Over the last week, we learned more about a chain of malicious website exploits that targeted iPhone users for years. This evening, a new report from Vice dives deeper into the current state of the security industry, and how the number of iOS exploits continues to grow.
Zerodium, one of the many “vulnerability brokers” out there, announced a new pricing structure that values Android exploits higher than iOS exploits. Android exploits that allow “for the complete takeover” of devices without requiring that the user click on anything are now worth $2.5 million, whereas the same iPhone vulnerability is worth $2 million.
Meanwhile, Zerodium has also decreased the value of a 1-click iOS exploit from $1.5 million to $1 million.
Zerodium founder Chaouki Bekrar says this is due to the zero-day market being “flooded” with iOS exploits:
“The zero-day market is flooded by iOS exploits, mostly Safari and iMessage chains, mainly due to a lot of security researchers having turned their focus into full time iOS exploitation. They’ve absolutely destroyed iOS security and mitigations. There are so many iOS exploits that we’re starting to refuse some of them.”
Meanwhile, on the Android side of things, Bekrar says that “it’s very hard and time consuming to develop full Android exploit chains.” He added that until Apple “re-improves the security of iOS components such as Safari and iMessage,” Android exploits are more valuable.
Crowdfense is another company that buys zero-day exploits with a particular focus on selling them to governments. Crowdfense director Andrea Zapparoli Manzoni corroborated that there are now far more iOS exploits than Android, but with a caveat:
“There are more iOS chains on the market but not all of them are ‘intelligence-grade,’” he wrote in an email. “Many researchers are trying to get top payouts (like the ones we pay) but not all of them can deliver the ‘right stuff,’” he wrote, adding that this adds to the “noise” of the market.
In this instance, Android’s fragmentation is actually helpful, Zapparoli Manzoni said:
“Android is such a fragmented landscape that a ‘universal chain’ is almost impossible to find; much harder than on iOS which is a ‘monoculture.’”
Of course, the important thing to note here is that Crowdfense and Zerodium make up only one part of the exploit market, as Vice notes. That means they might not tell the whole story.
Furthermore, Apple itself recently doubled down on its own bug bounty program, announcing higher payouts and a new iOS Security Research Device program that will see it distribute pre-jailbroken iPhones to researchers. This signals a renewed focus on bounty programs from Apple, and could end up helping counteract what some exploit vendors are seeing.