A company that pays hackers to submit serious security vulnerabilities says it’s made aware of so many flaws in various Apple operating systems that it will temporarily stop acquiring new attack techniques.
In a tweet Wednesday, Zerodium said it will stop accepting Apple iOS bugs that lead to “local privilege escalation” (LPE), which lets an attacker who already has code running on a device gain higher privileges, remote code execution (RCE) bugs in the company’s Safari web browser, and “sandbox escapes,” which let code confined to one app’s sandbox reach other parts of the device.
We will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors.
Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.
— Zerodium (@Zerodium) May 13, 2020
In a follow-up tweet, Zerodium chief executive Chaouki Bekrar said Zerodium also is aware of “a few” zero-day vulnerabilities affecting “all iPhones/iPads,” though he declined to provide more details when asked by CyberScoop. The update comes eight months after Zerodium said that for the first time, exploit sellers offering new ways of breaking into Android devices could earn more money than for similar hacks on iOS products.
“The zero-day market is based on supply and demand,” Bekrar said. “A spike in supply of zero-day exploits for a specific product means that the security level of that product is decreasing, and the price goes down as there are too many exploits available.”
For the past two months, Zerodium has offered up to $200,000 for a Safari RCE with a sandbox escape working with the latest version of iOS on updated iPhones, down from $500,000, Bekrar said. The firm is now paying “$0 for such exploits as we don’t want them anymore,” he said.
Apple did not respond to a request for comment Wednesday.
Apple announced in September it would expand its bug bounty program to offer up to $1.5 million under certain conditions to hackers who disclosed new ways of breaching the iPhone’s operating system. That change came after researchers from Google’s Project Zero team disclosed that suspected Chinese hackers apparently had exploited 14 Apple vulnerabilities, across five exploit chains, to spy on the Uighur Muslim population.
The company also said in September it would open its bug bounty program to the public after previously working with researchers on an invite-only basis.
Zerodium’s Bekrar declined to speculate on why so many Apple exploits have “flooded” the market.
Other researchers suggested the recent public invitation to probe Apple systems may have resulted in more people finding issues in the company’s technology, but not reporting them to Apple because of difficulties working with the company.
“Apple has a poor history of paying hackers or recognizing when payment for work should occur,” said researcher Jake Davis. “They’re also not keen on researchers picking apart their products, which is exactly what’s required for discovering problems to begin with.”