Zimperium Throws $1.5 Million at Mobile N-day Exploits

Zimperium Launches Exploit Acquisition Program for Android and iOS N-Days, But No Interest in 0-Days

Bug bounty programs exist to encourage researchers to find and report zero-day vulnerabilities. The theory is that the vulnerability is patched and the threat goes away. In reality, however, the zero-day vulnerability simply becomes an N-day exploit; where ‘n’ is the number of days between the patch and its deployment. During this period, an N-day exploit is as dangerous as a 0-day exploit.

This is a particular problem in the mobile world, where millions of users remain at risk for extended periods due to poor deployment processes that never reach the majority of mobile devices. Now Zimperium, which raised $12 million in Series B funding in February 2015, is attempting to upset the status quo with the announcement of a zLabs $1.5 million N-day exploit acquisition program.

Mobile N-Days and Zero-Days

“Unfortunately, the security patching process for mobile devices’ operating systems is extremely slow, which leaves companies and individuals highly vulnerable to dozens of security threats,” explains Zuk Avraham, CTO and founder at Zimperium. “Through zLab’s new Exploit Acquisition Program, our customers, partners, and the rest of the cybersecurity community will be notified of these vulnerabilities so that they will be able to provide the highest level of protection possible.”

There are several actual and hoped-for effects. The first is that once an N-day exploit is publicly known, it applies pressure on the mobile ecosystem to rethink and improve its security update process. The second is that it encourages and rewards researchers who develop exploits that, in bug bounty terms, become worthless the moment the vulnerability is known to the vendor.

The third is that it should simply make for a more secure mobile market. With the researcher’s approval, the exploit will be released to members of the Zimperium Handset Alliance (ZHA), which includes Samsung, Softbank, Telstra, Blackberry and more than 30 other well-known handset vendors and mobile carriers around the world. Between one and three months later, Zimperium will publicly release the exploit, crediting the researcher.

The fourth is Zimperium’s own reward. It will use the exploits, and the techniques they employ, to enhance its own machine learning z9 threat detection engine. This will give its customers protection against the exploit even before the patch is released and deployed.

The reporting process is relatively simple for researchers who produce relevant N-day exploits. They simply email ninja_exploits at nothuman.ninja, describe the exploit, quote the CVE number, explain how the exploit chain works, and state whether they wish the code to be released publicly and whether they want to receive credit for it.

The exploit is then evaluated by a zLabs committee, and a compensation offer is made to the researcher. “As a rule,” Avraham told SecurityWeek, “critical flaws — such as a full, remote exploit chain — will receive more compensation than local exploits. Once we are able to trigger a vulnerability on an older device/OS, we will provide a quote.”

“It’s simple,” he wrote in a blog post today. “We’ll buy remote or local exploits targeting any version other than the latest version of iOS and Android.”

It could be argued that by encouraging the development of N-day exploits and incorporating their detection into the z9 engine, Zimperium is increasing the threat level for any user not running Zimperium. Avraham disputes this suggestion. “While individual device owners won’t see the benefits of this program immediately,” he told SecurityWeek, “we’re doing everything we can to enhance the way that users receive security updates.

“Sophisticated attackers,” he continued, “didn’t wait for this program to research the monthly security bulletins. These vulnerabilities already exist and are explored by sophisticated actors. Making these vulnerabilities available to the Zimperium Handset Alliance (ZHA) and then the security community, decreases the chances that they will be used in targeted attacks, increases the chances of the carriers to stop these attacks, increases the chances of the vendors allocating resources to provide an update, and helps the entire ecosystem.”

In reality, the scheme formalizes and increases what Zimperium has already done. In September 2015 it published an exploit for a critical Android Stagefright vulnerability. The vulnerability had already been patched by Google, but the existence of a published exploit applied pressure on Android suppliers to deliver the patch.

It is certainly true that anything done to decrease the duration of an N-day exploit must be beneficial. But what happens if the $1.5 million runs out? “That will be a great problem to have,” said Avraham. “Depending on the success of the program we may allocate more.”
