Zerodium makes $1.5m iOS hack tougher, offers $500k for WhatsApp, Signal

  • Liam Tung (CSO Online)
  • 24 August, 2017 06:03

Exploit broker Zerodium has made it tougher to score its top payout of $1.5m for a remote iOS exploit, but it has also introduced a $500,000 offer for an attack on popular encrypted messaging apps like WhatsApp and Signal.

A year ago Zerodium raised the price for a remote iOS 10 jailbreak from $1m to $1.5m. The year before it only paid $500,000 for this attack. 

Today, the company revised its payment schedule to focus on a far rarer form of remote iOS jailbreak. Now, to qualify for the top payment, the exploit needs to be remote, work without the user clicking anything, and persist after a reboot. Hackers can, however, still earn $1m for a remote jailbreak with user interaction.

Zerodium’s founder and CEO Chaouki Bekrar reckons the new threshold for a $1.5m payment is “a bit harder but feasible”. However, finding a bug that can be exploited without user interaction is incredibly rare. 

Responding to ethical hacker Charlie Miller on Twitter, Bekrar admitted the iOS SMS exploit Miller and fellow researcher Collin Mulliner disclosed in 2009 was the only publicly known example of such an iOS exploit. 

In the eight years since, no one has revealed an equally powerful flaw; however, someone, somewhere may be sitting on one. They could have also secretly sold this hack to another entity.

Google’s Project Zero also offered a $200,000 prize for a remote Android exploit that worked without a click in a 2016 contest. However, at the conclusion of the six-month contest, without a single valid bug submission, the Project Zero team conceded the requirement may have been too tough, given the timeframe.

Zerodium is different to hacking contests, bug bounties, and other programs aimed at acquiring bugs in order to patch an affected product. Instead it offers cash for software exploits but only shares the research with clients that pay for its zero-day research feed, such as governments. 

Prices offered by governments and firms like Zerodium may explain why Apple’s own bug bounty, which offers up to $200,000 for a vulnerability, has reportedly failed to attract bug submissions.

Zerodium also introduced a new tier of $500,000 for remote code execution combined with local privilege elevation exploits for popular encrypted messaging platforms, including iMessage, Telegram, WhatsApp, Signal, Facebook, Viber, and WeChat.

Given persistent government concerns over messaging encryption, it is noteworthy that Zerodium's prices for encrypted messaging app exploits are far higher than for exploits in baseband chips that have been used by law enforcement in "stingrays" or IMSI catchers. Zerodium offers a mere $150,000 for remote exploits affecting baseband chips.

Other new categories include a $300,000 payment for a no-click remote code execution bug in Windows 10 that targets built-in services like Server Message Block and Remote Desktop Protocol.