Complaining of 'Surplus' of iOS Exploits, Zerodium Stops Buying Them (securityweek.com)
wiredmikey writes: An abundance of iOS exploits being submitted to be sold should alarm iPhone/iPad users, according to the CEO of exploit acquisition firm Zerodium. The company announced that it was no longer buying certain types of iOS exploits in the next two to three months [including local privilege escalation, Safari remote code execution, and sandbox escape exploits] due to a surplus. And the company expects prices to drop in the near future.
"iOS Security is fucked," Chaouki Bekrar, CEO of Zerodium said on Twitter, noting that they are already seeing many exploits designed to bypass pointer authentication codes and a few zero-day exploits that can help an attacker achieve persistence on all iPhones and iPads. "Let's hope iOS 14 will be better," he added.
Bekrar said that only pointer authentication codes — which provide protection against unexpected changes to pointers in memory — and the difficulty to achieve persistence "are holding [iOS security] from going to zero."
Maybe so, but .... (Score:2)
Without knowing Zerodium's budget or goals, statements like this are only somewhat meaningful.
After all, they could have a "surplus" of exploits for iOS because they can't cost-justify buying more than a dozen or so at a given time? And maybe their business model demands they buy FAR more of them for platforms like Windows right now?
I have no doubt iOS is full of exploits. That's perhaps a bit disappointing, given how much Apple talks up security as a "value" of theirs these days. But you have to realize t
You only need 1-3 to own the device (Score:4, Insightful)
One remote code escalation and one privilege escalation is all I need to completely own the device. And maybe a pointer bypass.
If I were in the business of buying and selling them, I'd have to assume that Apple will fix some, so I'd want to keep in my inventory at least three different types of each. That is to say, not three variations or three different ways to exploit the same fundamental problem, but three fundamentally different remote code execution flaws, three very different privilege escalations, and three ways to bypass pointer authentication. That would be all I need to gain full control of iOS devices for the next couple of years.
Re: (Score:2)
"If I were in the business of buying and selling them..."
This isn't the business Zerodium is in, though. Selling exploits and "gain[ing] full control of iOS devices" is not what they do.
Re:You only need 1-3 to own the device (Score:4, Informative)
> > Well Zerodium disagrees with "If I were in the business of buying and selling them..."
> This isn't the business Zerodium is in, though.
about what business they are in. Here's where they buy them:
https://zerodium.com/program.h... [zerodium.com]
And here is where they sell them:
https://zerodium.com/solutions... [zerodium.com]
Maybe you should email them and tell them what business you think they are in.
On a completely unrelated note, whatcha drinking today?
Re: (Score:2)
"And here is where they sell them:
https://zerodium.com/solutions... [zerodium.com]
"
Except that's NOT what that says, it's just what you want to claim it says to suit your narrative.
Also, suggesting that I am "Zerodium" as you have above is a sleazy move and suggests that you have no problem with the ethics of bad faith arguments.
Re: (Score:2)
"Additionally to acquired zero-day research (aka they are buying fucking exploits,) ZERODIUM conducts its own internal research efforts (attacking and gaining control of iOS devices in their fucking possession) and provides all the zero-day intelligence including fully function exploits, along with protective measures and security recommendations, to its clients as part of the ZERODIUM Zero-Day Research Feed" (sells the fucking exploits)
It ABSOLUTELY says that and your reading comprehension skills have gone
Re: (Score:2)
"...provides all the zero-day intelligence including fully function exploits..."
This does NOT say they sell exploits, this says they provide "zero-day intelligence". Yes, their product includes information on exploits but they offer value add to that, they are more than a middleman for criminal activity. The OP has made a gross and deliberate mischaracterization of their business, and now you rush in to support it.
On their about page it says "ZERODIUM rewards security researchers to acquire their zero-day
Then why are they not buying? (Score:2)
Occam's Razor suggests that Zerodium are a front for the companies that build hacking tools for American and allied intelligence agencies.
Re: (Score:1)
Again, they are in the business of providing intelligence which includes analysis and documentation of exploits.
So no, they are not in the business of selling exploits.
You're right - they are in the business of selling analysis, documentation AND fully-functioning exploits ;-)
"ZERODIUM conducts its own internal research efforts and provides all the zero-day intelligence including fully function exploits"
Re: (Score:1)
"This does NOT say they sell exploits"
Because of course you'd fucking refuse to read any further than that, even two words afterwards gets into "along with protective measures and security recommendations, to its clients"
In other words, they sell the exploit, protection against the exploit, and information regarding how they made the exploit and what it targets.
Go the fuck back to school.
Re: (Score:2)
I have no doubt iOS is full of exploits. That's perhaps a bit disappointing, given how much Apple talks up security as a "value" of theirs these days.
Considering how much effort and expense Apple put into their security team, it is surprising they haven't done better. TPM chip isn't much good if there's an open back door.
I take this to mean that security can't be attached later as an afterthought. It's a team effort, and you need to teach your team to write secure code, because otherwise they will write insecure code.
Another possible explanation (Score:5, Interesting)
The number of -actually exploitable vulnerabilities- is relatively low. (Otherwise, we'd see a heluva lot of actual infections.) Thus these people could decide to not spend money on exploits they can't use.
I have no way of testing this hypothesis directly. But I'm not losing sleep over this, based on the overall track record for IOS.
