Reports emerged last week that a security exploit broker paid $1,000,000 for a browser-based iOS 9 attack, setting a record for buying and selling a computer exploit, at least in public. Security firm Zerodium announced the news via its Twitter feed and stated that the exploit is an “untethered jailbreak” that works on all the latest versions of iOS. This was the conclusion of a contest the company initiated on 21 September 2015. Zerodium hasn’t released more about the attack technique, so we don’t know if it works by browsing a malicious Web site, reading an email message, or receiving a text message (all were open options in the contest).
As is typical with Apple security stories these days, you shouldn’t be overly concerned, but it should raise a few hairs on the back of your neck. Zerodium plans to sell the exploit to government and defense customers. Based on rumors (and really, just rumors) among my security contacts, a reliable iOS exploit can be worth into the low six figures on exploit markets. Government agencies use such exploits for surveillance and law enforcement purposes, and iOS is consistently a tough nut to crack. While we know next to nothing about Zerodium, the odds are very low that the exploit will be used for cybercrime. The agencies that do purchase it will most likely use it judiciously in order to lengthen the lifespan of the attack and minimize the chances of Apple fixing it. Some readers most definitely need to worry, but most do not.
Other organizations might buy it to incorporate into their defensive security tools. These could be security companies wanting to show they protect against the latest and greatest attacks (the truth is, all of them miss many attacks, so the value is more for sales and PR than actual defense). Some organizations, typically high-value targets in defense and financial services, may even buy it to defend themselves.
Zerodium is a new startup in the burgeoning digital exploits marketplace. The company was founded by Chaouki Bekrar, formerly of the controversial firm Vupen, which was based in France. While Vupen was known for developing and selling their own exploits to governments, Zerodium appears to be focusing on purchasing and reselling exploits. By developing a customer base with big pockets, Zerodium can pay researchers rates far above what they could get from other sources, but still make money by playing middleman and reselling those exploits to multiple buyers for more typical amounts.
If Zerodium sounds like an arms dealer, you are exactly correct. This kind of activity isn’t illegal, but it isn’t exactly ethical either, especially since these companies withhold exploit details from software vendors to ensure they remain unpatched for as long as possible. This is quite different from “bug bounty” firms who mediate between security researchers and software firms and outsource communications, negotiations, and validation of vulnerabilities and exploits. A bug bounty is cash paid by a company to researchers who find security issues in their products. It provides an incentive for researchers (and others) to report the bugs to the vendor for patching instead of making them public or selling them to bad guys.
Zerodium is a dangerous entrant into the market since it alters the economics of online security: now researchers can make more money by selling their bugs to Zerodium than by notifying the vendor. Governments and other groups have long paid for exploits, but a broker increases the value of certain exploits, and will sell to multiple buyers, transferring added risks to users. This could pressure buyers to use their exploits more quickly and more often since they don’t know or trust other buyers, which may create a “race to exploit” before the value of the investment is lost. There’s also nothing restricting who Zerodium can sell to, and while it claims to sell only to NATO governments and partners, there’s no way to know for sure. Bug bounty firms make money by helping collect and report bugs so they are fixed; exploit brokers make money by leaving you vulnerable to as many clients for as long as possible.
If you think this all sounds insane, join the club.
There are a few dynamics working in favor of us normal iOS users. While those who purchase the bug have incentive to use it before Apple patches it, odds are they will still restrict themselves to higher-value targets. The more something like this is used, the greater the chance of discovery. That also means there are reasonable odds that Apple can get its hands on the exploit, possibly through a partner company, or even by focusing its own internal security research efforts. And the same warped dynamics that allow a company like Zerodium to exist also pressure it to exercise some caution. Selling to a criminal organization that profits via widespread crime is far noisier than selling quietly to secretive government agencies out to use it for spying.
In large part, this is a big publicity stunt. Zerodium is a new company, and this is one way to recruit both clients and researchers. There is no bigger target than iOS, and even if Zerodium loses money on this particular deal, the company has certainly made a splash.
Keep in mind that we know there have been multiple exploits for all major computer platforms sold quietly for years now. Spy agencies and even some law enforcement agencies have not-so-secret programs to collect these bugs. This situation isn’t any different, other than being public, and you shouldn’t expect your iPhone to be any less secure tomorrow than it was a week ago.
One interesting aside: Apple sometimes comes under criticism for not offering bounties, especially for iOS exploits. But when a firm is willing to pay a million dollars for a single bug, the economics don’t work in Apple’s favor, bounty program or not.