According to Motherboard, some unspecified (software) hacker just won a $1 million bounty for an iPhone exploit. But this is no ordinary there’s-a-glitch-in-your-JavaScript bug bounty.
On September 21, “premium” 0day startup Zerodium put out a call for a chain of exploits, starting in the browser, that lets the phone be remotely jailbroken and arbitrary applications installed with root permissions. In short, a complete remote takeover of the phone, untethered and without user interaction beyond visiting a web page. And they offered $1 million. A little over a month later, it looks like they have their first claim. The hack has yet to be verified, and the payout has not yet been made.
But we have little doubt that the hack, if it’s actually been done, is worth the money. The NSA alone has a $25 million annual budget for buying 0days and usually spends that money on much smaller bits and bobs. This hack, if it works, is huge. And the NSA isn’t the only agency that’s interested in spying on folks with iPhones.
Indeed, by bringing something like this out into the open, Zerodium is creating a bidding war among (presumably) adversarial parties. We’re not sure about the ethics of all this (OK, it’s downright shady) but it’s not currently illegal and by pitting various spy agencies (presumably) against each other, they’re almost sure to get their $1 million back with some cream on top.
We’ve seen a lot of bug bounty programs out there. Tossing “firmname bug bounty” into a search engine of your choice will probably come up with a hit for most firm names. A notable exception in Silicon Valley? Apple. They let you do their debugging work for free. How long this will last is anyone’s guess, but if this Zerodium deal ends up being for real, it looks like they’re severely underpaying.
And if you’re working on your own iPhone remote exploits, don’t be discouraged. Zerodium still claims to have money for two more $1 million payouts. (And with that your humble author shrugs his shoulders and turns the soldering iron back on.)
There’s nothing questionable about the ethics here IMO, it’s unethical as all hell.
Same kind of ethical as a well entrenched company leaving open well known security holes and doing nothing about it?
I’m just checking.
Worse? Here the security holes aren’t well known at all, so third parties would have a harder time mitigating the problem
So the same as a well entrenched company leaving open security holes and cutting out middlemen like that 0day startup while selling to the NSA et al?
Well, If the exploits eventually get to apple and get fixed, then that could benefit everyone. That’s the real moral question, who gets information on the exploits?
Except Apple does not _bother_ to spend the money to find the bugs. And yet people put them on a moral high-ground. It’s basically like seeing someone drowning, and instead of jumping in and rescuing them yourself, you just sit and watch until someone else does.
They do spend money to find and fix bugs. It just so happens they spend that money on employees to do the job. And no, it is not at all like watching someone drown.
No, it’s an almost perfect analogy. Just without the people, and the drowning.
What most online commenters think of corporate behavior is contingent on which company you’re talking about. There’s not much point debunking ridiculous fanboy claims on the internet, because the other guy isn’t listening.
That’s all good in theory, but in practice, iPhones are losing their reputation for “products that just work” even amongst the general public. If the employees can’t release an operating system that doesn’t have bugs the general public pick up on, what hope do they have of closing security flaws?
Imagine Apple has a $1,000 bug-finding budget (just an example). They could spend that on their own guys, who may or may not find anything important, or they could use that $1,000 as a bounty and have many people searching for free until something is found, then pay out when something can be fixed. Apple is rich, I mean super rich; they have huge resources to find and fix bugs themselves and pay out a bounty. If they choose not to pay out, people will find another way to make money that could endanger Apple users.
@M: The analogy would only be true if Apple is doing nothing about bugs they know about. However, if they didn’t do anything about bugs they were aware of then they wouldn’t be in business for very long.
on a side note:
I notice a trend in the comments of people believing that Apple should offer up lots of money for a bounty so people aren’t tempted to do something morally wrong or “gray” with the information. Yes, let’s pay people to do the right thing… No one sees the issue with this?
jack laidlaw, this is a really poor way to do security. You are encouraging thousands of people to poke holes in your code, but you can only give them $1,000. So what would a hacker, who is PURELY motivated by financials at this point, do when they find a really nasty bug? Settle for Apple’s $1,000? Or sell it for a LOT more to someone else (and yes, government pockets would be much deeper than Apple’s)?
Essentially, you encourage a bunch of morally gray people to start hacking your stuff just for the money, then hope that they don’t screw you with it. It’s a bad idea. Apple has hired at least one or two of the old jailbreakers, which is a MUCH better investment. Spend your money on the talent. You sit here and act like they aren’t catching bugs inside Apple all the time. Just because you don’t hear about it doesn’t mean they are not effective. I can recall (I don’t jailbreak anymore so I don’t follow it anymore) that before big releases the JB community would have multiple exploits of Apple’s beta software, only to be foiled when the final was released. Clearly Apple is not sitting idle.
