Exploit resellers report glut of iOS vulnerabilities, will pay more for Android bugs
Software vulnerability brokers have lowered payout rates for iOS exploits, saying a recent "flood" of iPhone zero-days makes the bugs less valuable than comparable attacks designed to penetrate Android.
Exploit reseller Zerodium on Tuesday announced higher going rates for Android vulnerabilities, with the firm now paying out up to $2.5 million for so-called zero-click zero-days, reports Motherboard.
As the value of Android exploits increases, the market health of zero-days designed to thwart iOS protections stagnates due to what can be characterized as a supply glut. Zerodium, for example, pays out $2 million for zero-click vectors targeting iPhone, and decreased payouts for one-click attacks from $1.5 million to $1 million, the report said.
Zero-click exploits refer to vulnerabilities that can be leveraged to hack a device without user interaction, while zero-days are defined as bugs, exploits and other flaws that are as yet unknown to platform operators. Zero-days are particularly prized assets for hackers -- both lawful and nefarious -- looking to break into locked-down devices like iPhone.
"The zero-day market is flooded by iOS exploits, mostly Safari and iMessage chains, mainly due [to] a lot of security researchers having turned their focus into full time iOS exploitation," said Zerodium founder Chaouki Bekrar. "They've absolutely destroyed iOS security and mitigations. There are so many iOS exploits that we're starting to refuse some of them."
The director of exploit buyer Crowdfense, Andrea Zapparoli Manzoni, agrees with Bekrar's assessment of the market, but notes not all iOS chains are "intelligence-grade." Still, it appears the supply of vulnerabilities more than sates demand.
Bekrar added that Android is becoming increasingly difficult to crack, in part due to fragmentation. The multi-version, multi-device nature of Google's operating system has long been considered a weakness in terms of consistency and stability, but it is this very "feature" that might prove useful in protecting against widespread attack, the report said.
"Android is such a fragmented landscape that a 'universal chain' is almost impossible to find; much harder than on iOS which is a 'monoculture,'" said Zapparoli Manzoni.
Bekrar elaborated, saying Android's constantly improving security is making bug discovery more difficult for researchers. He seemingly implies Apple is not keeping pace with its iOS efforts.
"The security of Android is however improving with every new OS release. It's very hard and time consuming to develop full Android exploit chains and it's even harder for zero-click vectors (not requiring any user interaction)," Bekrar said. "We believe that the time has come to pay the highest bug bounty for Android exploits until Apple re-improves the security of iOS components such as Safari and iMessage."
As noted by Motherboard, brokers like Zerodium and Crowdfense comprise only a subsection of a much wider market dealing in software vulnerabilities. Other players include firms who broker deals solely with law enforcement and government agencies, regional research firms and rogue actors.
Zerodium's new bounty pricing arrives days after Google's Project Zero announced the discovery of a massive iPhone hacking operation. Over a period of what is thought to be years, a series of hacked websites took advantage of multiple vulnerabilities to disseminate a software implant capable of swiping sensitive user information and tracking the location of modern iPhones running the latest versions of iOS.
A follow-up report claimed the Chinese government used the hack to monitor Uyghur Muslims.
Comments
The goal is to infect the most number of devices, that determines the “value” of an exploit. There are more Android devices out there so naturally they’re worth more. There’s no “glut” of iOS exploits affecting price.
The easy way to attack any device with a browser is the browser itself. The question is if social engineering is even easier with a browser, getting people to go to infected sites, or to download an infected app.
Is Apple’s “walled garden” App Store still better? Probably...
Google does spend quite a bit on security, so it’s possible they’ve done a better job sandboxing the apps. But, it’s not likely given they’re given deeper access to the system.
The biggest suspect thing that was said was about the fragmentation of Android being a positive. That has to be B.S. There’s a huge number of Android devices not getting updates, which means any exploit is going to have longer legs. If the fragmentation is referring to hardware, then it’s possible. Hardware-related exploits would be the most difficult to find. So, while Apple would be more affected by an exploit, I’d think the number of exploits found would be small.
My main takeaway is Apple needs to focus on browser security. Last I checked, iOS device users are heavy browser users, so the importance of making Safari rock solid (with regards to security) can’t be understated. All the browsers on iOS use the same underpinnings unlike Android so that’s a huge potential problem.
