Exploit broker triples iOS bounty to $1.5M, cites security improvements and demand
Zerodium, a well-known "bug broker," on Thursday announced a new $1.5 million top-end payout for zero-day exploits targeting iPhones and iPads running iOS 10, the latest version of Apple's mobile operating system.

As reported by ArsTechnica, Zerodium raised its bounty payout to reflect the stronger security protections introduced with iOS 10, Apple's latest mobile operating system, which launched on Sept. 13. The enhancements make creating remote jailbreaks more difficult, which according to the law of supply and demand makes such exploits more valuable to those looking to bypass Apple's built-in protections.
In a somewhat controversial practice, Zerodium purchases chains of exploits and resells them to government agencies. The state actors in turn use the exploits to compromise target devices for surveillance purposes, the report said.
Last year, the firm offered three $1 million bounties for iOS exploits, later dropping the going rate to $500,000. By comparison, Zerodium this year doubled its bounty for Android exploits to $200,000.
"Prices are directly linked to the difficulty of making a full chain of exploits, and we know that iOS 10 and Android 7 are both much harder to exploit than their previous versions," said Chaouki Bekrar, Zerodium's founder.
Commenting on why an iOS exploit is priced higher than a comparable Android bug, Bekrar said, "That means that iOS 10 chain exploits are either 7.5 times harder than Android or the demand for iOS exploits is 7.5 times higher. The reality is a mix of both."
Developers like Google -- and as of August, Apple -- operate bug bounty programs, though prices are often much lower than rates offered by brokers like Zerodium. This is to be expected, however, as brokers seek working hacks that can be marketed and ultimately deployed, while developers pay researchers for rough outlines and proofs-of-concept, the report said.
Apple's program, for example, offers a maximum payout of $200,000 for secure boot firmware components, with lesser amounts quoted for extraction of confidential material protected by the Secure Enclave Processor, execution of arbitrary code with kernel privileges, unauthorized access to iCloud account data and sandbox boundary bugs.
Though software developers are constantly looking for ways to stay one step ahead of hackers and other nefarious players, the exploit market is alive and well. Most recently, Apple's iOS was the target of a particularly nasty malware package called "Pegasus." A three-pronged attack, Pegasus compromised iOS 9 security measures to surreptitiously jailbreak and install a suite of monitoring software onto a victim's device. Apple patched the attack vectors in iOS 9.3.5.

Comments
Android - $200,000
That about sums it up right there.
And this is legal how?
If the people who discovered the exploits hacked into our phones, they'd be criminals.
Irrelevant. iOS is far more secure than Android, hence the higher maximum payouts.
There are many reasons for this, but the biggest one is Android's useless update model. When Apple discovers a new threat they can issue a patch to everyone within days. Google can do so for Nexus devices, but these represent a tiny fraction of Android devices out there so they don't really count (hackers don't care if they get patched quickly as they are a low priority target). Samsung is currently promising 30 day updates for their flagship devices, but we'll have to see how long they keep this up once a device gets over a year old. The remaining Android devices are left unpatched for many months (or never get patched). So why would you pay for exploits for Android when there are already several to choose from that still work? And even if discovered they will continue to work for some time on the majority of Android devices.
Yes that's HIGHLY relevant. Your comment was completely irrelevant to anything I said.
Your post claimed these are for attention getting/PR, and that real payouts start at much less. Yet Zerodium paid a $1 million bounty last year for the same thing. All I see is you trying to distract from the fact that exploits that successfully get into an iOS device pay 7.5x as much as for Android. It's irrelevant what they start at - the top level "golden key" for iOS is $1.5 million and for Android a measly $200K.
Still think those discovering exploits may do better dealing directly with Apple and Google and as a plus sleep better at night. As for your irrelevant-to-my-point comments please do carry on.
It's sad that this country has sunk to the point where an obviously and blatantly corrupt candidate has legions of people defending her. Trump may be a giant douche, but Clinton is a turd sandwich who's been exposed revealing classified information (yet she wants to persecute Snowden for the same crime - except when he did it he exposed criminal activity at the highest levels of government.)
Never would have thought we would have a more corrupt administration after W. Bush, but here we are, and we are supposed to vote for the most corrupt of the secretaries in the most corrupt administration ever?
Astounding!
And other than crazy conspiracy theories, the Obama administration has been remarkably clean. There's obviously too much money in politics, but that is what the Supreme Court decided is required, voting entirely on party lines according to the administrations that appointed them.
"When the President does it, that means that it is not illegal"...
Unless you mean that I should have said, "channeling J. Edgar"?