ZERODIUM, a leading zero-day exploit broker, has published its revised bounty figures for the amount it will pay for new zero-days. The highest figure is reserved for iOS – now up to $1.5 million for “fully functional/reliable exploits meeting ZERODIUM’s requirements”. It was ‘only’ $500,000 in September 2015.
ZERODIUM was formed in July 2015 by Chaouki Bekrar, the founder of Vupen. Vupen ceased trading around the same time. While Vupen developed and sold its own exploits, Zerodium trades in third-party exploits as well as maintaining its own research team. Its bounties range from up to $10,000 for applications such as vBulletin, WordPress, Joomla and Drupal to the $1.5 million mark. Android comes a distant second to iOS with a bounty set at up to $200,000.
In November 2015, Zerodium awarded $1 million to a team of hackers for a remote browser-based untethered jailbreak that worked on iOS 9.1 and 9.2 beta.
“The amounts paid by ZERODIUM to researchers to acquire their original zero-day exploits,” says the Zerodium website, “depend on the popularity and security strength of the affected software, as well as the quality of the submitted exploit (full or partial chain, reliability, supported versions/systems/architectures, bypassed exploit mitigations, limitations, process continuation, etc).”
The clear implication is that iOS zero-days are hard to find but eminently re-sellable. The organizations willing to pay (with Zerodium’s mark-up) in the region of $2 million for an iOS exploit will be limited — but do exist.
Speaking at a security forum hosted by the Aspen Institute in London, FBI Director James Comey intimated that the FBI had paid more than $1.3 million dollars to crack the San Bernardino shooter’s iPhone. He actually said that the cost of the tool was “more than I will make in the remainder of this job, which is seven years and four months, for sure.” (7.33 times the likely $185,000 per year is $1.356 million.)
Apart from reselling zero-days, Zerodium also publishes a subscription-only newsletter providing details of the exploits it has found or bought.
“For $500,000 or more a year, governments could buy a road map for hacking Android phones to spy on people. Companies could learn about a special hacking tactic before it’s used on their own Windows computers — or quietly use it themselves for corporate espionage,” notes CNN Money.
It’s a controversial service. Ilia Kolochenko, founder and CEO of security firm High-Tech Bridge, points out that run-of-the-mill cyber criminals and even governments under normal circumstances simply do not need additional help with exploits. “Gartner says that through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year,” he told SecurityWeek.
Nevertheless, he believes there will always be exceptional circumstance, perhaps like the San Bernardino case. “Grey and black markets for them will always exist; and taking into consideration that vulnerabilities become more and more difficult to find and exploit in popular software, prices will continue to climb.”
Zero-days, whether bought or discovered, are a fact of life. “What the various NSA dumps have shown is that zero-day vulnerabilities exist and when found by certain groups they are kept secret from the vendors so they can be used covertly — just ask Cisco,” said Drew Koenig, security solutions architect at Magenic. He has no problem with Zerodium paying bounties — only what it does with the vulnerabilities it buys.
“If Zerodium can pay millions for these findings,” he continued, “it only shows they are making far more by selling it on the back end.” And those who buy the vulnerabilities keep it secret as well. “What ethically bound company that buys these zero-day lists wouldn’t tell the vendor so they can update and protect millions of devices?” He sees it as a moral issue. “Zerodium and firms like it… know they are providing to the potential destruction of people’s lives by withholding these exploits from the vendors that can fix them,” he added. “Zerodium doesn’t help this, especially if they ‘delay’ or never tell the vendor about it.”
“Selling zero days is similar to classic arms market,” says Kolochenko. “Weapons can always be stolen or re-sold, and it’s almost impossible to control it.” But despite the moral issues, trade in zero-days is as legal as trade in weapons.
Zerodium says access to its exploit marketplace is “highly restricted” and available to a limited number of corporations and governments.