Zerodium raises remuneration for remote jailbreak for iOS

    While Apple hosted a private event for a narrow circle of security resellers of its products (the recently announced bug bounty program), Zerodium announced an increase in the rewards it pays for discovered vulnerabilities. In particular, the reward for a remote jailbreak device running iOS 10 has grown to $ 1.5M. Recall that the 10 iOS on the iPhone 7 already been compromised by a 19-year security-resercherom also invited to the closed Apple event.


    We have repeatedly mentioned in our posts on the corporate blog the founder of the company Zerodium Chaouki Bekrar, who is known for his scandalous remarks about Apple and Google due to insufficient payments of remuneration to security researchers. In one of his tweets, Bekrar confirmed that Zerodium had nothing to do with the Trident exploits that we wrote about earlier. A bunch of these exploits allowed remote jailbreak iOS 9 and was priced by Zerodium at $ 1M.


    Fig. New prices of Zerodium.

    The concept of remote jailbreak iOS, which Zerodium mentions, is the most technically sophisticated method of compromising this mobile OS. It means remote code execution in iOS with maximum root privileges, which, in some cases, can lead to a complete reflashing of the device to return it to its original state. In this process, several vulnerabilities in various iOS components should be involved at once: the WebKit web browser engine and in the kernel itself. A classic case of remote jailbreak is the recently discovered Trident exploit bundle. It used three types of vulnerabilities: RCE vulnerability in the WebKit engine, SFB vulnerability in the kernel to bypass KASLR, and LPE vulnerability in the kernel to elevate its privileges to root level.


    Fig. Apple's bug bounty pricing.

    As you can see, the main technical difference between the bug bounty programs of Apple and Zerodium is that the latter are interested in exploits for vulnerabilities that have a more practical purpose. That is, we are talking about remote code execution, which may be of interest to Zerodium customers with whom it works. It is not necessary to be a great specialist in noticing what is actually being discussed in the case of Zerodium, RCE + LPE exploits (i.e., bypassing sandbox) are used in cyber attacks, including intelligence services.

    Unlike Apple, Google, Microsoft, and other vendors with bug bounty programs, Zerodium does not burden itself with ethical issues. Clients of the company can also be special services that use advanced exploits for cyber attacks in the interests of their state. Similar exploits have been used more than once by such elite state-sponsored groups as the Equation Group (FiveEyes, Tilded Team) and Animal Farm (Snowglobe).


    Fig. Stages of the exploit submission and deciding on the amount of payment in the case of Zerodium.

    Bekrar also tweeted that the bug bounty of the vendors is characterized by a “protracted” decision-making process for sending a demonstration of exploitation of the vulnerability. In contrast, Zerodium offers only a seven-day period from the exploit submission to the payment of the reward.

    The head of Zerodium himself previously had a relationship with the well-known security company VUPEN, which was developing its own exploits and finding vulnerabilities for selling this information to its customers. After the adoption of the Wassenaar Agreements and the imposition of restrictions on the trade in exploits, as well as dual-use technologies in other countries, VUPEN was terminated. After that, Bekrar founded Zerodium (USA), which also recruits security-managers in R&D.

    Note that suspicions of Zerodium or VUPEN about the sale of exploits to special services that may be involved in state-sponsored cyber attacks are not fictitious . In particular, among the customers of VUPEN there was also the NSA, which was related to the Equation Group. VUPEN collaboratedand with the Hacking Team, a massive compromise of which occurred last year. Hacking Team worked with state. authorities and private companies around the world, selling them information about exploits.

    Also popular now: