A new security company known as Zerodium has come up with a 7-figure way to make a very loud splash as it enters the field.
It’s got $1 million (about £651,000) in bug bounty money burning a hole in its pocket, and it’s looking to spend it on what’s thought to be the biggest bounty ever publicly offered for a technique that can successfully break into an iPhone or iPad running Apple’s newly released iOS 9.
The statement on Zerodium’s website announcing the bounty describes iOS as being a worthy target, given Apple’s work to make it secure:
Due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple's iOS is currently the most secure mobile OS.
But just because it’s tough to break it doesn’t make breakage impossible, Zerodium says:
Don’t be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here’s where the Million Dollar iOS 9 Bug Bounty comes into play.
The company says it’s willing to pay the bounty multiple times, though it may cap the payouts at $3 million.
According to its site, Zerodium is willing to pay out more for zero-days than other bug bounty programs because it’s interested in quality more than quantity:
The majority of existing vulnerability acquisition programs focus on the quantity instead of quality so they usually acquire any kind of vulnerabilities but pay researchers low rewards. At ZERODIUM we pay higher rewards as we only focus on and acquire high-risk vulnerabilities with fully functional/reliable exploits affecting modern operating systems, software, and devices.
To qualify for the hefty bounty, the initial attack has to work through:
- A webpage targeting either the mobile Safari or Google Chrome browsers in their default configuration,
- A webpage targeting any app reachable through the browser, or
- A text message or a media file delivered through an SMS or MMS message.
Zerodium, launched in July, may well be new, but founder Chaouki Bekrar is a familiar face in the zero-day industry, and he’s no stranger to discovering zero-days and figuring out how best to cash in on them.
Bekrar is the founder of the French firm Vupen, which has been atypically, unabashedly frank about developing intrusion techniques for popular software that it then sells to government agencies around the world.
Likewise, Zerodium describes its customers as being “major corporations in defense, technology, and finance, in need of advanced zero-day protection, as well as government organizations in need of specific and tailored cybersecurity capabilities.”
During the 2012 Pwn2Own contest, Vupen was responsible for bringing Chrome’s boastful track record of fending off attacks crashing down.
As Forbes told the story, Vupen had declined to enter Google’s contest and instead dismantled Chrome’s security to win an HP-sponsored hackathon at the same conference.
Bekrar couldn’t be bothered with Google’s piddly $60,000 award, paid to each of the two hackers who won its event on the condition that they tell Google every detail of their attacks and help the company fix the vulnerabilities they had used.
Bekrar said that Vupen never had the slightest intention of telling Google its secret techniques – and most certainly not for chump change:
We wouldn't share this with Google for even $1 million. We don't want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.
Saving serious zero-days for paying customers to use in secret – instead of alerting the companies whose technologies are being picked apart – is likewise going to be the modus operandi for Zerodium, which is requiring that any iOS bug discovered is not to be reported to Apple or publicly disclosed.
In fact, Bekrar has admitted in past interviews that he’s not sure where his tools wind up or what they’re used for.
From a 2012 interview with Forbes’s Andy Greenberg:
We do the best we can to ensure it won't go outside that agency. But if you sell weapons to someone, there's no way to ensure that they won’t sell to another agency.
The practice of turning a blind eye to what buyers do with the hacking tools, and whether they’re being used with or without warrants or in violation of human rights, has caused ACLU lead technologist Chris Soghoian to deem Vupen a “modern-day merchant of death” that sells “the bullets for cyberwar.”
As Wired frames it, the fat iOS bounty ushers Bekrar into a new role: instead of just creating zero-days, he’s now entering into the business of brokering them.
If any of the zero-days Zerodium is setting itself up to broker reaches our attention, we’ll be sure to bring it to public attention.
But with its business plan and hush-hush practices, it seems highly unlikely that we’ll hear about these zero-days – at least, perhaps not until another Edward Snowden rises to enlighten us all.
Image of $1M dollar bill courtesy of Shutterstock.com
Sammie
I guess a zero day on iOS9 will be worth a lot more. Put it on an auction site and the figures could be many fold.
Anonymous
so with those rules I can’t win. Anyone want to buy an update backdoor? all you need is the phone number. jk
Ian T
Neat idea – effectively crowd-sourced vulnerability analysis. Small money compared to actually running a team to do the work on an hourly rate basis I expect – they don’t have to pay for the failures.
Colin P
Bug bounty programmes have a place when run by the software owner for the purpose of improving the software, but for so-called ‘security’ companies to operate is this way is a step too far. Sad to see not even a slight suggestion that this is immoral, even if not technically illegal.
Paul Ducklin
I think the idea of the article is to get you to reach your own decision…
To me, the interesting thing is how the jailbreaking world will deal with this. I expect there will be some jailbreakers to whom $1,000,000 – no matter how desirable in quantity – earned this way would be tainted money. But it would only take one insider to take the collective work of the community and sell it to Zerodium…and that would sort of crush the jailbreaking world, but not in the way that even Apple probably wants.
Best reaction, IMO, might be for Apple to open up to the jailbreakers, and give them something community-sprited to work towards (officially-sanctioned jailbreaks, perhaps in return for legally-voided warranties). That may very well lead to a world in which the sort of holes Zerodium are after will probably get responsibly disclosed anyway, not hoarded for sale to who knows whom.