Zerodium revamps exploit bounty payouts

Exploit acquisition platform Zerodium has increased the amount it is prepared to pay for mobile exploits in a revamp of its price list that makes Android exploits more lucrative than those for iOS attacks for the first time.

The realignment, announced Tuesday, comes just days after last week’s bombshell disclosure from Google researchers about how an attack group chained together a number of zero-day exploits to carry out the mass-hack of iPhones.

The operation – unprecedented in its scale – relied on tricking iOS device users into visiting booby-trapped websites.

A new entry on the list – ‘Android full chain (zero-click) with persistence’ – is priced at up to $2.5 million. By comparison, Apple iOS persistence exploits or techniques (another new category) are worth just $500,000.

The potential payout for an ‘Apple iOS full chain (one-click) with persistence’ exploit has been reduced from $1.5 million to $1 million.

An iMessage-based one-click exploit that yields remote code execution (RCE) but without granting persistence previously offered a payout of up to $1 million. This has been halved to $500,000.

Persistent pwnage

While the reward for so-called ‘one-click’ attacks that require tricking targets into allowing a malicious action has gone down, the price Zerodium is prepared to offer for exploits that work without any user interaction has been increased.

For example, the payout for an RCE attack against WhatsApp that works without any user interaction has been increased from $1 million to $1.5 million, even in cases where an attack fails to yield persistent pwnage.

Zerodium said that the change-up reflected (unspecified) changes in market trends in the mobile exploit marketplace. The prices the organization offers for desktop and server-targeting exploits and vulnerabilities remain unchanged.

“We’ve updated our prices for major mobile exploits,” the exploit broker explained in an update on Twitter.

“For the first time, we will be paying more for Android than iOS. We've also increased WhatsApp & iMessage (0-click) but reduced the pay-out for iOS (1-click) in accordance with market trends.”

The Daily Swig asked the firm to explain these market trends and comment on what effect, if any, the recently disclosed mass hacking of iPhones has had on the exploit marketplace.

Infosec watchers expressed some surprise at the direction of the mobile exploit price changes.

“You’d think burning a giant pile of iOS 0day would make the iOS price shoot up,” said security researcher Dean Pierce.

“Maybe demand dropped since NSO etc isn’t allowed to sell to Saudis anymore, though I’d be surprised if just one intel org really caused that much price swing.

“Bugonomics is fun,” he added.
