On Twitter, a well-known vulnerability broker, Zerodium, reported that in the next months the company would not buy new exploits for vulnerabilities in iOS.
Zerodium believes that there is too many exploits and supply has greatly exceeded demand.
We will NOT purchase any new LPE [local privilege escalation] for Apple iOS, RCE [remote code execution] for Safari or a sandbox escape within the next two to three months due to the large number of offers for these vectors. Prices for “one-click” exploit chains (for example, through Safari), which do not guarantee a constant presence in the system, are likely to significantly fall in price in the nearest future”, — says Zerodium.
In turn, the head of Zerodium, Chauki Beckrar, writes in his personal Twitter the following:
iOS Security is fu%ked. Only PAC and non-persistence are holding it from going to zero…but we’re seeing many exploits bypassing PAC, and there are a few persistence exploits (0days) working with all iPhones/iPads. Let’s hope iOS 14 will be better».
Let me remind you that according to the current price list of the company, RCE + LPE vulnerabilities in Safari were estimated at 500,000 US dollars. More serious iOS exploits, such as FCP (full chain with persistence), can still cost up to $2,000,000.
At the same time, in the fall of last year, exploits for Android for the first time in history began to cost more than exploits for iOS. Then Chauki Bekrar explained that by changing prices this way, his company only reacts to market trends, and already noted that the number of exploits for iOS is growing rapidly.
Shortly thereafter, in December last year, Apple opened the bug bounty program to the public, existing since 2016, but previously available only to selected researchers.
Ryan Narraine, Intel’s security strategist, described Zerodium’s current position as a “pure PR / marketing gimmick” and described the company’s claims as trolling.
Patrick Wardle, principal researcher at Jamf Security and founder of Objective-See, told The Register reporters that Zerodium’s statements probably have a little truth and a little trolling.
It is unlikely that the Zerodium application will come as a surprise to iOS researchers / hackers. After all, this is just another operating system that can contain vulnerabilities and can be exploited. Yes, it may be harder to use them remotely, but we saw how iOS responded again and again, as the Google Project Zero and the NSO Group demonstrated”, — says Wardle.
We add that we recently wrote about hackers that can get in an iPhone by simply sending a text message.
