The Million Dollar iOS Hack (Isn’t)
Reports emerged last week that a security exploit broker paid $1,000,000 for a browser-based iOS 9 attack, setting a record for buying and selling a computer exploit, at least in public. Security firm Zerodium announced the news via its Twitter feed and stated that the exploit is an “untethered jailbreak” that works on all the latest versions of iOS. This was the conclusion of a contest the company initiated on 21 September 2015. Zerodium hasn’t released more about the attack technique, so we don’t know if it works by browsing a malicious Web site, reading an email message, or receiving a text message (all were open options in the contest).
As is typical with Apple security stories these days, you shouldn’t be overly concerned, but it should raise a few hairs on the back of your neck. Zerodium plans to sell the exploit to government and defense customers. Based on rumors (and really, just rumors) among my security contacts, a reliable iOS exploit can be worth into the low six figures on exploit markets. Government agencies use such exploits for surveillance and law enforcement purposes, and iOS is consistently a tough nut to crack. While we know next to nothing about Zerodium, the odds are very low that the exploit will be used for cybercrime. The agencies that do purchase it will most likely use it judiciously in order to lengthen the lifespan of the attack and minimize the chances of Apple fixing it. Some readers most definitely need to worry, but not most.
Other organizations might buy it to incorporate into their defensive security tools. This could be security companies wanting to show they protect against the latest and greatest attacks (the truth is, all of them miss many attacks so the value is more for sales and PR than actual defense). Some organizations, typically high-value targets in defense and financial services, may even buy it to defend themselves.
Zerodium is a new startup in the burgeoning digital exploits marketplace. The company was founded by Chaouki Bekrar, formerly of the controversial firm Vupen, which was based in France. While Vupen was known for developing and selling their own exploits to governments, Zerodium appears to be focusing on purchasing and reselling exploits. By developing a customer base with big pockets, Zerodium can pay researchers rates far above what they could get from other sources, but still make money by playing middleman and reselling those exploits to multiple buyers for more typical amounts.
If Zerodium sounds like an arms dealer, you are exactly correct. This kind of activity isn’t illegal, but it isn’t exactly ethical either, especially since these companies withhold exploit details from software vendors to ensure they remain unpatched for as long as possible. This is quite different from “bug bounty” firms who mediate between security researchers and software firms and outsource communications, negotiations, and validation of vulnerabilities and exploits. A bug bounty is cash paid by a company to researchers who find security issues in their products. It provides an incentive for researchers (and others) to report the bugs to the vendor for patching instead of making them public or selling them to bad guys.
Zerodium is a dangerous entrant into the market since it alters the economics of online security: now researchers can make more money by selling their bugs to Zerodium than by notifying the vendor. Governments and other groups have long paid for exploits, but a broker increases the value of certain exploits, and will sell to multiple buyers, transferring added risks to users. This could pressure buyers to use their exploits more quickly and more often since they don’t know or trust other buyers, which may create a “race to exploit” before the value of the investment is lost. There’s also nothing restricting who Zerodium can sell to, and while it claims to sell only to NATO governments and partners, there’s no way to know for sure. Bug bounty firms make money by helping collect and report bugs so they are fixed; exploit brokers make money by leaving you vulnerable to as many clients for as long as possible.
If you think this all sounds insane, join the club.
There are a few dynamics working in favor of us normal iOS users. While those who purchase the bug have incentive to use it before Apple patches it, odds are they will still restrict themselves to higher-value targets. The more something like this is used, the greater the chance of discovery. That also means there are reasonable odds that Apple can get its hands on the exploit, possibly through a partner company, or even by focusing its own internal security research efforts. And the same warped dynamics that allow a company like Zerodium to exist also pressure it to exercise some caution. Selling to a criminal organization that profits via widespread crime is far noisier than selling quietly to secretive government agencies out to use it for spying.
In large part, this is a publicity stunt. Zerodium is a new company and this is one way to recruit both clients and researchers. There is no bigger target than iOS, and even if Zerodium loses money on this particular deal, the company certainly made a splash.
Keep in mind that we know there have been multiple exploits for all major computer platforms sold quietly for years now. Spy agencies and even some law enforcement agencies have not-so-secret programs to collect these bugs. This situation isn’t any different, other than being public, and you shouldn’t expect your iPhone to be any less secure tomorrow than it was a week ago.
One interesting aside. Apple sometimes comes under criticism for not offering bounties, especially for iOS exploits. But when a firm is willing to pay a million dollars for a single bug, the economics don’t work in Apple’s favor, bounty program or not.
We are talking about a jailbreak. It almost looks like the author of the article doesn't understand at all what a jailbreak is: it is a flaw that allows you to modify your own device. It's most probably not something an attacker could ever use against you. The article seems to blur this distinction, either deliberately, or because of a misunderstanding. It's interesting that a jailbreak is worth that much: maybe Apple has the incentive of keeping their customers away from it. Maybe the government has some interest in keeping it under lock as well, as a jailbreak would probably enable SW piracy, which means lost income for Apple and lost tax income for the government. Then again, the vast majority of iOS users don't want to jailbreak their devices, I would think; it was always a thing for a small minority of users.
Actually, that is incorrect. A "Jailbreak" is a security flaw. An untethered jailbreak is a security flaw on iOS that is persistent. One that can be triggered by a browser provides root access to the device.
Calling it a jailbreak is basically a code for exploit buyers. In the security industry, it's a way to say you cracked iOS without saying "iOS exploit". This is pretty well known and common, but only for us that are living it every day. Kind of sneaky, to be honest.
Interesting, I stand corrected then, and apologize.
Regardless of the content of this conversation, I applaud the civility of the posters.
It's refreshing to witness.
I had the same thoughts. I think the uninformed on security (me) limit the term "Jailbreak" to messing with one's own phone. That it has a wider definition is probably not well known.
What?!? They plan on selling this to the government? But not to worry, right? The government is our friend and they are just here to help.
How do we know this doesn't end up as just another tool for government surveillance, with no warrant needed, of course?
That's the problem - Zerodium isn't just selling this to "the" government (whichever one you're referring to); they could be selling it to multiple governments, along with large corporations in the defense contracting business. But it's quite unlikely to be used against everyday users because it's more valuable as something to use against specific high-value targets.
Of course, as Rich said, this isn't really new either. It's just the first time a company has done it so publicly.