
Zerodium expects iOS exploit prices to drop as it announces surplus - jwiley
https://www.securityweek.com/zerodium-expects-ios-exploit-prices-drop-it-announces-surplus
======
londons_explore
How about another theory...

The kind of organisations that use these exploits rarely want to use the same
one twice. That would link the two uses, which could reveal who was attacking
who or why.

However, anti-rooting protections on iOS devices are such that the vast
majority of organisations don't have any kind of logging or analysis
infrastructure set up which could trace which devices have a specific exploit
run against them.

The exploit is probably delivered by an encrypted channel, so even if you did
full traffic logging from all employee devices to the internet, you still
wouldn't have enough info to know which devices were infected, since the
attacker will surely use a different server each time to deliver the exploit.

That suddenly makes it much safer to reuse exploits, so there isn't such a big
market for a new exploit for every covert operation.

The same isn't true of Android - there are plenty of apps which will trace
syscalls, dump logs, send suspicious files for analysis, etc. That makes
reusing an exploit a risky business for three letter agencies, especially if
you're attacking another three letter agency who probably has their own custom
anti-malware type software just waiting for you to trip a tripwire.

------
fpoling
I wonder what is the reason for that? I doubt Apple code quality dropped
significantly. Is it simply because more people started to look for
vulnerabilities? Or was it because better tools to discover the bugs became
available?

~~~
Silhouette
_I doubt Apple code quality dropped significantly._

I'm not sure that's a safe bet. iOS updates have become notorious for things
breaking, sometimes in very obvious ways. I have an iPhone and a recent update
caused some _very_ obvious degradation of battery lifetime between charges,
for example. Given that I have an unmodified phone running almost nothing but
the standard Apple software, and the tiny number of apps I do have installed
haven't been used since before that update, there isn't much excuse for this.

Meanwhile, I currently have email disabled on my phone pending a fix for a
known security vulnerability that is reportedly going to be included in a
firmware update delivered several _weeks_ after the vulnerability was out in
the wild and doing the rounds on tech sites.

Neither of these is reassuring when it comes to the current state of iOS
robustness and security, and five minutes with Google will show that my
experience is not unusual among iPhone users in recent times.

~~~
spideymans
There have been widespread claims of dropping quality in iOS updates nearly as
long as iOS has been around. I don't doubt that there have been issues with
software quality (that'll be true in any organization), but I suspect there's
a great deal of recency bias with these claims.

~~~
Silhouette
I've used iOS devices of one kind or another since around the 2nd and 3rd
generations, and seen some of those devices through years of major updates.
Anecdotally, I have never seen things as bad as they have been in the past
couple of years, other than Apple's seemingly arbitrary policy on abandoning
support for older (but not necessarily old by most standards) devices
entirely.

The really sad thing is that iOS devices still seem to be relatively robust
compared to either Windows 10 or macOS on the desktop. It feels like Apple and
Microsoft have both decided they are so dominant now that quality control
doesn't need to be a business priority, and as a result we've left behind the
"golden age" up to the mid-2010s when your OS mostly Just Worked(TM) and
entered a new age where the most basic reliability of our essential IT systems
is in question.

------
saltedonion
What is the business model of this company? Are they selling such exploits to
whoever is willing to pay the most?

And does this mean Android is more secure?

~~~
newacct583
If you take the press release at face value, it means Android has fewer newly-
discovered vulnerabilities on the open market right now. That's probably good
news for Android, but there are alternative explanations too: maybe Google is
paying more for their exploits to keep them hidden, for example. Or maybe
Zerodium is trying to get Apple to sign a new/bigger contract and applying
pressure.

This is all, indeed, a pretty shady business. I don't think there's anything
authoritative we can say from the outside.

~~~
softwarejosh
Or maybe being closed source didn't help Apple in the long run.

~~~
whynotminot
Too simplistic of an answer, though it could be part of it.

I think we wrap ourselves in a bit of false security when we say something is
open source and think that automatically makes it more secure. We assume
_someone_ has looked at the source. But has anyone really? And those with the
most incentive to look into these things might not be inclined to share the
vulnerabilities back to the community for safety's sake, given the princely
sums being offered by companies like Zerodium.

------
masnao
Seems like a guerrilla marketing campaign to make researchers know the sandbox is
broken, but they are still shopping for persistence.

~~~
vsareto
The price has been downgraded before: [https://www.wired.com/story/android-zero-day-more-than-ios-z...](https://www.wired.com/story/android-zero-day-more-than-ios-zerodium/)

And going back further:
[https://twitter.com/cBekrar/status/1128702955555713024](https://twitter.com/cBekrar/status/1128702955555713024)

Pretty sure it's not marketing.

------
captn3m0
I made a few guesses on a previous thread:
[https://news.ycombinator.com/item?id=23170237](https://news.ycombinator.com/item?id=23170237)