They never bought stuff they couldn't use (Score:2)
They never bought stuff that wasn't usable. That hasn't changed.
They now have more than enough for them to be able to own the devices, including after Apple fixes some of the flaws.
The mobile operating systems do have some distinct security advantages versus Windows, so they aren't widely exploited within a few minutes of being connected to the internet like Windows boxes are. When an exploit DOES start to become widely used, Apple and Google shut it down. The value, what this company buys, is exploits tha
Re: (Score:2)
"The value, what this company buys, is exploits that are not widely used because they are not widely known, and therefore probably won't be fixed real soon. Once an issue starts causing widespread infections it's no longer worth buying because Apple and Google will quench it pretty quickly."
How do you know this? Either you don't or you are violating some kind of NDA. I'm betting on the first one.
Re:They never bought stuff they couldn't use (Score:4, Insightful)
Or after 20 years I have half a clue how my industry works.
Besides what we call "common sense" - would YOU buy useless stuff? Do you think you would build a business based on buying and selling useless stuff? Really?
Re: They never bought stuff they couldn't use (Score:1)
Oh I don't know. That is just *how the current economy works*.
Two words: WeWork.
Though the vast majority of modern products are useless, as they differ from existing products either merely by selling illusions, or offering a convoluted stupid solution that only is more complicated and error-prone and costly because for some reason some tech has to be added that nobody needs.
Smartphone "thinspiration", removal of headphone jacks, removal of modularity and of compatibility (e.g. WhatsApp differs from other XMP
Re: (Score:2)
How do you know "your industry" is "their industry"? Also, if it's called "common sense", why have you bothered posting it and why are they so secretive about it? "Useless stuff"? Again, you're implying you know what they are "selling" when they don't claim to be "selling" what you say they are.
They state that they are in the intelligence business. You claim that they are in the business of "selling" exploits. Those are very different things, the latter of which could well be illegal.
Some notable posturing h
Re: (Score:2)
Or maybe they are currently inundated with vulnerabilities that don't work, or are pointless.
There are plenty of "security researchers" that love to submit bugs that are along the lines of "if you do this, you'll get root" but "to do this" you need root, so somewhere along the line, you already had root and you gave yourself root again.
Then there are plenty more along the lines of "I can spy on your computer's clipboard - I can record down what you copy and send it over the internet". Given that's the whole
Well, at least we have choices (Score:2, Troll)
So apparently our iPhones are blatantly hackable. And Android's app store is apparently about half malware, not to mention that The Google is openly predatory with respect to your private data and respects no boundaries.
Maybe we should just give in and go for Huawei's unique flavour of Android. The Chinese government is big enough and mean enough to ensure they'll be the only people sorting through your personal life, rather than a few major corporations plus whatever low-rent grifter feels like expending
Re: (Score:2)
or don't keep sensitive information on your phones.
Re: (Score:2)
or don't keep sensitive information on your phones.
You mean like not using your phone for anything except phone calls? That's blasphemy! How else are people supposed to check their bank accounts or pay without using cash or make plane reservations?
Re: (Score:2)
No that's not what I mean, and you've presented an intentional false choice.
Re: (Score:2)
No. Don't use it for phone calls also.
Re: (Score:2)
When you say "sensitive information", do you not believe contacts or your location or the people around you or any question you might ask online or websites you visit or who you call/text through your cell count?
Because all of that, and much more, is available to your service provider and whoever they choose to share it with.
Re: (Score:2)
Not in the context of your original post that I responded to, I don't. I am not concerned that people can use remote exploits to access my location data and contacts.
Also, you seem to be confused. Service providers have access to the kinds of information you list regardless of remote exploits so it's irrelevant to the conversation. Regarding my call/text records, hackers don't care and law enforcement has access to that anyway, smart phone or no, exploit or no.
You should focus on what this topic actually
Why does Apple not buy up and fix most exploits? (Score:5, Insightful)
Re: (Score:1)
Re: Why does Apple not buy up and fix most exploit (Score:2)
Uh, what?
I would assume Apple buys all of them it can. Why wouldn't they?
Re: Why does Apple not buy up and fix most exploit (Score:2)
That would be an admission that Apple is less than perfect. Apple does not do that until some kind of legal action is taken against them. Until then Apple relies on paid shills and the rest of their cult to downplay any kind of story like this
And so since you are obviously on Apple's Board of Directors, you will have no problem backing that statement of corporate policy with an official citation, right?
Re:Why does Apple not buy up and fix most exploits (Score:5, Informative)
Re: (Score:2)
Re: (Score:2)
They do, they have a bug bounty programme, but they don't pay enough. A really good iOS exploit is worth millions.
Also there is the risk of contacting Apple. It might sound odd that selling on the black market is safer but Apple want your details and a bank account to pay money in to, they don't send Bitcoins. People involved are worried about subsequently getting investigated to see what other nefarious stuff they have been up to.
You're looking at the problem wrong (Score:4, Interesting)
The problem is the exploits are costing them too much money, so they are trying to soften the market a bit.
Mostly these can be used to hack older, out of date phones; it would be great if they were for Android because most phones are out of date. iOS on the other hand, most phones are up to date. That's why the exploits cost them a pretty penny. They also don't last long. 3-4 months and they stop being valid.
So the TLAs will be happy creepy campers, right? (Score:1)
I presume, given that they will definitely use ALL the exploits to break the constitution and human rights whenever they possibly can.