Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Zerodium Boosts Bounty for iOS Exploit to $1.5 Million

ZERODIUM, a leading zero-day exploit broker, has published its revised bounty figures for the amount it will pay for new zero-days. The highest figure is reserved for iOS – now up to $1.5 million for “fully functional/reliable exploits meeting ZERODIUM’s requirements”. It was ‘only’ $500,000 in September 2015.

ZERODIUM, a leading zero-day exploit broker, has published its revised bounty figures for the amount it will pay for new zero-days. The highest figure is reserved for iOS – now up to $1.5 million for “fully functional/reliable exploits meeting ZERODIUM’s requirements”. It was ‘only’ $500,000 in September 2015.

ZERODIUM was formed in July 2015 by Chaouki Bekrar, the founder of Vupen. Vupen ceased trading around the same time. While Vupen developed and sold its own exploits, Zerodium trades in third-party exploits as well as maintaining its own research team. Its bounties range from up to $10,000 for applications such as vBulletin, WordPress, Joomla and Drupal to the $1.5 million mark. Android comes a distant second to iOS with a bounty set at up to $200,000.

In November 2015, Zerodium awarded $1 million to a team of hackers for a remote browser-based untethered jailbreak that worked on iOS 9.1 and 9.2 beta.

“The amounts paid by ZERODIUM to researchers to acquire their original zero-day exploits,” says the Zerodium website, “depend on the popularity and security strength of the affected software, as well as the quality of the submitted exploit (full or partial chain, reliability, supported versions/systems/architectures, bypassed exploit mitigations, limitations, process continuation, etc).”

The clear implication is that iOS zero-days are hard to find but eminently re-sellable. The organizations willing to pay (with Zerodium’s mark-up) in the region of $2 million for an iOS exploit will be limited — but do exist.

Speaking at a security forum hosted by the Aspen Institute in London, FBI Director James Comey intimated that the FBI had paid more than $1.3 million dollars to crack the San Bernardino shooter’s iPhone. He actually said that the cost of the tool was “more than I will make in the remainder of this job, which is seven years and four months, for sure.” (7.33 times the likely $185,000 per year is $1.356 million.)

Apart from reselling zero-days, Zerodium also publishes a subscription-only newsletter providing details of the exploits it has found or bought.

“For $500,000 or more a year, governments could buy a road map for hacking Android phones to spy on people. Companies could learn about a special hacking tactic before it’s used on their own Windows computers — or quietly use it themselves for corporate espionage,” notes CNN Money.

Advertisement. Scroll to continue reading.

It’s a controversial service. Ilia Kolochenko, founder and CEO of security firm High-Tech Bridge, points out that run-of-the-mill cyber criminals and even governments under normal circumstances simply do not need additional help with exploits. “Gartner says that through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year,” he told SecurityWeek.

Nevertheless, he believes there will always be exceptional circumstance, perhaps like the San Bernardino case. “Grey and black markets for them will always exist; and taking into consideration that vulnerabilities become more and more difficult to find and exploit in popular software, prices will continue to climb.”

Zero-days, whether bought or discovered, are a fact of life. “What the various NSA dumps have shown is that zero-day vulnerabilities exist and when found by certain groups they are kept secret from the vendors so they can be used covertly — just ask Cisco,” said Drew Koenig, security solutions architect at Magenic. He has no problem with Zerodium paying bounties — only what it does with the vulnerabilities it buys.

“If Zerodium can pay millions for these findings,” he continued, “it only shows they are making far more by selling it on the back end.” And those who buy the vulnerabilities keep it secret as well. “What ethically bound company that buys these zero-day lists wouldn’t tell the vendor so they can update and protect millions of devices?” He sees it as a moral issue. “Zerodium and firms like it… know they are providing to the potential destruction of people’s lives by withholding these exploits from the vendors that can fix them,” he added. “Zerodium doesn’t help this, especially if they ‘delay’ or never tell the vendor about it.”

“Selling zero days is similar to classic arms market,” says Kolochenko. “Weapons can always be stolen or re-sold, and it’s almost impossible to control it.” But despite the moral issues, trade in zero-days is as legal as trade in weapons. 

Zerodium says access to its exploit marketplace is “highly restricted” and available to a limited number of corporations and governments.

Related: Exploit Acquisition Firm Offers $3 Million for iOS 9 Zero-Days

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.