The price of some iOS exploits has dropped recently, and at least one exploit acquisition company has temporarily stopped buying certain types of iOS exploits. Experts believe this is due to the increasing attention security researchers are paying to finding vulnerabilities in iOS.
Exploit acquisition company Zerodium announced last week that it will not purchase certain types of iOS exploits for the next two to three months due to a surplus. It also said that prices for iOS exploit chains that require some user interaction and do not provide persistence are likely to fall in the near future.
In addition, Chaouki Bekrar, CEO and founder of Zerodium, said that iOS security is broken, noting that the company has seen many exploits that bypass Pointer Authentication Codes (PAC), a mitigation against memory corruption exploits, as well as several zero-day exploits that can help an attacker achieve persistence on all iPhones and iPads.
The Zerodium website offers up to $2 million for full iOS exploit chains that achieve persistence and do not require user interaction. By comparison, the same type of exploit chain for Android can fetch up to $2.5 million.
The company also offers up to $500,000 for iOS persistence exploits, as well as for remote code execution and local privilege escalation via iMessage or Safari vulnerabilities. Hackers can earn up to $200,000 for Safari remote code execution without the sandbox escape component, and the same amount for the sandbox escape alone.
Bekrar, however, says they have seen an increase in iOS submissions in recent months, including Safari remote code execution, sandbox escapes and privilege escalation exploits. This forced his company first to reduce prices and then to suspend the purchase of such exploits entirely for the next two or three months.
This increase is probably due to the growing number of researchers working on iOS, and likely also to the availability of public jailbreaks that make it easier for researchers to reverse engineer iOS devices and find bugs more quickly. On the other hand, the number of Android submissions remains stable, he explained.
"Our prices for zero-click exploits and persistence remain the same so far, as these capabilities are unicorns and only a few are available per year," Bekrar added.
Zerodium offers high rewards for a wide range of vulnerabilities, but the company says it only accepts high-quality exploits, which it sells exclusively to government organizations, mainly in Europe and North America.
Alfonso de Gregorio, founder of exploit acquisition company Zeronomicon, confirmed that there is a surplus of iOS local privilege escalation exploits.
"Some of the existing mitigations have been successfully bypassed, indicating that security researchers are making significant progress. This will affect the price of these exploits, as long as the demand for them does not change significantly," De Gregorio told SecurityWeek.
Zeronomicon, which offers products to governments and private companies, claims to have more than 1,000 satisfied customers. The company, which also says it adheres to high ethical standards, claims to provide organizations with specific cybersecurity capabilities, actionable vulnerability information, and risk mitigation strategies.
"I founded Zeronomicon to help my colleagues in the security industry turn their talent and knowledge into profit, which means that the amount paid for each security capability always reflects the best market and other conditions at the time of purchase," De Gregorio said.
"Market prices reflect changes in supply and demand," he added. "This is not the first or last time payments are adjusted to the new values assigned to exploit chains, as was the case for web browser exploits many years ago."
Zerodium and Zeronomicon would not say exactly how much prices have fallen or how much they could fall in the future.
Zuk Avraham, founder of mobile security company Zimperium and cybersecurity automation company ZecOps, also confirmed that the price of iOS exploits has dropped. According to him, iOS security research has become much more popular, and many researchers are attracted by the high prices paid for exploits and the growing number of resources they can learn from (e.g. vulnerability write-ups, blogs).
"Much of the iOS code hasn't been touched for years, we know that many vulnerabilities have not been properly fixed, and in general there are many vulnerabilities in iOS – far more than most people think or know," Avraham said in an interview with SecurityWeek.
It remains to be seen to what extent the upcoming iOS 14 and A14 mobile processors will improve security.
"A14 devices are expected to include memory tagging protection, which could render some exploits useless – so many researchers are now dumping their exploits and trying to get paid for them," Avraham said.
Both Zimperium and ZecOps have launched mobile exploit acquisition programs, but they focus on vulnerabilities that have already been patched rather than zero-day bugs.
ZecOps recently reported observing targeted attacks exploiting unpatched vulnerabilities in the iOS Mail application. Apple confirmed the existence of the flaws, but disputed the claims of active exploitation.
Charles Ragland, a security engineer at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, believes Apple's well-paying bug bounty program has drawn attention to the platform, allowing researchers to identify a significant number of vulnerabilities.
"With more attention and more exploits, it is no wonder that iOS exploit prices have fallen," said Ragland. "It is likely that researchers will move on to more lucrative targets in the coming weeks, and we will see an increase in the price of exploits for other devices or operating systems."
What do the prices say about the state of iOS security?
There has always been debate over whether Android or iOS is more secure, and although many years ago it was generally agreed that iOS was better in terms of security, the significant number of vulnerabilities and attacks targeting the platform in recent years have shown that Apple's mobile operating system is not as secure as many people think, especially against a well-resourced adversary.
"The zero-day market is based on supply and demand. An increase in the supply of zero-day exploits for a particular product means that the security level of that product is decreasing, and the price drops because there are too many exploits," Bekrar said. "Of course, we cannot draw a definitive conclusion about the overall security level of a system based only on the price per exploit or the number of exploits available, but these are very strong indicators that cannot be ignored."
"The fact that [Zerodium] will no longer pay for [certain types of iOS exploits] is an indication of the high availability and current state of this mobile platform," Robert Nickle, a mobile security researcher at Lookout, told SecurityWeek. "Although iOS is a relatively secure mobile operating system, there are still ways to exploit it, so it's beneficial for users to apply extra protection to these devices."
De Gregorio of Zeronomicon said that, as far as software developed by Apple is concerned, "I can say it has never been free of vulnerabilities. Their exploitation has generally been hampered by mitigation measures, both in hardware and software."
Apple did not respond to a request for comment.
Related: Zerodium Offers $500,000 for VMware ESXi, Microsoft Hyper-V Exploits
Related: Apple Pays Researcher $75,000 for Camera Hacking Vulnerabilities
Related: Corellium: Apple Sued Us After Failed Acquisition Attempt
Related: iOS 9.1 Jailbreak Earns Hackers $1 Million
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia's security news reporter. Eduard holds a bachelor's degree in industrial informatics and a master's degree in computer techniques applied in electrical engineering.