iOS Vulnerabilities Have ‘Flooded’ the Zero-Day Market; Android Exploits Now More Premium

iOS has always been known for its privacy and security. The walled garden approach from Apple has meant that iOS exploits have been hard to find which is why there has always been a premium on them in the grey market. However, after a series of major security lapses this year, the value of iOS exploits has gone down in the market.

Zerodium — “the world’s leading exploit acquisition platform” — which is known to pay big bounties to security researchers to acquire unreported 0-day vulnerabilities has updated its payouts to reflect this. For the first time, a zero-click Android exploit that allows one to completely take over the device is priced at up to $2.5 million while a similar iOS exploit is priced at $2 million.

The company has adjusted its pricing based on market trends. Zerodium founder Chaouki Bekrar said that the price of iOS exploits have gone down because the market is “flooded” with them and that iOS security and mitigations have been “absolutely destroyed.” Apple will need to rework the security of major iOS features like Safari and iMessage to fix these issues.

“The zero-day market is flooded by iOS exploits, mostly Safari and iMessage chains, mainly due to a lot of security researchers having turned their focus into full time iOS exploitation. They’ve absolutely destroyed iOS security and mitigations. There are so many iOS exploits that we’re starting to refuse some of them.”

On the flip side, it has become hard to develop full Android exploit chains. Among other things, the fragmentation of Android itself is helping it in this regard as a universal exploit chain that works across different versions of Android is extremely difficult.

This year definitely has been rough for iOS from a security viewpoint. A number of major security lapses were found in iOS including the FaceTime and Walkie-Talkie eavesdropping bug. Google’s Project Zero team also detailed a chain of exploits which could hack iPhones just by visiting a website and installed an implant which uploaded personal data of users and their live location to its control server every minute. Project Zero’s Ian Beer called this one of the largest attacks on iPhone users and found that it worked on iOS 10 through iOS 12.

Let’s not also forget that an error from Apple’s part led to an exploit being re-released with iOS 12.4 which paved the way for a public jailbreak for the latest iOS release after years.

Our Take

Things might not be as dire as the picture pained by Zerodium shows. However, there’s no denying the fact that iOS security has taken a major beating this year. Apple is likely already working on this front as can be seen from the renewed focus on its bug bounty program in which it is now providing security researchers with special iPhones with ssh, root shell, and other advanced debugging capabilities.

[Via Vice]