The market for
unpatched vulnerabilities has grown so much that an exploit reseller is willing
to pay $1 million dollars for an attack that can compromise iOS 9 devices.
How to build a mobile
app on Azure Deep Dive promo
Among the major clouds
offering mobile back ends as a service, InfoWorld judged Microsoft’s to be the
Zerodium, an exploit
acquisition company, promises to pay $1 million to researchers who can provide
it with an "exclusive, browser-based, and untethered jailbreak for the
latest Apple iOS 9 operating system and devices."
In the context of iOS
devices, jailbreaking refers to bypassing the security restrictions enforced by
the mobile operating system in order to install applications that haven't been
authorized by Apple and are not distributed through the official app store.
The process involves
chaining together exploits for different vulnerabilities in the OS and its
components in order to gain the highest possible privilege on the system --
root access.
The only difference
between jailbreaks and malicious attacks is their payload -- the code that gets
executed on the system. Traditional jailbreaks usually deploy an alternative
app store, but in the hands of hackers or government agencies, the same
exploits can be used to install stealthy Trojans or surveillance software.
"Eligible
submissions must include a full chain of unknown, unpublished, and unreported
vulnerabilities/exploits (aka zero-days) which are combined to bypass all iOS 9
exploit mitigations including: ASLR, sandboxes, rootless, code signing, and
bootchain," Zerodium said on its iOS 9 Bug Bounty page.
The company is only
interested in exploits that are reliable, silent and don't require any user
interaction except from visiting a Web page or reading a text or MMS message.
Such jailbreaks have
existed before. For example, the JailbreakMe.com website that ran between 2007
and 2011 allowed iPhone users to intentionally jailbreak their devices by
simply pressing a button. The button was added to get user consent, but was not
technically necessary.
However, Apple's mobile
operating system has come a long way since then. Even the Zerodium researchers
acknowledge that, while not unbreakable, iOS "is currently the most secure
mobile OS."
Zerodium was set up
earlier this year by Chaouki Bekrar, the founder of now defunct French
cybersecurity firm Vupen Security that was known for creating and selling
exploits to governments. Its goal seems to be similar to that of Vupen, but
instead of creating its own exploits, it acquires them from third-party
researchers.
"Zerodium
extensively analyzes and documents all acquired vulnerability research and
provides it, along with protective measures and security recommendations, to
its clients as part of the Zerodium Security Research Feed (Z-SRF)," the
company says on its website.
While its customers
supposedly include major corporations from the defense, technology and finance
industries who are in need of "advanced zero-day protection," the
company also shares the information with "government organizations in need
of specific and tailored cybersecurity capabilities."
Zerodium makes it clear
that it wants "exclusive" iOS 9 exploits, meaning that once they sell
the exploits to the company, researchers are not allowed to share them with
anyone else, including Apple.
The company probably
plans to sell the acquired iOS 9 exploits to multiple governments, said Robert
Graham, the CEO of cybersecurity firm Errata Security, in a blog post Monday.
Graham believes that
such an iOS 9 exploit chain that needs to take advantage of multiple
vulnerabilities in order to achieve its goal would normally be worth around
$300,000.
"If they can sell
it to four different countries for $300,000, they'll make a profit," he
said. "On the other hand, some countries will pay more for exclusive
access to a bug -- paying for the privilege of cyber-superiority."
According to Graham,
other companies or researchers who are in the business of selling zero-day
exploits likely already have working attacks for iOS 9. That's because prior to
its official launch recently, the OS was available for developers as a beta
version, so there was enough time to find exploitable bugs in it.
The offer of $1
million, however, could provide enough incentive for some people working on
public jailbreaks for the iOS community, to sell them instead.
By Lucian
Constantin
IDG News Service
No comments:
Post a Comment