MobileNews

Report: Exploit market ‘flooded’ with iOS vulnerabilities, driving down their value

Over the last week, we learned more about a chain of malicious website exploits that targeted iPhone users for years. This evening, a new report from dives deeper into the current state of the security industry, and how the number of iOS exploits continues to grow.

Zerodium, one of the many “vulnerability brokers” out there, announced a new pricing structure that values Android exploits higher than iOS exploits. Android exploits that allow “for the complete takeover” of devices without requiring that the user click on anything are now worth $2.5 million, whereas the same iPhone vulnerability is worth $2 million.

Meanwhile, Zerodium has also decreased the value of a 1-click iOS exploit from $1.5 million to $1 million.

Zerodium founder Chaouki Bekrar says this is due to the zero-day market being “flooded” with iOS exploits:

“The zero-day market is flooded by iOS exploits, mostly Safari and iMessage chains, mainly due to a lot of security researchers having turned their focus into full time iOS exploitation. They’ve absolutely destroyed iOS security and mitigations. There are so many iOS exploits that we’re starting to refuse some of them.”

Meanwhile, on the Android side of things, Bekar says that “it’s very hard and time consuming to develop full Android exploit chains.” He added that until Apple “re-improves the security of iOS components such as Safari and iMessage,” Android exploits are more valuable.

Crowdfense is another company that buys zero-day exploits with a particular focus on selling them to governments. Crowdfense director Andrea Zapparoli Manzoni corroborated that there are now far more iOS exploits than Android, but with a caveat:

“There are more iOS chains on the market but not all of them are ‘intelligence-grade,’” he wrote in an email. “Many researchers are trying to get top payouts (like the ones we pay) but not all of them can deliver the ‘right stuff,’” he wrote, adding that this adds to the “noise” of the market.

In this instance, Android’s fragmentation is actually helpful, Zapparoli Manzoni said:

“Android is such a fragmented landscape that a ‘universal chain’ is almost impossible to find; much harder than on iOS which is a ‘monoculture.’”

Of course, the important thing to note here is that Crowdfense and Zerodium make up only one part of the exploit market, as notes. That means they might not tell the whole story.

Furthermore, Apple itself recently doubled down on its own bug bounty program, announcing higher payouts and a new iOS Security Research Device program that will see it distribute pre-jailbroken iPhones to researchers. This signals a renewed focus on bounty programs from Apple, and could end up helping counteract what some exploit vendors are seeing.

Check out the latest Apple iPhones at great prices from Gizmofashion – our recommended retail partner.


Author:
Source: 9TO5Mac


Related posts
AI & RoboticsNews

Mike Verdu of Netflix Games leads new generative AI initiative

AI & RoboticsNews

Google just gave its AI access to Search, hours before OpenAI launched ChatGPT Search

AI & RoboticsNews

Runway goes 3D with new AI video camera controls for Gen-3 Alpha Turbo

DefenseNews

Why the Defense Department needs a chief economist

Sign up for our Newsletter and
stay informed!