Prices for James Bond-style hacks continue to grow, especially for those that compromise iPhones and secure messaging apps. It’s the latest sign that governments and police around the world are as eager as ever to exploit software that is extremely difficult to compromise.
On Monday, commercial exploit broker Zerodium said it would pay up to $2 million for zero-click jailbreaks of Apple’s iOS, $1.5 million for one-click iOS jailbreaks, and $1 million for exploits that take over the secure messaging apps WhatsApp and iMessage. Previously, Zerodium offered $1.5 million, $1 million, and $500,000 for the same types of exploits respectively. The higher prices indicate not only that the demand for these exploits continues to grow, but also that reliably compromising these targets is becoming harder.
“I think one conclusion is that targets are getting harder to exploit,” Patrick Wardle, a former hacker for the National Security Agency and now the founder of Digital Security, told Ars. “But another is that there is a higher demand for abuses.” He continued:
In many cases, customers/buyers don’t want to share exploits — so (it) can be exclusive access. If there are fewer buyers now, (it) means more demand, means the price will go up. I think it’s a good time to be a bug hunter/hacker. And (it) should continue to be a wake-up call for companies to realize that having a complete bug bounty program is a must.
One-click and zero-click exploits
The types of exploits that Zerodium looks for are those that compromise a targeted device or app with little or no interaction from their users. Police and state-backed spies around the world rely on these types of attacks to intercept messages from criminals, terrorists, and other targets and to monitor their location and online activities in real time.
Sometimes, activists and civilians are also targeted by such exploits, as was the case in 2016. That is when a researcher in the United Arab Emirates was targeted by malware that required him only to click on a web link to infect his iPhone. A one-click jailbreak earning $1.5 million from Zerodium is comparable to the exploit that targeted him. (The 2016 attack, which exploited what appear to be three unspecified vulnerabilities in iOS, was developed by Israel-based NSO Group and has no known link to Zerodium.) Once the link is clicked, the exploit gives the attackers complete control over the infected iPhone.
The target, however, was never infected because he suspected that the link in the text message was a trap, and asked security experts to intervene. The zero-click exploit for which Zerodium is offering $2 million presumably would have worked anyway. As mentioned, it would give the attackers the same control but would not require the target to click on any link to get infected.
Monday’s updated list also doubled the payouts for exploits that target the messaging apps WhatsApp and iMessage. Interestingly, exploits for Signal, an encrypted messaging app that is considered the gold standard by many engineers, journalists, and lawyers, remain at $500,000, the same price as before. The larger user base for WhatsApp and iMessage is likely driving the price differences announced on Monday.
Zerodium announced increases for several other exploits, including:
- $1 million for zero-click arbitrary code execution attacks in Windows (previously $500,000)
- $500,000 for remote code executions in Chrome that escape the security sandbox (previously $250,000 or $200,000, depending on OS)
- $500,000 for Apache or Microsoft IIS RCEs, i.e., remote exploits via HTTP(S) requests (previously $250,000)
- $500,000 for local privilege attacks against Safari that include a sandbox escape (previously $200,000)
- $250,000 for Outlook RCEs, i.e., remote exploits via malicious email (previously $150,000)
- $250,000 for PHP or OpenSSL RCEs (previously $150,000)
- $250,000 for Microsoft Exchange Server RCEs (previously $150,000)
- $200,000 for VMware ESXi virtual machine escape, i.e., guest-to-host escape (previously $100,000)
- $200,000 for local privilege escalation to either kernel or root for Android or iOS (previously $100,000)
- $100,000 for local PIN/passcode or Touch ID bypass for Android or iOS (previously $15,000)
- $80,000 for Windows local privilege escalation or sandbox escape (previously $50,000)
Zerodium has said it sells exploits only to legitimate governments, but has never provided details to verify those claims. It has been one of the top brokers for exploits since it made its debut in 2015 with an offer of $1 million for reliable iOS exploits, along with offers for a large number of other platforms and apps. Since then, Zerodium has steadily increased those prices.
Wardle, a former NSA hacker, said he has no reason to doubt that Zerodium is making a good living while paying those prices.
“I know of a lot of full remote iOS exploit chains… so they’re definitely out there,” he explained. “And I know customers who will pay more than $1.5 for those. So I don’t see a reason to doubt that Zerodium both buys and sells (for profit) such bugs.”