Zerodium, a broker for security exploits, has announced that it will not be purchasing new iOS local privilege escalation (LPE), Safari remote code execution (RCE), or sandbox escape exploits for the next two to three months. The reason Zerodium gives is a high number of recent submissions for exactly these bug classes, which does not bode well for iOS security.
The company will still accept iOS one-click chains (e.g. via Safari) without persistence; however, the prices it pays for them are expected to drop soon.
Here is the complete tweet from Zerodium's official account:
We will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors.
Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.
— Zerodium (@Zerodium) May 13, 2020
Zerodium's CEO, Chaouki Bekrar, had a blunt choice of words to describe the state of iOS security, essentially saying that it is in a terrible state and that only two things keep it from collapsing entirely: Pointer Authentication Codes (PAC) and the fact that most exploits do not survive a reboot (non-persistence). He added that Zerodium is nonetheless seeing many exploits that bypass PAC, as well as a few persistence zero-days that work on all iPhones and iPads, which should be a concern for Apple.
iOS Security is fucked. Only PAC and non-persistence are holding it from going to zero...but we're seeing many exploits bypassing PAC, and there are a few persistence exploits (0days) working with all iPhones/iPads. Let's hope iOS 14 will be better.https://t.co/39Kd3OQwy1
— Chaouki Bekrar (@cBekrar) May 13, 2020
Whether iOS 14 will improve the state of iOS security is anyone's guess. Apple is reported to have changed its development process for iOS 14, which may have a positive impact.
Zerodium was paying as much as $500,000 for Safari remote code execution chained with local privilege escalation, and that figure is still listed on its website. For an iOS full chain with persistence, the company still advertises payouts of up to $2,000,000, while an Android full chain with persistence can fetch up to $2,500,000. Actual payouts vary with the capabilities of the exploit and with what Zerodium's customers are willing to pay for it.
Apple has its own bug bounty program, but it does not pay as well as Zerodium.
A steady stream of exploits reported against iOS 13, and against older versions, has had an impact on the value of iOS exploits. We have covered some of these in the past, including bugs affecting versions as old as iOS 6. A number of the iOS bugs disclosed in recent years have come from Google Project Zero, whose disclosures once led Apple to complain that Google was "stoking fear among all iPhone users that their devices had been compromised".
Android, on the other hand, is notorious for data-stealing apps that are distributed through official channels, i.e. the Google Play Store, and go undetected for years. Malware-laden apps are a common occurrence on the Play Store. Exploiting iOS bugs, by contrast, is not nearly as easy.
Things may not be as doom and gloom as Zerodium and its CEO make them out to be. Ryan Naraine, a security strategist at Intel, called the announcement PR/marketing shenanigans. After all, a company that buys exploits to profit from them has little incentive to portray the world as a secure place.
Nope. This is pure PR/marketing shenanigans https://t.co/rOG5mLnnnv
— Ryan Naraine (@ryanaraine) May 13, 2020
In a statement given to The Register, Patrick Wardle, principal security researcher at Jamf Security, said:
"To iOS security researchers/hackers, it's unlikely that Zerodium's statement comes as a surprise," he said. "iOS is just another operating system, meaning it will have exploitable bugs. And yes, they may be harder to (remotely) exploit, but we've seen it fall time and time again (as both Google Project Zero and groups such as NSO have shown)."
He also theorized that many researchers have extra time on their hands because they are stuck at home, or have lost their jobs, which may explain the recent increase in exploits being found:
"There are likely a lot of hackers stuck at home with extra time on their hands, or perhaps who have lost their jobs or are in a financial squeeze, as is a large portion of the population,"