
iPhone Hacks Are Flooding the Market, Says iOS Exploit Buyer

'The last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains,' says cyber arms dealer Zerodium. As a result, it's offering more money for Android exploits than for iOS hacks for the first time.

By Michael Kan
September 3, 2019
Image: iPhone 8/8 Plus

The iPhone may be more vulnerable than we thought. A company that buys hacking tools is claiming the market is now "flooded" with exploits that can crack iOS security protections.

Cyber arms dealer Zerodium is known for purchasing attacks on unpatched vulnerabilities in iOS and Android, and then selling access to them to government clients. The company currently offers up to $2 million for exploits that can hack an iPhone without any interaction from the user.

However, the supply for iOS exploits has been getting crowded. "The last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world," Zerodium CEO Chaouki Bekrar told BleepingComputer.

"The zero-day market is so flooded by iOS exploits that we've recently started refusing some [of] them," he added.

As a result, Zerodium is now paying more for Android exploits than for iOS bugs for the first time: up to $2.5 million for a full-chain, zero-click attack on Google's operating system, it announced on Tuesday. (A chain refers to using several vulnerabilities in a product to hack a victim. Usually exploiting one vulnerability isn't enough; it must be linked with additional flaws to gain full compromise.)

At the same time, the company has lowered payouts for "one-click" exploits on iOS and iMessage, which require the victim to click on a link in order for the attack to activate.

Bekrar claims that Android security has been improving with every new release of the OS, which is now entering Android 10. "So it became very hard and time consuming to develop full chains of exploits for Android and it's even harder to develop zero-click exploits not requiring any user interaction," he said.

Not everyone agrees with Zerodium's assessment. A separate company that also buys hacking tools, Crowdfense, told PCMag there are, indeed, more iOS exploits on the market than before. However, not all the exploits are truly "intelligence-grade" and usable by government clients.

"To put it differently, many researchers are now trying to get top payouts (like the ones we offer) researching iOS exploits, but not all of them can deliver the 'right stuff,'" the company said in an email.

"So (at least in our case) the higher number of iOS chains being offered is not impacting the number of good [exploit] chains that we are selecting nor their economic value," the company added. "It is only complicating our scouting and evaluation work, adding 'noise' to the market."

So far, Apple hasn't commented on Zerodium's claim. But iOS security has faced heightened scrutiny after Google security researchers discovered that a mysterious group of hackers had been secretly installing spyware on numerous iPhones for at least two years. The attacks, which involve exploiting 14 previously unknown vulnerabilities in iOS, can be delivered simply by getting the victim to visit a hacker-rigged website.

Although Google had refrained from attributing the attacks, there's evidence to suggest the hackers were affiliated with the Chinese government, and targeting members of the Uyghur Muslim ethnic minority. The attacks were able to steal files from installed apps including WhatsApp, Gmail, and iMessage, in addition to products from Chinese companies such as Tencent and Netease. Fortunately, Apple patched the vulnerabilities in February, but Zerodium's statements suggest plenty of other flaws in iOS still remain.

Crowdfense said when government clients refuse to buy lower-quality iOS exploits they can end up in the hands of other customers, such as cybercriminals. "So we might see a surge of attacks targeting iOS devices due to the increased availability of low-value, non intel-grade [iOS exploits]," the company said.

To entice security researchers and hackers to disclose vulnerabilities to Apple, the company is set to expand its bug bounty program, which was previously invite-only. The program will be open to all this fall, and Apple says it'll pay anyone $1 million for a zero-click iOS exploit chain.

Editor's Note: This story has been updated with comment from Crowdfense.
