Zerodium, a zero-day vulnerability company that specializes in buying and selling exploits, announced that it will offer a record-breaking $1 million for a full iOS 9 browser-based exploit delivered to it by October 31. The company will be able to offer up to three such prizes for a total of $3 million.
Zerodium was created by Chaouki Bekrar, the founder of VUPEN, a company akin to the Hacking Team, which created its own exploits and then sold them to the highest bidder (even if that was a country that often uses such exploits to violate human rights).
After the Hacking Team hack and all the media and political attention that came with it, the founder of VUPEN decided to focus on only buying and selling premium exploits instead of developing them.
His new firm, Zerodium, now wants to focus on getting unique iOS 9 exploits and is willing to pay $1 million for up to three such exploits. The amount is 10 times more than what the company usually pays for a mobile vulnerability.
The reason Zerodium is willing to pay this much is in part because it must have also realized it would garner much attention from zero-day vulnerability developers, but also in part because iOS 9 comes with many security enhancements and patches, which make it much harder to exploit.
The company had the following to say about its motives for the new exploit prize:
“Apple iOS, like all operating systems, is often affected by critical security vulnerabilities, however due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple's iOS is currently the most secure mobile OS. But don't be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here's where the Million Dollar iOS 9 Bug Bounty comes into play."
Zerodium wanted an exploit that can beat the iOS 9 zero-day mitigations such as ASLR, sandboxes, rootless, code signing and bootchain. It also wants it to work on the latest version of iOS 9 at the time of delivery, and it should be able to allow installation of an arbitrary app such as Cydia.
The company also required that the exploit worked silently, without any interaction from the user other than loading a web page in Safari or Chrome, or receiving a media file in an SMS or MMS.
The announcement should get malware developers' attention, but also that of the media and governments, which are already working on an arrangement to increase the limitations they put on those who work with security vulnerabilities (which can also lead to negative consequences).
If Zerodium is willing to pay up to $3 million for three zero-day iOS 9 exploits, that could also mean that it already has one or multiple buyers that are willing to pay them back even more for these exploits. The likely candidates could be either other governments or criminal organizations.
The NSA, for instance, is known for buying such exploits regularly, and was even willing to pay "billions" for something that could break into Skype's former ultra-secure P2P architecture a few years ago. Of course, since then, Microsoft has already completely replaced Skype's P2P architecture with one that is more centralized and more mobile-friendly, but also more wiretap-friendly.
Now that Zerodium has made this announcement, it could also make Apple's security engineers even more vigilant about the security architecture of iOS, and they may work even harder to fix whatever flaws it may have left in it. The data of hundreds of millions of iOS 9 users could be at risk.