It is no secret that hackers sell exploits to spy agencies, governments and companies. However, September 21, 2015, made history. On that day, the biggest exploit bounty was offered publicly, in the sum of $1 million. Hackers have an opportunity to become millionaires by finding and exploiting vulnerabilities in iPhones and iPads running iOS 9.
The bounty was offered by the exploit trader Zerodium, which stated that the exploit should be able to take over a device remotely via a web page the victim visits, a vulnerable app on the victim’s device, or a text message. The company is ready to pay the bounty multiple times, up to a maximum amount of $3 million.
In iOS, software downloads and updates are managed by the App Store, and because of this it should be hard to exploit Apple devices. However, after the discovery of XcodeGhost nothing seems impossible. According to Zerodium:
“Due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple’s iOS is currently the most secure mobile OS. But don’t be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here’s where the Million Dollar iOS 9 Bug Bounty comes into play.”
So why would Zerodium pay such a huge bounty for iOS 9?
- First of all, security requires money, but insecurity costs even more.
- According to Apple, iOS 9 adoption is the ‘fastest ever’, with 50 percent of devices upgraded in the first days.
- In 2012 an iOS exploit sold for $250,000, in 2013 for $500,000, and now it’s $1,000,000.
- Secret agencies LOVE similar exploits.
Zerodium has many ‘famous’ customers, including the NSA, NATO countries and NATO partners. According to the company’s website, their service is used by “major corporations in defense, technology, and finance, in need of advanced zero-day protection, as well as government organizations in need of specific and tailored cybersecurity capabilities.”
We can say for sure that exploit trading is the new, booming niche. Because the price of iOS exploits increases every year, it is clear that the business pays well and that more players will join the market in the future.