One of the biggest buyers of iOS zero-day exploits says the market is flooded with new iPhone bugs due to weakened security components in Safari and iMessage.
Zerodium, which pays $2 million for iOS exploits, recently announced it’s increasing its payout for Android exploits to $2.5 million. iOS used to be the most locked-down mobile operating system, but the company says Android’s security has improved with every new OS release while iOS has been slacking, leading to a glut of new exploits.
“The zero-day market is flooded by iOS exploits, mostly Safari and iMessage chains, mainly due [to] a lot of security researchers having turned their focus into full-time iOS exploitation,” said Zerodium founder Chaouki Bekrar in an online chat. “They’ve absolutely destroyed iOS security and mitigations. There are so many iOS exploits that we’re starting to refuse some of them.”
Another exploit broker, Crowdfense, told Vice that security researchers are trying to cash in on iOS exploits, but many of them don’t deliver the ‘right stuff.’ Zero-click exploits — ones that can hack an iPhone without the user touching anything — are the most sought after. Other exploits that require the user to click a link are still valuable but don’t pay out as much.
Apple announced last month that it’s expanding its bug bounty program to include all of its software platforms. The iPhone-maker pays out $1 million for zero-day exploits, which is the biggest payout by a major tech company, but still far below what a security researcher can make selling an exploit to Zerodium or Crowdfense.
One reason iOS has become the easier software to hack is Android’s fragmentation: an exploit that works on one version of Android might not work on different handsets. Meanwhile, because the majority of iOS devices run iOS 12, one exploit will work on tens of millions of iOS devices.