Software 'bug broker' Zerodium to stop buying iOS exploits due to oversupply

in General Discussion
A private company that buys software security bugs and exploits from hackers has said that it will stop paying for several types of iOS exploits because it simply has too many of them.

Zerodium is a well-known broker of exploits and bugs for most popular operating systems.

Zerodium is a well-known cybersecurity firm that pays to acquire exploits from third-party security researchers. In many cases, Zerodium's payouts are far higher than those of Apple's official bug bounty program.

We will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors.
Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.

-- Zerodium (@Zerodium)


The company said on Wednesday that it is pausing acquisition of any more iOS local privilege escalation, Safari remote code execution or sandbox escape exploits "for the next 2 to 3 months due to a high number of submissions related to these vectors." Additionally, the company said that prices for iOS one-click exploit chains, such as those delivered through Safari, that lack persistence will likely drop in the near future.

In a subsequent tweet, Zerodium founder Chaouki Bekrar said that iOS security is "f--cked," adding that the lack of persistence (most iOS exploits do not survive a reboot) and a security mechanism called pointer authentication codes (PAC, which cryptographically signs return addresses and function pointers so that a corrupted pointer fails authentication before it is used) are the only two things keeping iOS's security from "going to zero." He also said Zerodium is seeing many exploits that bypass PAC, and a few persistence exploits that work on all iPhones and iPads.

iOS Security is fucked. Only PAC and non-persistence are holding it from going to zero...but we're seeing many exploits bypassing PAC, and there are a few persistence exploits (0days) working with all iPhones/iPads. Let's hope iOS 14 will be better.https://t.co/39Kd3OQwy1

-- Chaouki Bekrar (@cBekrar)


Part of the glut is likely due to global lockdowns and the fact that security researchers have more time on their hands. Another factor could be that iOS 13 was unusually buggy -- a fact that led Apple software chief Craig Federighi to overhaul the development process for the next version of iOS.

"Let's hope iOS 14 will be better," Bekrar said.

This isn't the first time that Zerodium has seen a glut of iOS exploit submissions. In September 2019, the company said that, for the first time, it would pay more for Android exploits than iOS ones due to an oversupply.

Comments

  • Reply 1 of 12
    olsols (Posts: 53, member)
    If half of the number of existing exploits on iOS is true then it is very concerning...
    edited May 2020
  • Reply 2 of 12
    What's Zerodium's business model?  How can they afford to pay millions of dollars for security exploits?  Are they "good guys" using this information to make the world a safer place, or are they reselling these exploits to bad actors?
  • Reply 3 of 12
    kmarei (Posts: 216, member)
    What's Zerodium's business model?  How can they afford to pay millions of dollars for security exploits?  Are they "good guys" using this information to make the world a safer place, or are they reselling these exploits to bad actors?
    Reselling to bad actors A.K.A governments
    to spy on their own citizens
    paid for by taxes paid by the same citizens :)
  • Reply 4 of 12
    AppleZulu (Posts: 2,342, member)
    ...or someone could just be looking to generate a dip in AAPL before making a buy.

    Exploits and claims of exploits are not the same thing. The announcement in question seems to be trying hard to imply the former while really only speaking about the latter. For that matter, they could just be weary of spending money on claims that fail to pan out.
  • Reply 5 of 12
    auxio (Posts: 2,780, member)
    AppleZulu said:
    For that matter, they could just be weary of spending money on claims that fail to pan out.
    Or they're looking to drive the price of 0 day iOS exploits down (i.e. reduce their costs)
  • Reply 6 of 12
    gatorguy (Posts: 24,720, member)
    AppleZulu said:
    ...or someone could just be looking to generate a dip in AAPL before making a buy.

    Exploits and claims of exploits are not the same thing. The announcement in question seems to be trying hard to imply the former while really only speaking about the latter. For that matter, they could just be weary of spending money on claims that fail to pan out.
    auxio said:
    AppleZulu said:
    For that matter, they could just be weary of spending money on claims that fail to pan out.
    Or they're looking to drive the price of 0 day iOS exploits down (i.e. reduce their costs)
    Or more likely they really do have too many and for the time being won't be buying any more "local privilege escalation, remote code execution or sandbox escape exploits" at least until the next version of iOS. There are currently so many that any new ones "discovered" have no commercial value to Zerodium at the moment. 

    This isn't something new. Similar Android exploits were already more rare and valuable to them and have been since at least last September, quite the surprising turnabout.  Remember the article AI posted last fall? Easy to search up if you don't recall it. 
    edited May 2020
  • Reply 7 of 12
    auxio (Posts: 2,780, member)
    gatorguy said:
    AppleZulu said:
    ...or someone could just be looking to generate a dip in AAPL before making a buy.

