Over the last few days, we learned a lot about a series of malicious website exploits that targeted iPhones for a number of years. This evening, a new report from Vice tells us more about the current state of the security industry and how the number of iOS exploits keeps growing.
Zerodium, one of the numerous “vulnerability brokers” out there, announced a new pricing structure which values Android exploits higher than iOS exploits. Now, Android exploits which allow the complete takeover of devices where it’s not necessary for the user to click on anything,
In the meantime, Zerodium has also reduced the value of a 1-click iOS exploit from $1.5 million to $1 million.
Chaouki Bekrar, founder of Zerodium, says this is owing to the zero-day market being swamped with iOS exploits:
“The zero-day market is flooded by iOS exploits, mostly Safari and iMessage chains, mainly due to a lot of security researchers having turned their focus into full time iOS exploitation. They’ve absolutely destroyed iOS security and mitigations. There are so many iOS exploits that we’re starting to refuse some of them.”
Speaking about Android, Bekrar says that “it’s very hard and time consuming to develop full Android exploit chains.” Android exploits are more valuable until Apple “re-improves the security of iOS components such as Safari and iMessage,” he added.
Crowdfense is another company that buys zero-day exploits with the intention of selling them to governments. Its director, Andrea Zapparoli Manzoni, confirmed that there are now many more iOS exploits than Android ones, but with a caveat:
In an email, he wrote, “There are more iOS chains on the market but not all of them are ‘intelligence-grade.’ Many researchers are trying to get top payouts (like the ones we pay) but not all of them can deliver the ‘right stuff.’”
In this case, Android’s fragmentation is in fact helpful, Zapparoli Manzoni said:
“Android is such a fragmented landscape that a ‘universal chain’ is almost impossible to find; much harder than on iOS which is a ‘monoculture.’”
Vice notes that the important thing to consider here is that Crowdfense and Zerodium comprise only a part of the exploit market. That means we may not know the whole story.
Moreover, Apple itself recently made its own bug bounty program more enticing, announcing higher payouts and a new iOS Security Research Device program where it will distribute pre-jailbroken iPhones to researchers. This shows a renewed emphasis on bounty programs from Apple and could help to counteract what some exploit vendors are observing.