Over the last week, we learned more about a chain of malicious website exploits that targeted iPhone users for years. This evening, a new report from Vice dives deeper into the current state of the security industry, and how the number of iOS exploits continues to grow.
Ecobee HomeKit Thermostat
Zerodium, one of the many âvulnerability brokersâ out there, announced a new pricing structure that values Android exploits higher than iOS exploits. Android exploits that allow âfor the complete takeoverâ of devices without requiring that the user click on anything are now worth $2.5 million, whereas the same iPhone vulnerability is worth $2 million.
Meanwhile, Zerodium has also decreased the value of a 1-click iOS exploit from $1.5 million to $1 million.
Zerodium founder Chaouki Bekrar says this is due to the zero-day market being âfloodedâ with iOS exploits:
âThe zero-day market is flooded by iOS exploits, mostly Safari and iMessage chains, mainly due to a lot of security researchers having turned their focus into full time iOS exploitation. Theyâve absolutely destroyed iOS security and mitigations. There are so many iOS exploits that weâre starting to refuse some of them.â
Meanwhile, on the Android side of things, Bekar says that âitâs very hard and time consuming to develop full Android exploit chains.â He added that until Apple âre-improves the security of iOS components such as Safari and iMessage,â Android exploits are more valuable.
Crowdfense is another company that buys zero-day exploits with a particular focus on selling them to governments. Crowdfense director Andrea Zapparoli Manzoni corroborated that there are now far more iOS exploits than Android, but with a caveat:
âThere are more iOS chains on the market but not all of them are âintelligence-grade,'â he wrote in an email. âMany researchers are trying to get top payouts (like the ones we pay) but not all of them can deliver the âright stuff,'â he wrote, adding that this adds to the ânoiseâ of the market.
In this instance, Androidâs fragmentation is actually helpful, Zapparoli Manzoni said:
âAndroid is such a fragmented landscape that a âuniversal chainâ is almost impossible to find; much harder than on iOS which is a âmonoculture.'â
Of course, the important thing to note here is that Crowdfense and Zerodium make up only one part of the exploit market, as Vice notes. That means they might not tell the whole story.
Furthermore, Apple itself recently doubled down on its own bug bounty program, announcing higher payouts and a new iOS Security Research Device program that will see it distribute pre-jailbroken iPhones to researchers. This signals a renewed focus on bounty programs from Apple, and could end up helping counteract what some exploit vendors are seeing.
Subscribe to 9to5Mac on YouTube for more Apple news:
Gloss