Just a few days after Google revealed that sophisticated hackers—likely working for the Chinese government and who had access to a relatively large selection of iPhone attacks—had been hacking iPhones for years, a well-known broker of exploits said that the prices for iPhone exploits are not the most expensive in the market anymore.
On Tuesday, vulnerability broker Zerodium announced new prices for Android zero-days, which are bugs and exploits that are unknown to the companies that make the software or hardware, and coveted by sophisticated attackers such as law enforcement and intelligence agencies. Zerodium will pay $2.5 million to security researchers who provide exploits that allow for the complete takeover of Android phones without requiring the target to click on anything, while the same type of exploits for iOS are still worth $2 million.
“The zero-day market is flooded by iOS exploits, mostly Safari and iMessage chains, mainly due [to] a lot of security researchers having turned their focus into full time iOS exploitation," Chaouki Bekrar, the founder of Zerodium, said in an online chat. "They’ve absolutely destroyed iOS security and mitigations. There are so many iOS exploits that we’re starting to refuse some of them.”
Andrea Zapparoli Manzoni, director of Crowdfense, a company that buys zero-day exploits and sells them to governments, also said that there are more iOS exploit chains on the market, but with a caveat.
"There are more iOS chains on the market but not all of them are 'intelligence-grade,'" he wrote in an email. "Many researchers are trying to get top payouts (like the ones we pay) but not all of them can deliver the 'right stuff,'" he wrote, adding that this adds to the "noise" of the market.
The prices for iPhone exploit chains are still high and the chains themselves are relatively rare, though. As mentioned, a zero-click iOS exploit, meaning an exploit that can hack a phone without interaction from the user, will pay $2 million. Zerodium decreased the payout for a 1-click iOS chain, meaning an exploit that requires the user to click on a link, down from $1,500,000 to $1 million.
Do you work at a company selling these sorts of exploits? Do you work at Apple? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com.
Google did not immediately respond to a request for comment. Apple declined to speak on the record about the price changes.
When it comes to Android, Bekrar said, “The security of Android is however improving with every new OS release. It’s very hard and time consuming to develop full Android exploit chains and it’s even harder for zero-click vectors (not requiring any user interaction)."
"We believe that the time has come to pay the highest bug bounty for Android exploits until Apple re-improves the security of iOS components such as Safari and iMessage," he added.
Zapparoli Manzoni said, "Android is such a fragmented landscape that a 'universal chain' is almost impossible to find; much harder than on iOS which is a 'monoculture.'" This means that if a team of researchers find a working exploit chain for iOS it will most likely work on all iPhones running that particular version of iOS. But with Android, there are so many different versions of the operating system, that an exploit chain on one may not necessarily work on another.
Zapparoli Manzoni said that the Chrome browser continues to be a hard target to hack, and that some "VIPs" are increasingly using Android products rather than Apple, making a good Android exploit chain "immediately more valuable."
It's important to bear in mind that Zerodium and Crowdfense only make up a particular slice of the exploit market. Some companies are more closed-off in their business, only dealing with clients from a limited list of countries, such as the Five Eyes alliance of the U.S., U.K., Canada, Australia, and New Zealand. Other countries, such as China, sometimes exert heavy control over exploit developers within their own borders. This may impact what exploits each company has visibility into, and with what frequency.
Subscribe to our new cybersecurity podcast, CYBER.