A security breach merchant is sounding the alarm: those that victimize Apple systems, iOS in particular, are so numerous that they lose their value.
When an IT security breach is exposed, it is usually already plugged. Security researchers test devices and systems year-round and, when they discover a security defect, discreetly alert manufacturers and publishers so that they can correct it. The latter, which have dedicated funding procedures (programs of the type bug bounty), then pay more or less generously these experts who help them keep their creations as impervious to attack as possible.
Of course, sometimes things don’t happen that way. And without reaction from the companies concerned, security researchers end up from time to time placing them before the fait accompli, pointing the spotlight on important security holes always open and inviting somewhere the pirates to rush into it .
In short, we describe there very succinctly the classic operation of the discovery of security vulnerabilities in the tech industry. In reality, things have become a little more complex. Faced with the immensity of the task facing the security researchers, as well as the problems of funding their work, a “fault market” has been created. Here, “wholesalers” buy loopholes from experts before trying to get paid from manufacturers, developers of software and other operating systems, or even publishers of antivirus solutions.
A disturbance in the fault
This preamble – a bit long, sorry – helps to better understand the position expressed by the platform Zerodium, one of these intermediaries, which made an announcement very detrimental to the image of Apple products.
This company specializing in the trade of security vulnerabilities announced on Twitter the suspension of its purchases of vulnerabilities related to Apple products. Evoking too many offers, she will thus refuse “For a period of two to three months” the more or less critical flaws identified for iOS and Safari, among others.
We will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors.
Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.
– Zerodium (@Zerodium) May 13, 2020
Chouaki Bekrar, security researcher and boss of Zerodium, indicates that the price of Apple vulnerabilities has already dropped, and that those that require user action to be exploitable will more particularly be demonetized. He also fears that the global market for iOS vulnerabilities will eventually sink.
The one who talks about iOS security as simply “crappy” finds that the security of iOS is more than a few barriers that hackers sometimes manage to bypass.
The most profitable Android vulnerabilities
So that to date, the discovery of flaws in Android has more value for Zerodium than those in iOS, a first. It is true that more and more 0-day flaws (completely unknown before, but present in systems for a long time) are highlighted on the side of Apple in recent times. In these conditions, it is clear that the security component of iOS 14 will be expected at the turn. The fault traders are no doubt hoping that the system will be more robust, which would cause this strange market to rise.