Sorry, I should have made clear the $1,000 figure was an example to simplify what I was saying; I really don’t think $1,000 is anywhere near enough. I was pretending that was their “bug fixing budget” for employees or bug bounty hunters. Apple has loads of cash, and if I was them I wouldn’t put all my eggs in one basket, so to speak. Apple needs their own bug hunters, that much is for sure. I was just trying to say they should not discourage outsiders from hunting as well by not offering $$$. Personally I think Apple should be awarding at least $100,000 for a medium threat to $1,000,000 for really bad 0days.
If you really think that nobody’s going to bother hacking Apple products (or any other) if there’s no bug bounty, you’re hopelessly naive.
People are going to try to hack any and every computer system out there. What these companies need to do is make it more profitable for the hackers to sell their exploit to the company than to sell it on the black market. Not having a bounty program is just going to make the hackers sell on the black market.
Anyone who has worked in intelligence will tell you that $1 million is cheap for a procurement effort like this. If the NSA is going to use our tax dollars to spy on people I’d much rather they bought zerodays on the open market than paid contractors like Booz and Mandiant tens of millions to find nothing. Sadly the public outrage if a US agency ever ran a program like this would probably be too much.
There are already plenty of good people working on things like this. It’s not often an exploit is discovered by the public before it has been used for espionage.
As much as all the recent hype has put a bad spin on spying, the spying has done more to benefit than it has to harm. It’s more the subterfuge that has been the short term problem.
In the hands of greedy criminals exploits like this can be very dangerous indeed but worse still if they become a tool for someone with a long term plan.
Let’s hope those on the cutting edge of it all know what they’re doing.
Large gaping holes may be very good for law enforcement, who can walk right in everywhere; guess what, so can criminals.
Zero days should be fixed. If law enforcement needs access, they should go to a court with oversight and then to the company and use legal intercept.
>>As much as all the recent hype has put a bad spin on spying, the spying has done more to benefit than it has to harm.
Even the ones doing the spying don’t make that claim. Out of the billions of dollars spent, they’ve -maybe- disrupted 1-2 plots. http://www.washingtonsblog.com/2013/10/nsa-spying-did-not-result-in-one-stopped-terrorist-plot-and-the-government-actually-did-spy-on-the-bad-guys-before-911.html
0-days have resulted in data breaches at multi-billion dollar companies, many of them defense contractors. The data is stolen as part of corporate espionage, but to say that these breaches are just the price of safety is ludicrous when safety isn’t even being increased by these programs. Stockpiling 0-days hurts national security and the economy in the long run. Not to mention it pisses off allies when you get caught tapping their phone systems (e.g. Germany).
We shouldn’t waste money on ineffective and damaging programs.
Spying isn’t about stopping terrorism, it’s about oppression. The government wants to spy on citizens to use the information gathered for political smears, blackmail and stealing state and corporate secrets. Fascism is here; government is made up of people with business interests, not people interests.
Just splitting hairs a little bit. The US is technically not a fascist state. It is an oligarchy.
The thing is, announcing this hack really lowers its value. Silent secret exploits are 900X more valuable than an undisclosed but announced one. “I CAN HACK THIS” instantly puts a lot of people on it to discover what it was, and when Apple finds it they will close it.
Unannounced can go years and years before it’s closed.
Hardly the case. Obviously Zerodium aren’t about to make anything whatsoever about the sploit (if real) public, nor will the eventual purchaser, because _obviously_ that destroys its value, as Apple will patch it. The only info released so far has been:
a) There is a large cash bounty available to anyone who can do it.
b) Someone has submitted something; no ack that it works, and there likely won’t be.
So… why did Zerodium even say they’d got a submission? Because right now they actively want the publicity so they can get more entrants in future. It’s not like the market for 0-days will go away any time soon.
I would agree with Timothy here. A little social engineering about the hacker would give you a LOT of insight as to what his attack vector was. He likely is not an expert in everything, so knowing what he is good at (his resume) will give you a very solid place to look. Any info about the existence of a hack is a clue.
Be the Mongolians to their Great Wall! SMASH IT TO THE GROUND!
Interesting analogy… I always thought they just went through or around it.
What’s stopping whoever found this exploit from offering it to the NSA for a lot more?
A contract
What’s stopping whoever found this exploit from offering it to the NSA for a lot more?
Here’s what you should do:
1. Sell it to both parties.
2. Wait a while, then show Apple the hole/glitch.
3. Tell both parties they shouldn’t be greedy.
4. Keep the money.
5. Both companies take you to court.
6. The judge agrees with both companies and insists you bend over
7. You leave court feeling dirty, ashamed, and penniless.
5) Realize you just angered two very rich powerful groups of people and let the world know you can’t be trusted to do business.
6) Change name and live happily on an island somewhere?
“The NSA alone has a $25 million annual budget for buying 0days…”
Can you cite a credible source for this statement?