Exploit broker's iOS 9 prize puts all of us at risk

Researchers deserve to get paid well for finding serious vulnerabilities, but it shouldn't be at the expense of overall software security

How much is an iOS bug worth? Vulnerability broker Zerodium is willing to pay up to $1 million for a working exploit -- but that payout will come at the expense of everyone else’s security.

Zerodium launched a month-long bounty program looking for “an exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices.” To qualify for the $1 million prize, researchers must put together a working submission -- including a chain of unknown, unpublished, and unreported vulnerabilities and exploits that is able to bypass the numerous mitigations native to iOS 9, such as ASLR, code signing, and bootchain -- before Oct. 31.

The company has set aside $3 million, leaving open the possibility of multiple payouts to researchers with qualifying methods.

“The whole exploitation/jailbreak process should be achievable remotely, reliably, silently, and without requiring any user interaction except visiting a Web page or reading a SMS/MMS,” Zerodium said in its announcement.

Zerodium is one of several companies operating in this gray market of finding bugs or buying them from researchers, then selling them to other interested parties. The customer list could include other companies, but typically runs to government agencies, both domestic and abroad. The software company whose product is being exploited -- Apple in this case -- will not be notified of the flaw, so customers can use the exploit for their own purposes for as long as the vulnerability remains unpatched.

While a windfall for researchers, $1 million may not be that high for Zerodium to pay for an iOS 9 exploit. The bounty amount is on par with existing prices. An iOS exploit was worth $250,000 to $500,000 only a few years ago, according to Jonathan Cran, vice president of operations at Bugcrowd. The fact that a full exploit is worth more today indicates that Apple has been successful in its attempts to harden iOS. Even if Zerodium sells the resulting exploit for a mere $300,000, it needs to find only four customers to make a profit.

“My guess is Zerodium already has customers lined up willing to pay considerably more than the bounty for these exploits,” said Ken Westin, a security analyst for Tripwire.

Zero-days for spying

Chaouki Bekrar, the founder of French company VUPEN, launched Zerodium in July. Whereas VUPEN developed exploits based on its own research and development efforts, Zerodium pays a premium to acquire high-end research and exploits for critical vulnerabilities. The size of the bounty offered is an indicator of the quality of submissions Zerodium expects to receive.

High-end vulnerabilities and exploits are in high demand. Intelligence agencies, law enforcement organizations, and other government agencies worldwide rely on a stockpile of zero-day vulnerabilities to develop offensive security capabilities. Exploits for undisclosed vulnerabilities have been used in law-enforcement investigations and surveillance activities. For example, the National Security Agency purchased zero-day vulnerabilities and exploits from VUPEN for use in its operations.

The biggest problem with the business of buying and selling zero-days: There is no way to control who winds up with the exploits. Even if the exploit broker claims to sell only to democratic governments (as VUPEN does), once an item is sold, nothing is stopping the customer from passing on the exploit to another party.

Italian company Hacking Team, another player in this marketplace, previously denied selling to dictatorships and other repressive regimes. After Hacking Team was breached, leaked documents showed the company had sold to the governments of Sudan, Egypt, and Ethiopia, all regimes under European Union sanctions.

“Zerodium is able to run a million-dollar bounty not because they want to fix security issues in iOS, but because they will sell them to the highest bidder, typically a government or nation state,” Cran said. “The ethics of this are questionable.”

Selling our security

Zerodium’s program, while calling itself a bounty program, goes counter to the vendor-run bug bounties administered by companies such as Google, Facebook, Microsoft, and Mozilla, Cran said. Researchers submit flaws to vendor-run bug bounties to identify and fix vulnerabilities in software. “This one doesn’t make the consumer any safer,” Cran said.

In this case, if Zerodium actually gets a working iOS 9 exploit, Apple will remain in the dark about the zero-day flaws or how the exploit triggers the bug. Until someone else notifies Apple, Zerodium’s customers will be free to exploit iOS devices without anyone knowing. Remaining silent about the vulnerability and exploit is in fact a requirement of the winning submission.