As both Google and Apple continue patching out vulnerabilities and exploits, new ones are introduced with each update. Efforts towards finding these vulnerabilities pay off as well, potentially benefiting hacking groups and intelligence agencies.
Vulnerability and exploit brokers buy information about these flaws from the people who discover them and sell it to those who will use it. They even make millions of dollars thanks to just a single exploit.
Zerodium, An Exploit Broker
Yesterday Zerodium, an exploit broker company, announced that it will give $1.5 million to anyone who discloses zero-day exploits for Apple’s iOS 10. Last year the highest amount going out for zero-day exploits was $1 million. Anyone who can remotely jailbreak the latest iOS 10 will receive the $1.5 million.
Last year iOS 9’s bugs were going for $500,000, while Windows and Android flaws were going for around $100,000. Android 7.0 Nougat bugs and exploits will fetch a $200,000 reward this year due to the increased difficulty of finding flaws in it. Zerodium announced a limited $1 million bounty in winter last year for iOS vulnerabilities. It even offered to pay multiple $1 million sums. Eventually a hacker group claimed the full reward.
Zerodium’s $1.5 million bounty is for all time and is not limited to a specific time period. Zerodium’s founder, Chaouki Bekrar, says:
“We’ve increased the price due to the increased security for both iOS 10 and Android 7. We would like to attract more researchers all year long.”
iOS 10 Jailbroken in Just a Day
iOS 10 was successfully jailbroken by a teenager, who claims to have done it in just 24 hours. That is all well and good, but being able to do it remotely, without making changes to the phone in person, is something completely different, which is why it deserves a hefty $1.5 million.
Bekrar’s company sells these exploits to North American governments and corporations. He also sells to agencies in “allied governments”.
It is a little scary that such a large incentive is available for anyone who jailbreaks an iPhone remotely. But then again, it shows just how hard it actually is to do so.