The price of some iOS exploits has dropped recently and at least one exploit acquisition company is no longer buying certain types of vulnerabilities. Experts believe this is a result of security researchers increasingly focusing on finding vulnerabilities in iOS.
Exploit acquisition company Zerodium announced last week that it would no longer be buying certain types of iOS exploits for the next 2-3 months due to surplus. It also announced that prices for iOS exploit chains that require some user interaction and don’t provide persistence will likely drop in the near future.
Furthermore, Zerodium’s CEO and founder, Chaouki Bekrar, said “iOS security is fucked,” noting that they are already seeing many exploits designed to bypass pointer authentication codes (PAC) — PAC provides protection against memory attacks — and a few zero-day exploits that can help an attacker achieve persistence on all iPhones and iPads.
Zerodium’s website says it offers up to $2 million for full iOS exploit chains that achieve persistence and require no user interaction. In comparison, the same type of exploit for Android can be worth up to $2.5 million.
The company also typically offers up to $500,000 for iOS persistence exploits, and remote code execution and local privilege escalation vulnerabilities affecting iMessage or Safari. Hackers can earn up to $200,000 for Safari remote code execution exploits without a sandbox escape component and the same amount just for a sandbox escape.
However, Bekrar says in the past few months they’ve seen a spike in iOS submissions, particularly Safari remote code execution, sandbox escapes and privilege escalation. This forced his company to first reduce prices and then to completely suspend the acquisition of such exploits for the next 2-3 months.
“The spike is likely caused by the increased number of researchers looking into iOS and probably by the availability of public jailbreaks which are helping researchers to reverse engineer iOS devices more easily and find bugs faster. On the other hand, the number of Android submissions remains stable,” he explained.
Bekrar added, “Our prices for zero-click exploits and persistence remain unchanged for now as these capabilities are unicorns with only a few of them available each year.”
Zerodium offers high rewards for a wide range of vulnerabilities, but the company says it only accepts high-quality exploits, which it claims to sell only to government organizations, mostly in Europe and North America.
Alfonso de Gregorio, founder of exploit acquisition company Zeronomicon, confirms that there is a surplus of iOS local privilege escalation exploits.
“Some of the mitigations in place are being successfully bypassed, showing that meaningful progress is being made by security researchers. This will affect the prices for those exploits, assuming their demand will not change significantly,” De Gregorio told SecurityWeek.
Zeronomicon, which provides exploits to both governments and private sector companies, claims to have over 1,000 satisfied customers. The company, which also claims to hold itself to high ethical standards, says it provides organizations with “tailored cybersecurity capabilities, actionable vulnerability information, and risk mitigation strategies.”
“I established Zeronomicon to help the fellow security researchers to convert their talent and knowledge into profit, meaning that the amount paid for each security capability always reflects the best market conditions and other circumstances existing at the time of the acquisition,” De Gregorio said.
“The market prices reflect the changing supply and demand indeed,” he added. “This is not the first nor the last time that the payouts adjust according to the new values given to the exploit chains, as already occurred years ago with the exploits that targeted web browsers.”
Zerodium and Zeronomicon did not want to say exactly how much prices have dropped or how much they could drop in the future.
Zuk Avraham, founder of mobile security firm Zimperium and cybersecurity automation company ZecOps, has also confirmed that the price of iOS exploits has decreased. He says iOS security research has become much more mainstream, with many researchers drawn to it by high exploit prices and an increasing amount of resources to learn from (e.g. vulnerability writeups, blogs).
“Large portions of iOS code were not touched for years, it is a known secret that many of the vulnerabilities aren’t patched properly, and in-general, there are many vulnerabilities in iOS – much more than what most people think / are aware of,” Avraham told SecurityWeek.
It remains to be seen just how much the upcoming iOS 14 and A14 mobile processors will improve security.
“A14 devices are supposed to include memory tagging mitigation, which may make some of the exploits value worth less – so a lot of researchers are dumping their exploits now and trying to cash in,” Avraham said.
Both Zimperium and ZecOps have run mobile exploit acquisition programs, but their focus is on already-patched vulnerabilities rather than zero-day flaws.
ZecOps recently reported seeing targeted attacks exploiting unpatched vulnerabilities in the iOS Mail app. Apple has confirmed that the flaws exist, but disputed claims regarding active exploitation.
Charles Ragland, security engineer at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, believes Apple’s high-paying bug bounty program has brought increased scrutiny to the platform, leading to researchers identifying a significant number of vulnerabilities.
“With the increased focus and larger volume of exploits, it isn’t surprising to see prices drop for iOS,” Ragland said. “It is likely that researchers will shift their attention to more lucrative options in the coming weeks, and we may see an increase in price for exploits of other devices or operating systems.”
What do exploit prices say about iOS security?
There has always been a debate over which is more secure — Android or iOS — and while years ago many agreed that iOS was better in terms of security, the significant number of vulnerabilities and attacks targeting the platform in recent years have shown that Apple’s mobile operating system is not as secure as many believed it to be, particularly when faced with a well-resourced adversary.
“The zero-day market is based on supply and demand, a spike in supply of zero-day exploits for a specific product means that the security level of that product is decreasing and the price goes down as there are too many exploits available,” Bekrar said. “Obviously, we cannot draw a final conclusion about the overall security level of a system just based on its bug bounty price or the number of existing exploits, but these are very strong indicators that cannot be ignored.”
“The fact that [Zerodium] won’t pay for [certain types of iOS exploits] anymore is an indication the supply is high and indicative of the current state of this mobile platform,” Robert Nickle, security intelligence researcher at mobile security firm Lookout, told SecurityWeek. “While iOS is a relatively secure mobile OS, there are still ways to exploit it, and therefore benefits when users run additional security on those devices.”
Zeronomicon’s De Gregorio noted, “When it comes to software engineered by Apple, I can tell you that this was never free of vulnerabilities. Rather, their exploitation was typically prevented by the security mitigations put in place at both hardware and software level.”
Apple did not respond to a request for comment.
Related: Zerodium Offers $500,000 for VMware ESXi, Microsoft Hyper-V Exploits
Related: Apple Awards Researcher $75,000 for Camera Hacking Vulnerabilities
Related: Corellium: Apple Sued Us After Failed Acquisition Attempt