Mikey Campbell
Software vulnerability brokers have lowered payout rates for iOS exploits, saying a recent "flood" of iPhone zero-days makes the bugs less valuable than comparable attacks designed to penetrate Android.
Exploit reseller Zerodium on Tuesday announced higher going rates for Android vulnerabilities, with the firm now paying out up to $2.5 million for so-called zero-click zero-days, reports Motherboard.
As the value of Android exploits increases, the market health of zero-days designed to thwart iOS protections stagnates due to what can be characterized as a supply glut. Zerodium, for example, pays out $2 million for zero-click vectors targeting iPhone, and decreased payouts for one-click attacks from $1.5 million to $1 million, the report said.
Zero-click exploits refer to vulnerabilities that can be leveraged to hack a device without user interaction, while zero-days are defined as bugs, exploits and other flaws that are as yet unknown to platform operators. Zero-days are particularly prized assets for hackers — both lawful and nefarious — looking to break into locked-down devices like iPhone.
"The zero-day market is flooded by iOS exploits, mostly Safari and iMessage chains, mainly due [to] a lot of security researchers having turned their focus into full time iOS exploitation," said Zerodium founder Chaouki Bekrar. "They've absolutely destroyed iOS security and mitigations. There are so many iOS exploits that we're starting to refuse some of them."
The director of exploit buyer Crowdfense, Andrea Zapparoli Manzoni, agrees with Bekrar's assessment of the market, but notes not all iOS chains are "intelligence-grade." Still, it appears the supply of vulnerabilities more than sates demand.
Bekrar added that Android is becoming increasingly difficult to crack, in part due to fragmentation. The multi-version, multi-device nature of Google's operating system has long been considered a weakness in terms of consistency and stability, but it is this very "feature" that might prove useful in protecting against widespread attack, the report said.
"Android is such a fragmented landscape that a 'universal chain' is almost impossible to find; much harder than on iOS which is a 'monoculture,'" said Zapparoli Manzoni.
Bekrar elaborated, saying Android's constantly improving security is making bug discovery more difficult for researchers. He seemingly implies Apple is not keeping pace with its iOS efforts.
"The security of Android is however improving with every new OS release. It's very hard and time consuming to develop full Android exploit chains and it's even harder for zero-click vectors (not requiring any user interaction)," Bekrar said. "We believe that the time has come to pay the highest bug bounty for Android exploits until Apple re-improves the security of iOS components such as Safari and iMessage."
As noted by Motherboard, brokers like Zerodium and Crowdfense comprise only a subsection of a much wider market dealing in software vulnerabilities. Other players include firms who broker deals solely with law enforcement and government agencies, regional research firms and rogue actors.
Zerodium's new bounty pricing arrives days after Google's Project Zero announced the discovery of a massive iPhone hacking operation. Over a period of what is thought to be years, a series of hacked websites took advantage of multiple vulnerabilities to disseminate a software implant capable of swiping sensitive user information and tracking the location of modern iPhones running the latest versions of iOS.
A follow-up report claimed the Chinese government used the hack to monitor Uyghur Muslims.
David Schloss
Christine McKee
Amber Neely
Malcolm Owen
Andrew O'Hara
William Gallagher
Oliver Haslam
20 Comments
It’s not as if Apple would have difficulty attracting talent and hiring them. I wonder why they’re dropping the ball on exploits. They should be leading the pack.
I have no doubt there’s a large number of zero day exploits out there (over the course of a year). But, I’m not buying what this guy is selling.
The goal is to infect the most number of devices, that determines the “value” of an exploit. There are more Android devices out there so naturally they’re worth more. There’s no “glut” of iOS exploits affecting price.
The easy way to attack any device with a browser is the browser itself. The question is if social engineering is even easier with a browser, getting people to go to infected sites, or to download an infected app.
Is Apple’s “walled garden” App Store still better? Probably...
Google does spend quite a bit on security, so it’s possible they’ve done a better job sandboxing the apps. But, it’s not likely given they’re given deeper access to the system.
The biggest suspect thing that was said was about the fragmentation of Android being a positive. That has to be B.S. There’s a huge number of Android devices not getting updates, that means any exploit is going to have longer legs. If the fragmentation is referring to hardware, then it’s possible. Hardware related exploits would be the most difficult to find. So, while Apple would be more effected by an exploit, I’d think the number of exploits found would be small.
My main takeaway is Apple needs to focus on browser security. Last I checked, iOS device users are heavy browser users, so the importance of making Safari rock solid (with regards to security) can’t be understated. All the browsers on iOS use the same underpinnings unlike Android so that’s a huge potential problem.
Safari also does not allow browser plugins on iOS. Many of those plugins improve the browsers security (like NoScript). Apple has talked about a “desktop class browser” on iPad OS...so maybe that will change.
seanismorris
, I agree with you that many of the inferences in the article are poorly justified and not credible. The claim that a “glut” of exploits for iOS is responsible for the lower price of exploits being sold suggests that there is a limited budget for such sales and the prices fall when there are too many of them. I don’t think that there is evidence for such market limits.
One would also imagine that the more malicious and damaging the exploits, the higher price that organizations would pay for them, suggesting that Android exploits are more malicious and damaging.
As you point out, the other reason why prices for Android exploits are high is because there are more Android users.
More exploits for iOS is consistent with the greater wealth of iOS users. The fact that Apple responds quickly to the presence of exploits and almost all iOS users upgrade their operating systems relatively quickly means that exploits are more rapidly and definitively neutralized, reducing their value.