Software 'bug broker' Zerodium to stop buying iOS exploits due to oversupply

A private company that buys software security bugs and exploits from hackers has said that it will stop rewarding developers of several types of iOS exploits because it simply has too many of them.

Zerodium is a well-known broker of exploits and bugs for most popular operating systems.


Zerodium is a well-known cybersecurity firm that pays to acquire exploits from third-party security researchers. In many cases, Zerodium's payouts are much, much higher than Apple's official bug bounty program.

We will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors.
Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.

-- Zerodium (@Zerodium)


The company said on Wednesday that it'll be pressing pause on acquiring any more local privilege escalation, remote code execution or sandbox escape exploits "for the next two to three months due to a high number of submissions." Additionally, the company said that prices for certain types of iOS Safari one-click vulnerabilities will probably drop in the near future.

In a subsequent tweet, Zerodium founder Chaouki Bekrar said that iOS security is "f--cked," adding that the lack of persistence and a security mechanism called pointer authentication codes are the only two things keeping iOS's security from "going to zero."

iOS Security is fucked. Only PAC and non-persistence are holding it from going to zero...but we're seeing many exploits bypassing PAC, and there are a few persistence exploits (0days) working with all iPhones/iPads. Let's hope iOS 14 will be better. https://t.co/39Kd3OQwy1

-- Chaouki Bekrar (@cBekrar)


Part of that is likely because of global lockdowns and the fact that security researchers have more time on their hands. Another factor could be that iOS 13 was unusually buggy -- a fact that led Apple software chief Craig Federighi to overhaul the development process for the next version of iOS.

"Let's hope iOS 14 is better," Bekrar said.

This isn't the first time that Zerodium has seen a glut of iOS exploit submissions. In September 2019, the company said that, for the first time, it would pay more for Android exploits than iOS ones due to an oversupply.

Comments

  • Reply 1 of 12
    ols Posts: 50 member
    If half of the number of existing exploits on iOS is true then it is very concerning...
    edited May 2020
  • Reply 2 of 12
    What's Zerodium's business model?  How can they afford to pay millions of dollars for security exploits?  Are they "good guys" using this information to make the world a safer place, or are they reselling these exploits to bad actors?
  • Reply 3 of 12
    kmarei Posts: 176 member
    What's Zerodium's business model?  How can they afford to pay millions of dollars for security exploits?  Are they "good guys" using this information to make the world a safer place, or are they reselling these exploits to bad actors?
    Reselling to bad actors A.K.A governments
    to spy on their own citizens
    paid for by taxes paid by the same citizens :)
  • Reply 4 of 12
    AppleZulu Posts: 1,942 member
    ...or someone could just be looking to generate a dip in AAPL before making a buy.

    Exploits and claims of exploits are not the same thing. The announcement in question seems to be trying hard to imply the former while really only speaking about the latter. For that matter, they could just be weary of spending money on claims that fail to pan out.
  • Reply 5 of 12
    auxio Posts: 2,707 member
    AppleZulu said:
    For that matter, they could just be weary of spending money on claims that fail to pan out.
    Or they're looking to drive the price of 0 day iOS exploits down (i.e. reduce their costs)
  • Reply 6 of 12
    gatorguy Posts: 24,105 member
    AppleZulu said:
    ...or someone could just be looking to generate a dip in AAPL before making a buy.

    Exploits and claims of exploits are not the same thing. The announcement in question seems to be trying hard to imply the former while really only speaking about the latter. For that matter, they could just be weary of spending money on claims that fail to pan out.
    auxio said:
    AppleZulu said:
    For that matter, they could just be weary of spending money on claims that fail to pan out.
    Or they're looking to drive the price of 0 day iOS exploits down (i.e. reduce their costs)
    Or more likely they really do have too many and for the time being won't be buying any more "local privilege escalation, remote code execution or sandbox escape exploits" at least until the next version of iOS. There are currently so many that any new ones "discovered" have no commercial value to Zerodium at the moment. 

    This isn't something new. Similar Android exploits were already more rare and valuable to them and have been since at least last September, quite the surprising turnabout.  Remember the article AI posted last fall? Easy to search up if you don't recall it. 
    edited May 2020
  • Reply 7 of 12
    auxio Posts: 2,707 member
    gatorguy said:
    AppleZulu said:
    ...or someone could just be looking to generate a dip in AAPL before making a buy.

