Windows 10 News and info | Forum
February 27, 2020, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: Exploit resellers report glut of iOS vulnerabilities  (Read 94 times)
Hero Member
Online Online

Gender: Male
United States United States

Posts: 31098

I Do Windows

WWW Email
« on: September 04, 2019, 11:32:25 AM »

Software vulnerability brokers have lowered payout rates for iOS exploits, saying a recent "flood" of iPhone zero-days makes the bugs less valuable than comparable attacks designed to penetrate Android.

Exploit reseller Zerodium on Tuesday announced higher going rates for Android vulnerabilities, with the firm now paying out up to $2.5 million for so-called zero-click zero-days, reports Motherboard.

As the value of Android exploits increases, the market health of zero-days designed to thwart iOS protections stagnates due to what can be characterized as a supply glut. Zerodium, for example, pays out $2 million for zero-click vectors targeting iPhone, and decreased payouts for one-click attacks from $1.5 million to $1 million, the report said.

Zero-click exploits refer to vulnerabilities that can be leveraged to hack a device without user interaction, while zero-days are defined as bugs, exploits and other flaws that are as yet unknown to platform operators. Zero-days are particularly prized assets for hackers both lawful and nefarious looking to break into locked-down devices like iPhone.

"The zero-day market is flooded by iOS exploits, mostly Safari and iMessage chains, mainly due [to] a lot of security researchers having turned their focus into full time iOS exploitation," said Zerodium founder Chaouki Bekrar. "They've absolutely destroyed iOS security and mitigations. There are so many iOS exploits that we're starting to refuse some of them."

The director of exploit buyer Crowdfense, Andrea Zapparoli Manzoni, agrees with Bekrar's assessment of the market, but notes not all iOS chains are "intelligence-grade." Still, it appears the supply of vulnerabilities more than sates demand.

Bekrar added that Android is becoming increasingly difficult to crack, in part due to fragmentation. The multi-version, multi-device nature of Google's operating system has long been considered a weakness in terms of consistency and stability, but it is this very "feature" that might prove useful in protecting against widespread attack, the report said.

"Android is such a fragmented landscape that a 'universal chain' is almost impossible to find; much harder than on iOS which is a 'monoculture,'" said Zapparoli Manzoni.

Bekrar elaborated, saying Android's constantly improving security is making bug discovery more difficult for researchers. He seemingly implies Apple is not keeping pace with its iOS efforts.

"The security of Android is however improving with every new OS release. It's very hard and time consuming to develop full Android exploit chains and it's even harder for zero-click vectors (not requiring any user interaction)," Bekrar said. "We believe that the time has come to pay the highest bug bounty for Android exploits until Apple re-improves the security of iOS components such as Safari and iMessage."

As noted by Motherboard, brokers like Zerodium and Crowdfense comprise only a subsection of a much wider market dealing in software vulnerabilities. Other players include firms who broker deals solely with law enforcement and government agencies, regional research firms and rogue actors.

Zerodium's new bounty pricing arrives days after Google's Project Zero announced the discovery of a massive iPhone hacking operation. Over a period of what is thought to be years, a series of hacked websites took advantage of multiple vulnerabilities to disseminate a software implant capable of swiping sensitive user information and tracking the location of modern iPhones running the latest versions of iOS.


Pages: [1]
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page September 15, 2019, 01:33:48 AM