
Zerodium, a "premium exploit acquisition platform", bought an iOS jailbreak vulnerability from a child in the UK for around 1.5 million USD. They are offering the same amount on their website currently, but my question is, why are they worth so much? What property of a jailbreak makes them cost over one million dollars, as compared to regular exploits like Windows RCE, or even an Android jailbreak?

noodles

3 Answers


Any exploit is worth much more before the vulnerability is known (AKA, 0-day) than after. The reason is simple: there are no available patches for an "unknown" vulnerability, so the exploit works on every device using the vulnerable software, given the proper conditions for the exploit to work.

Once the vulnerability is known (publicly, or to the authors of the vulnerable software) the patch is developed; this may take some time, but it is happening. Once the patch is available the exploit only works on outdated software, which is much less than before it's patched.

That explains why it is worth more as a 0-day than as an exploit abusing a known vulnerability. The specific price for an iOS 0-day exploit being worth 1.5 million USD is probably because Apple was paying up to 500,000 USD last year for a 0-day in their devices; if the "legal market" raises the price, the "dark market" will raise it too. If not, why would someone sell a new exploit on the dark market, with all the legal implications it has, if the company already pays more without any legal implication?

Edit: Just as a reference (real price may vary), you can check how much an exploit is estimated to be worth before and after the vulnerability is known here, and you'll see that the proportion between both prices remains approximately the same for every CVE.

Mr. E
  • It doesn't explain why an iOS 0day pays so much higher than an Android 0day or even a Windows 0day. – wireghoul Jul 15 '17 at 06:03
  • It's due to market adoption, the security of the target, whether or not there's a lot of eyes trying to audit the target and more marketable bug bounties. The more people use a more secure product, the more profitable an exploit. – grepNstepN Oct 06 '17 at 18:59

There are several contributing factors, but these seem to be the major contributing factors:

complexity

Untethered remote jailbreaks typically require a series of special bugs. This means that the price tag per bug used is a part of the overall price. It also means that development requires several people for significant periods of time, and this cost has to be covered and some profit has to be made.

supply and demand

Supply is limited, as the number of groups that can provide these remote untethered jailbreaks can be counted on your fingers. Thus you need to pay top dollar to outbid the competition. Demand is driven by the iPhone market share, which is much larger when you consider that most Android exploits are only likely to work on a small subset of handsets/providers, as they are not all the same, unlike iPhones.

It is basic economics at work despite media and others screaming about 0days and the sky falling.

wireghoul

There are a couple possible reasons for this:

  1. Government contractors often mark up the prices for 0days significantly. Selling a reliable exploit chain for Chrome to Raytheon SI may net you 300,000 USD. Selling the same chain to J. Random Hacker over on IRC may get you a fraction of that price.

  2. Simply knowing an exploit is a jailbreak does not tell you what the exploitation vector is. A jailbreak exploit that requires you to install privileged software and connect your device to a computer via USB will be worth a lot less than one which can be done simply by visiting a webpage, which itself will be worth a lot less than one which exploits the baseband wirelessly.

  3. Simply put, iOS is actually quite secure. While it's common knowledge that Apple devices are not great for privacy, people often equate that with being insecure, which is untrue. Additionally, because it is so centralized, updates are guaranteed to be released frequently. With Android, you often have to wait for your security-ignorant OEM to actually send out vital updates even though AOSP (the Google project that develops Android) has already created it.

  4. Android uses the Linux kernel internally and includes many other widely-used libraries. The fact that it uses popular open source software does not make the software less secure, but it does mean that an exploit that works on Android may not be specific to Android. Because of the specificity of iOS exploits, people may charge more for them.

forest