    Exploits and claims of exploits are not the same thing. The announcement in question seems to be trying hard to imply the former while really only speaking about the latter. For that matter, they could just be weary of spending money on claims that fail to pan out.
    auxio said:
    AppleZulu said:
    For that matter, they could just be weary of spending money on claims that fail to pan out.
    Or they're looking to drive the price of 0 day iOS exploits down (i.e. reduce their costs)
    Or more likely they really do have too many and for the time being won't be buying any more "local privilege escalation, remote code execution or sandbox escape exploits" at least until the next version of iOS. There are currently so many that any new ones "discovered" have no commercial value to Zerodium at the moment. 
    If they really have more than they can handle, it probably wouldn't hurt to publish a few as proof wouldn't it?

    That said, iOS Safari and Messages have been notoriously bad sources of exploits, so it wouldn't be too surprising if there's a whole class of exploits from either of them.  But to state that "OS security is f-ed" simply because of those apps is very misleading.  App level exploits tend to be easier to avoid (i.e. don't click on questionable links).  As compared to OS level exploits which can be utilized without the user doing anything.
    edited May 2020
  • Reply 8 of 12
    CloudTalkin Posts: 916 member
    What's Zerodium's business model?  How can they afford to pay millions of dollars for security exploits?  Are they "good guys" using this information to make the world a safer place, or are they reselling these exploits to bad actors?
    Zerodium customers are governments and corporations.  They can afford to pay millions of dollars for security exploits because their customers pay millions more to gain access to the exploits.  If the market is saturated with what they sell, what they sell isn't as valuable as it used to be.  They seem to be taking the DeBeers diamond strategy: make the product more valuable by controlling how much there is to sell.  It has worked like a charm for DeBeers.  Time will tell if it's a success for Zerodium.
  • Reply 9 of 12
    swineone Posts: 65 member
    So clearly there are a lot of iOS exploits, so much so that a company that buys them can afford to turn them down.

    I guess the "security by obscurity" model championed by Apple is merely making exploits a little harder to find, rather than preventing them from being found. Of course, this was known since the 19th century (just Google for "Kerckhoffs's principle").

    Do you know how these exploits could be more quickly found and patched? If security researchers could get unfettered access to iOS, like you already can with macOS, Windows, Linux, BSD, etc. It would be great if Apple would get with the program and allow that, but in the meanwhile, imagine if hypothetically there was a company that allowed security researchers to get such unfettered access via some technology like virtualization. I guess Corellium would be a great name for such a company.

    The only issue is if Apple were to sue this hypothetical company, and even bully users of this hypothetical company's technology by going against them. But I guess that would never happen, because Apple really worries about its users' security and privacy, right?

    (BTW: I'm a cryptographer, so I know at least a tiny little bit about the topic.)
  • Reply 10 of 12
    swineone said:
    So clearly there are a lot of iOS exploits, so much so that a company that buys them can afford to turn them down.

    I guess the "security by obscurity" model championed by Apple is merely making exploits a little harder to find, rather than preventing them from being found. Of course, this was known since the 19th century (just Google for "Kerckhoffs's principle").

    I'm sorry, but that's nonsense.  Show me where Apple has ever championed anything that can be described as "security by obscurity."
  • Reply 11 of 12
    auxio Posts: 2,707 member
    swineone said:

    (BTW: I'm a cryptographer, so I know at least a tiny little bit about the topic.)
    And I'm a software developer who has worked on everything from the OS kernel (Linux), to low-level TCP/IP and BSD socket communication (encrypted and unencrypted), to high level/end user applications on a number of platforms.

    Apple's technology stack is a mixture of open and closed source components.  The vast majority of the OS-level technology stack in both macOS and iOS is actually open source (shares much in common with BSD UNIX).  So it's subject to the same open peer reviews as any other open source platform.  It isn't "security by obscurity" as you somehow believe it is.
  • Reply 12 of 12
    AppleZulu said:
    ...or someone could just be looking to generate a dip in AAPL before making a buy.

    Exploits and claims of exploits are not the same thing. The announcement in question seems to be trying hard to imply the former while really only speaking about the latter. For that matter, they could just be weary of spending money on claims that fail to pan out.
    If you knew anything about the stock market you'd know that articles like this would not affect AAPL. It's only a matter of time before the stock market crashes again because of how screwed the economy is, so nobody has to create false news for the stock to drop down.

    With the billions of lines of code within iOS and you make it sound as if it doesn't have any serious vulnerabilities.