A year ago, vulnerability broker Zerodium made the headlines when it offered a stonking one million dollars to anybody who could come up with a zero-day remote exploit for iOS 9. Sure enough, someone came up with the goods: a browser-based, untethered jailbreak for iOS 9 using a zero-day vulnerability.
Of course, Zerodium wasn’t being altruistic. It offers huge prizes to vulnerability researchers if they can find ways to crack into operating systems, because it knows that those exploits can then be sold on (at a profit) to governments and intelligence agencies. Zerodium’s customers then use them to spy on suspected criminals, terrorists, foreign nations and other people they want to keep tabs on.
Who loses out? Well, we all do – apart from Zerodium, the intelligence agency and the guy who picks up the pay cheque. Zerodium doesn’t share details of the exploit with vendors like Apple, Google, Microsoft or Adobe who might be able to fix the security hole to make our devices and communications safer.
Of course, the likes of Apple, Google, and others do offer bug bounties for researchers who wish to share details of their vulnerability discoveries responsibly, and want to see them fixed for the increased safety of all of us. But the tech companies don’t come anywhere close to offering the same kind of monetary reward as Zerodium.
So, if you had a zero-day vulnerability for remotely hacking an iPhone would you tell Apple or Zerodium?
The good news is that it’s not quite as black-and-white a choice as the sheer monetary rewards would suggest. Many of the folks who uncover security holes in software feel passionately about what they are doing, and about the importance of privacy. Even with Zerodium offering such huge sums of money, they may find the idea of their exploit being used by an oppressive government to spy upon its citizens too big a price to pay.
Zerodium needs exploits, however, for its eager customers. And so it has upped its rewards even further. It’s offering $1.5 million to anyone who can come up with a working remote iOS 10 jailbreak vulnerability.
The prices aren’t as high if you can do something similar on Android. The bounty for that has doubled, to $200,000, which suggests not only that Android is an easier nut to crack, but also that there is simply greater demand for ways to spy upon users of Apple iOS devices.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.