Safari also does not allow browser plugins on iOS. Many of those plugins improve the browsers security (like NoScript). Apple has talked about a “desktop class browser” on iPad OS...so maybe that will change.
One would also imagine that the more malicious and damaging the exploits, the higher price that organizations would pay for them, suggesting that Android exploits are more malicious and damaging.
As you point out, the other reason why prices for Android exploits are high is because there are more Android users.
More exploits for iOS is consistent with the greater wealth of iOS users. The fact that Apple responds quickly to the presence of exploits and almost all iOS users upgrade their operating systems relatively quickly means that exploits are more rapidly and definitively neutralized, reducing their value.
It is not a pleasant feeling that a hacker has more freedom than me on my device. I know there is nothing like completely safe software. It is a process.
https://appleinsider.com/articles/19/01/10/zerodium-hikes-bounties-for-apple-vulnerabilities-to-as-high-as-2m
There's been more Android users for years and they've typically had more money too but Zerodium has previously been paying out more (sometimes FAR more) for iOS exploits. So for you to be correct something has changed. What do you think it is?
iOS security is still stronger because of tighter policies. Safari and iMessage can be improved as quickly and targeted as exploits show up. There is nothing inherently weak about Apple’s update strategies. They can release more frequent updates if they want to.
For the recent Uighur hacks, the hackers had to chain together 14 iOS exploits. That’s a long chain and will use up the number of exploits quickly. Android and Windows are also hacked but the developer community did not get a chance to fix them since the attacks had been dismantled when the iOS hack was discovered (more people scrutinizing iOS). So the vulnerabilities still exist, and we don’t know how easy it is. It may very well be shorter exploit chains but more variety of them. I did a quick check, the iOS exploits in this Uighur hack were fixed more than half a year ago in 12.1.4.
Apple recently beefed up their bug bounty program. This has also generated huge interest amongst the hacker community. After all, everyone knows Apple has deep pockets. So it is not surprising to have so many submissions these days. Some of them are not good enough to receive payouts from Apple or other buyers, and it will result in people shopping around for payment, submitting duplicated findings. Once the bug bounty program (and of course fixes) kicks into high gear, we will have a better idea of the run rate for such things.
Not to mention hardware security. Most software centric companies ignore these hardware and firmware exploits because they don’t play in this area well. So they barely get any mention in the software heavy blogosphere, but Apple’s hardware security is unmatched so far. Take a look at the T2 chip, and other UEFI work done by their teams. It is a cat and mouse game, but Apple’s approach in integrating software and hardware security is pretty interesting so far. We’ll get to see how things evolve in the long run.
Coincidentally, a new “Android” exploit today, from the manufacturers:
https://apple.news/AgUqxXGueSJG68z0oX2oEJA
But bottom line, Apple has the ability and almost infinite resources to create its own zero-day research team that is entirely focused on iOS, tvOS, macOS, iPadOS, watchOS. They could hire the very best white and black hats on the planet and pay them well to remain on task and loyal. Apple was recently shamed into creating a bug bounty program that pays decent money for exploits. Maybe they will be shamed into not relying on Google for researching and reporting exploits.
"...iOS is far more secure than Android, hence the higher maximum payouts......why would you pay for exploits for Android when there are already several to choose from that still work? And even if discovered they will continue to work for some time on the majority of Android devices."
IMO that was never valid to begin with. I suspect we now agree.
Sure, if you want to discuss the relative security of both platforms have at it, but in a different thread please. Create one and let me know where to find it. This one isn't about which OS is more secure, just whether either one is insecure and if the amount paid for exploits proves it either way as you've often claimed.
"Check Point researchers said they found that four smartphone makers have not implemented this standard (OMA CP) in a secure manner on their devices.
Researchers said they were able to send OMA CP messages to devices from Samsung, Huawei, LG, and Sony, which accepted these messages, even if it didn't come from a trusted source.
Of the four phone brands, the easiest devices to attack were Samsung smartphones. Check Point said this was because Samsung phones accepted any kind of OMA CP message, with no authentication or verification mechanism in place"
"The good news is that three of the vendors have patched or are in the process of patching this attack vector, after first being notified of the issue in March this year.
Sony is the only vendor which did not ship a fix."