    Exploits and claims of exploits are not the same thing. The announcement in question seems to be trying hard to imply the former while really only speaking about the latter. For that matter, they could just be weary of spending money on claims that fail to pan out.
    auxio said:
    AppleZulu said:
    For that matter, they could just be weary of spending money on claims that fail to pan out.
    Or they're looking to drive the price of 0 day iOS exploits down (i.e. reduce their costs)
    Or more likely they really do have too many and for the time being won't be buying any more "local privilege escalation, remote code execution or sandbox escape exploits" at least until the next version of iOS. There are currently so many that any new ones "discovered" have no commercial value to Zerodium at the moment. 
    If they really have more than they can handle, it probably wouldn't hurt to publish a few as proof, would it?

    That said, iOS Safari and Messages have been notoriously bad sources of exploits, so it wouldn't be too surprising if there's a whole class of exploits from either of them.  But to state that "OS security is f-ed" simply because of those apps is very misleading.  App level exploits tend to be easier to avoid (i.e. don't click on questionable links).  As compared to OS level exploits which can be utilized without the user doing anything.
    edited May 2020
  • Reply 8 of 12
    CloudTalkin (Posts: 919, member)
    What's Zerodium's business model?  How can they afford to pay millions of dollars for security exploits?  Are they "good guys" using this information to make the world a safer place, or are they reselling these exploits to bad actors?
    Zerodium customers are governments and corporations.  They can afford to pay millions of dollars for security exploits because their customers pay millions more to gain access to the exploits.  If the market is saturated with what they sell, what they sell isn't as valuable as it used to be.  They seem to be taking the DeBeers diamond strategy: make the product more valuable by controlling how much there is to sell.  It has worked like a charm for DeBeers.  Time will tell if it's a success for Zerodium.
  • Reply 9 of 12
    swineone (Posts: 66, member)
    So clearly there are a lot of iOS exploits, so much so that a company that buys them can afford to turn them down.

    I guess the "security by obscurity" model championed by Apple is merely making exploits a little harder to find, rather than preventing them from being found. Of course, this was known since the 19th century (just Google for "Kerckhoffs's principle").

    Do you know how these exploits could be more quickly found and patched? If security researchers could get unfettered access to iOS, like you already can with macOS, Windows, Linux, BSD, etc. It would be great if Apple would get with the program and allow that, but in the meanwhile, imagine if hypothetically there was a company that allowed security researchers to get such unfettered access via some technology like virtualization. I guess Corellium would be a great name for such a company.

    The only issue is if Apple were to sue this hypothetical company, and even bully users of this hypothetical company's technology by going against them. But I guess that would never happen, because Apple really worries about its users' security and privacy, right?

    (BTW: I'm a cryptographer, so I know at least a tiny little bit about the topic.)
  • Reply 10 of 12
    swineone said:
    So clearly there are a lot of iOS exploits, so much so that a company that buys them can afford to turn them down.

    I guess the "security by obscurity" model championed by Apple is merely making exploits a little harder to find, rather than preventing them from being found. Of course, this was known since the 19th century (just Google for "Kerckhoffs's principle").

    I'm sorry, but that's nonsense.  Show me where Apple has ever championed anything that can be described as "security by obscurity."
  • Reply 11 of 12
    auxio (Posts: 2,780, member)
    swineone said:

    (BTW: I'm a cryptographer, so I know at least a tiny little bit about the topic.)
    And I'm a software developer who has worked on everything from the OS kernel (Linux), to low-level TCP/IP and BSD socket communication (encrypted and unencrypted), to high level/end user applications on a number of platforms.

    Apple's technology stack is a mixture of open and closed source components.  The vast majority of the OS-level technology stack in both macOS and iOS is actually open source (shares much in common with BSD UNIX).  So it's subject to the same open peer reviews as any other open source platform.  It isn't "security by obscurity" as you somehow believe it is.
  • Reply 12 of 12
    AppleZulu said:
    ...or someone could just be looking to generate a dip in AAPL before making a buy.

    Exploits and claims of exploits are not the same thing. The announcement in question seems to be trying hard to imply the former while really only speaking about the latter. For that matter, they could just be weary of spending money on claims that fail to pan out.
    If you knew anything about the stock market you'd know that articles like this would not affect AAPL. It's only a matter of time before the stock market crashes again because of how screwed the economy is, so nobody has to create false news for the stock to drop down.

    With the billions of lines of code within iOS, you make it sound as if it doesn't have any serious vulnerabilities.