WASHINGTON — The director of the FBI suggested Thursday that his agency paid at least $1.3 million to an undisclosed group to help hack into the encrypted iPhone used by an attacker in the mass shooting in San Bernardino, California.
At a technology conference in London, a moderator asked James B. Comey Jr., the FBI chief, how much bureau officials had to pay the undisclosed outside group to demonstrate how to bypass the phone's encryption.
"A lot," Comey said, as audience members at the Aspen Institute event laughed.
He continued: "Let's see, more than I will make in the remainder of this job, which is seven years and four months, for sure."
The FBI had been unwilling to say anything at all until Thursday about how much it paid for what has become one of the world's most publicized hacking jobs, so Comey's cryptic comments about his own wages and the bounty quickly sent listeners scurrying in search of their calculators.
The FBI director makes about $185,100 a year — so Comey stands to earn at least $1.35 million at that base rate of pay for the remainder of his 10-year term.
The FBI declined to confirm or deny Thursday whether the bureau had in fact paid at least $1.3 million for the hacking, and it declined to elaborate on Comey's suggestive remarks.
But that price tag, if confirmed, appears in line with what other companies have offered for identifying iOS vulnerabilities.
Zerodium, a security firm in Washington that collects and then sells such bugs, said last fall that it would pay $1 million for weaknesses in Apple's iOS 9 operating system. Hackers eventually claimed that bounty. The iPhone used by the San Bernardino gunman ran iOS 9.
"A number of factors go into pricing these bounties," said Alex Rice, the co-founder of the security startup HackerOne CTO, who also started Facebook's bug bounty program. Rice said that the highest premiums were paid when the buyer did not intend to disclose the flaw to a party that could fix it.
"The cost of keeping a flaw secret is high," Rice said. He added that buyers like Zerodium's customers and the government might not work to fix problems.
When companies run bug bounty programs, they may pay about $100,000 to hackers that show them system vulnerabilities that must be fixed. "When you sell at a high price, you have to be OK with the possibility that the person you sold the flaw to could do something bad with it," Rice said.
While Comey's remarks appeared to address the lingering mystery of how much the FBI paid to get into the San Bernardino phone, he said nothing that would indicate the actual identity of the outside group behind the hacking. Some media reports have named an Israeli software company that might have helped the FBI, but numerous law enforcement officials have said that company was not involved.
After an intense courtroom fight in Southern California, the FBI disclosed three weeks ago that it had managed to get access to the data inside an iPhone 5c used by Syed Farook, one of the attackers in the San Bernardino rampage, which killed 14 people, by paying the outside group.
The Justice Department had gone to court to try to force Apple to develop a new operating system to allow access into the encrypted phone, setting off an intense national debate about privacy versus national security. But it withdrew its case after the outside party came to the FBI and demonstrated a way around the phone's internal defenses, which would have destroyed the data inside after 10 failed password attempts and would have meant longer and longer intervals in between guesses.
With those mechanisms disabled, the FBI was able to use what is called a brute force attack — using computers to guess vast numbers of password combinations at once — in order to get inside the phone.
But the Justice Department is still trying to force Apple in court to help unlock encrypted phones in Brooklyn, Boston and elsewhere.