Considering that Zerodium is a zero-day vendor (this is continuation of Vupen) the payout for the bounty will probably would bring them ten fold than what they've paid out.
This type of practice has to be regulated just like the arm trade is there shouldn't be any reason for a US company to be paying out god knows who how much money and then selling it to who ever they want considering that for all intents and purposed those zero-days would likely to be used against US targets.
On HN front page is an article about the feds wanting access to an iPhone 5. FBI, NSA, CIA... They'll buy and probably make sure such holes aren't fixed for a long time
So you want security researchers to have to get the equivalent of Federal Firearms License? I see no reason to relive the Crypto Wars again. Anyway I thought Vupen was a French company?
I'm pretty skeptical as well. Can't say I know a lot about going rates for 0days like these, but something tells me 1M isn't even that much. If this "anonymous hacker collective" doesn't mind selling to the highest bidder, why not take it to the market themselves?
1) trust problems between the seller and the buyer. either the seller needs to trust that the buyer will deliver a working exploit or the seller will give the chance for the buyer to evaluate and the seller then needs to trust that the buyer won't steal the vulnerability.
2) issues of access. sellers don't know how to get in touch with buyers.
Also, some buyers may want to purchase an exploit library instead of negotiating for each sale and middleman can offer value here.
Also it is possible zerodium offered over the market value (or over what the usually pay) in this situation in order to generate publicity. Other companies that buy vulnerabilities have offered larger one off bounties in the past.
the company that payd $1m for the exploit can make multiple sales of the same exploit to various governments and agencies. The hacker collective either dont have the connections or dont want to deal with the NSA, US Govt, GCHQ et al.
Would you want to end up on their list of interesting people?
Better to have all 0day trading above board than below I think. The genie is out of the bottle, it's senseless to outlaw this kind of behaviour since the people and the skills are already out there.
Even AnglerEK uses 0days sometimes, we'd only be increasing the underground economy if these practices were to be outlawed completely. The only way to go is for companies to offer higher bug-bounty payouts than their offensive competitors. Which is a reasonable thing to do if you look at the damages caused by malware campaigns powered by 0days.
until recently the market for these exploits was for jailbreaking. Apple didnt need to pay for the exploit, just wait until it was released and then patch it. Buying the exploit does nothing for them and actually allowing jailbreaks means more people buy iPhones (because they can jailbreak) then they have to decide whether they want new features or jailbreak features. Either way the are in Apple's ecosystem and have paid apple some money.
These days the exploits are wanted by companies like Hacking Team or agencies like NSA, I dont see there being too many more free jailbreak exploits being released as a result.
edit: Also if Apple doubled their bug bounty they would be paying 2 * $0.00
This isn't your run of the mill jailbreak, this is a proven remote jailbreak that can be automatically triggered by either visiting a website, receiving an SMS or by triggering any of the built in application "magnet links" to qualify for the bounty the exploit most also be interaction free so no interaction other than opening an SMS or clicking on a link is required. So effectively this is a remote code execution exploit that allows you to remotely bypass any restrictions and protections provided by the IOS OS and take full control over the device.
You'll probably still see local jailbreaks, that require you to connect the IOS device to a computer and launch the exploits from there manually, Pangu has updated their jailbreak to support IOS 9.0.X already.
15 comments
[ 2.9 ms ] story [ 27.2 ms ] threadResearchers not really, companies that out right sell malware and zero days need to be regulated.
Reputable hacking team taking credit perhaps?
Smart PR though. "Watch me do a magic trick behind this sheet."
https://twitter.com/i0n1c/status/658751231154913280
1) trust problems between the seller and the buyer. either the seller needs to trust that the buyer will deliver a working exploit or the seller will give the chance for the buyer to evaluate and the seller then needs to trust that the buyer won't steal the vulnerability.
2) issues of access. sellers don't know how to get in touch with buyers.
Also, some buyers may want to purchase an exploit library instead of negotiating for each sale and middleman can offer value here.
Also it is possible zerodium offered over the market value (or over what the usually pay) in this situation in order to generate publicity. Other companies that buy vulnerabilities have offered larger one off bounties in the past.
Would you want to end up on their list of interesting people?
Even AnglerEK uses 0days sometimes, we'd only be increasing the underground economy if these practices were to be outlawed completely. The only way to go is for companies to offer higher bug-bounty payouts than their offensive competitors. Which is a reasonable thing to do if you look at the damages caused by malware campaigns powered by 0days.
These days the exploits are wanted by companies like Hacking Team or agencies like NSA, I dont see there being too many more free jailbreak exploits being released as a result.
edit: Also if Apple doubled their bug bounty they would be paying 2 * $0.00
You'll probably still see local jailbreaks, that require you to connect the IOS device to a computer and launch the exploits from there manually, Pangu has updated their jailbreak to support IOS 9.0.X already.