iOS jailbreaks now worth $2m as WhatsApp and iMessage exploits hit $1m

  • Liam Tung (CSO Online)
  • 08 January, 2019 09:15

Exploit broker Zerodium has doubled some rewards for exploits affecting popular operating systems and messaging platforms. 

Zerodium is in the business of buying software exploits and selling them to buyers, which could be government agencies interested in acquiring data on persons of interest. 

Based in Washington DC, Zerodium markets itself as paying higher rewards than any other organization, offering far more to researchers who might otherwise report flaws they find to bug bounty programs run by Google, Microsoft, and Apple, which would aim to patch them. 

The company has always placed the highest value on iOS exploits, in 2016 setting the price for a jailbreak at $1.5 million, up from $500,000 a year prior. 

Today, Zerodium said it will pay $2 million for a remote iOS jailbreak that can be achieved without user interaction and survive a reboot. That's ten times more than Apple currently offers for an exploit affecting secure boot components of iOS firmware. 

Exploits for secure messaging apps are also getting higher priority based on the top payouts. Now, researchers who exclusively divulge remote code execution flaws in WhatsApp or Apple’s iMessage to Zerodium could receive a payout of $1 million, up from $500,000.  

Though attacks for desktop systems aren't as lucrative, this category has also seen significant increases in the past year. 

In mid-2017 Zerodium introduced a $300,000 reward for a remote code execution bug in Windows 10 that use the file-sharing protocol SMB, which was employed in the WannaCry and NotPetya malware attacks, or RDP, a commonly abused and powerful protocol for remotely accessing and controlling Windows desktops.      

Today, Zerodium is offering $1 million for a remote code execution bug using SMB, RDP or other protocols, up from its most recent offer of $500,000 for this type of bug. 

Researchers considering the upcoming bug bounties funded by the European Commission for open source software could also be swayed by Zerodium’s new payout levels. The company notes that payouts were increased for Mozilla-backed Thunderbird, OpenSSL, Apache, and 7-Zip. 

It’s also on the hunt for less prestigious but no less effective attacks that can achieve remote code execution on a host system through documents, man-in-the-middle attacks, or by undermining OS- and kernel-level exploit mitigation technologies.