A $1 million reward has been announced for information on hacking WhatsApp and iMessage


    Quite a few companies around the world work in information security, but in the opposite direction. These organizations buy information about methods of hacking services and applications, both well-known and lesser-known, and they also buy exploits.

    One such organization, Zerodium, has announced a reward of $1 million for working tools for hacking WhatsApp and iMessage. The same amount will be paid to those who provide exploits that allow access to the SMS/MMS applications of mobile operating systems.

    And all of this is entirely legal. The organization works in the interests of government agencies around the world. “Messaging applications, including WhatsApp, sometimes work as a communication channel for intruders, and encryption makes it difficult for security forces to get the necessary data,” said Zerodium founder Chaouki Bekrar. He believes that the ability to gain remote access to applications of this kind helps the security services work more efficiently.

    It is worth noting that compromising attackers' iPhones could cost the state $2 million or even more.

    Such a high price indicates that devices really are becoming better protected. They are harder to crack even for highly skilled professionals, and this applies to both iOS and Android. Life is getting harder for the security services, because even if a phone falls into the hands of the police or an intelligence agency, it is not always possible to extract information from it.

    Until today, Zerodium was ready to pay half a million US dollars for hacking WhatsApp and iMessage. Now the price has gone up; apparently, government intelligence agencies are willing to pay more for "solving the issue".

    $1 million is not the limit. Governments are willing to pay more; it all depends on the urgency of the task and the scale of the work involved. Naturally, no one will share the information with the companies that develop the instant messengers in question. That is not the point. Vulnerabilities are bought so that the buyers can use them themselves, and the fact that a hack is possible is kept secret.

    With rewards this large, hacking instant messengers can now be taken on by entire teams of specialists rather than by individuals, as before. The head of the Zerodium startup says that the “zero-day industry” now has more “goods” on offer than ever before. "You cannot even imagine what is being developed and sold in this market," says Bekrar.

    It should be noted that Zerodium's rewards are significantly higher than the “prizes” of many organizations' bounty programs. As a result, researchers who find a vulnerability are in no hurry to share their discovery with the developers of the affected software. This leads to odd situations. For example, Apple launched a vulnerability rewards program back in 2016, but it is still unclear whether anyone has received a reward. In 2017, there were no such people.

    And who would want to share such data when Zerodium pays $2 million for a remote iOS jailbreak? That is 10 times more than Apple offers: under its bounty program the corporation pays no more than $200 thousand, and the payment may not happen at all if the specialists in Cupertino do not like something. Just a few months ago, Zerodium was ready to pay $500 thousand less than it does now; apparently, demand from the startup's clients is growing. And it is not only iOS vulnerabilities that are "becoming more expensive". For a Chrome RCE + LPE exploit, the payout is $500,000. That is less than for iOS hacking tools, but the amount is still very significant.

    Previously, the startup's clients included government units such as Equation Group (FiveEyes, Tilded Team) and Animal Farm (Snowglobe). The company is approached by information security specialists who want to earn more than the vendors of the hacked products would pay, and who do not want to wait several months (the review of hacking reports at Apple, Facebook, Microsoft, etc. is a long process). At Zerodium, the money is paid out within a week after the review of the data on the tool submitted by the hacker begins.

