Zerodium expects iOS exploit prices to drop as it announces surplus (securityweek.com)
73 points by jwiley on May 17, 2020 | hide | past | favorite | 24 comments

How about another theory...

The kind of organisations that use these exploits rarely want to use the same one twice. That would link the two uses, which could reveal who was attacking whom or why.

However, anti-rooting protections on iOS devices are such that the vast majority of organisations don't have any kind of logging or analysis infrastructure set up which could trace which devices have a specific exploit run against them.

The exploit is probably delivered by an encrypted channel, so even if you did full traffic logging from all employee devices to the internet, you still wouldn't have enough info to know which devices were infected, since the attacker will surely use a different server each time to deliver the exploit.

That suddenly makes it much safer to reuse exploits, so there isn't such a big market for a new exploit for every covert operation.

The same isn't true of Android - there are plenty of apps which will trace syscalls, dump logs, send suspicious files for analysis, etc. That makes reusing an exploit a risky business for three-letter agencies, especially if you're attacking another three-letter agency who probably has their own custom anti-malware type software just waiting for you to trip a tripwire.

I wonder what the reason for that is? I doubt Apple code quality dropped significantly. Is it simply because more people started to look for vulnerabilities? Or was it because better tools to discover the bugs became available?

> I doubt Apple code quality dropped significantly.

I'm not sure that's a safe bet. iOS updates have become notorious for things breaking, sometimes in very obvious ways. I have an iPhone and a recent update caused some very obvious degradation of battery lifetime between charges, for example. Given that I have an unmodified phone running almost nothing but the standard Apple software, and the tiny number of apps I do have installed haven't been used since before that update, there isn't much excuse for this.

Meanwhile, I currently have email disabled on my phone pending a fix for a known security vulnerability that is reportedly going to be included in a firmware update delivered several weeks after the vulnerability was out in the wild and doing the rounds on tech sites.

Neither of these is reassuring when it comes to the current state of iOS robustness and security, and five minutes with Google will show that my experience is not unusual among iPhone users in recent times.

There have been widespread claims of dropping quality in iOS updates nearly as long as iOS has been around. I don't doubt that there have been issues with software quality (that'll be true in any organization), but I suspect there's a great deal of recency bias with these claims.

I've used iOS devices of one kind or another since around the 2nd and 3rd generations, and seen some of those devices through years of major updates. Anecdotally, I have never seen things as bad as they have been in the past couple of years, other than Apple's seemingly arbitrary policy on abandoning support for older (but not necessarily old by most standards) devices entirely.

The really sad thing is that iOS devices still seem to be relatively robust compared to either Windows 10 or macOS on the desktop. It feels like Apple and Microsoft have both decided they are so dominant now that quality control doesn't need to be a business priority, and as a result we've left behind the "golden age" up to the mid-2010s when your OS mostly Just Worked(TM) and entered a new age where the most basic reliability of our essential IT systems is in question.

> I doubt Apple code quality dropped significantly.

Oh it did. Earlier OS X releases were way more stable and didn't break shit for no reason.

Quality assurance has gone downhill over the last few years, that's what happens when the people in control are no longer engineers taking pride in high quality bug-free code but rather managers whose incentives are to push as many new features out as possible - which IMO was also the reason why 86 support was dropped in Catalina, it was too expensive to keep supporting, but heh who cares about users of stuff like VSTs for sound people or people wanting to use their Mac for gaming...

Optimization is not the same as security. The first iPhone was jailbroken and unlocked within days of its release IIRC. As the years went on, we were lucky to get a jailbreak at all. In fact, checkra1n was the newest exploit in a long time. Yes, their quality has gone down a bit, but don’t confuse that with their security measures.

No, but QA is necessary for security. If they're letting through bugs that cause crashes or product misbehaviour, then they're also more likely to be letting through security issues.

Apple effectively put an end to the jailbreak scene by allowing people to compile their own applications without paying a dime. Put the incentive away and suddenly there are a lot fewer eyes on the code.

Every release breaks something - libraries getting disconnected for no reason, not being able to do `sudo ls` because suddenly there's an uberadmin and I have to grant privileges for terminal to run sudo, stuff breaking for no reason, because suddenly logs/tmp/var is not writable anymore (recently - mongodb). Last hilarity that ensued was me trying to get into a Zoom meeting, which required a restart because sound was turning off and THAT required a hard restart (something something sound driver stopped working? even though restarting Zoom fixes the issue for 2m?); alongside this an update occurred, because why not, which actually set hard drive encryption that was supposed to happen 3 months ago (I did restart my computer after that mandatory policy change and was expecting it to have been in effect since then).

How do you do `sudo ls` on iOS?

Sorry, vented about macOS. Ignore me.

What is the business model of this company? Are they selling such exploits to whoever is willing to pay the most?

And does this mean Android is more secure?

If you take the press release at face value, it means Android has fewer newly-discovered vulnerabilities on the open market right now. That's probably good news for Android, but there are alternative explanations too: maybe Google is paying more for their exploits to keep them hidden, for example. Or maybe Zerodium is trying to get Apple to sign a new/bigger contract and applying pressure.

This is all, indeed, a pretty shady business. I don't think there's anything authoritative we can say from the outside.

This sounds really logical to me but also raises yet more questions.

How much is Zerodium charging people for these exploits if Apple isn’t paying?

Sure, they could stick the knife in if Craig Federighi calls up to ask how much, but you’d assume it’s nothing to Apple to spin up an arms-length subsidiary with a folksy name to buy the info through.

Or maybe being closed source didn't help Apple in the long run.

Too simplistic of an answer, though it could be part of it.

I think we wrap ourselves in a bit of false security when we say something is open source and think that automatically makes it more secure. We assume someone has looked at the source. But has anyone really? And those with the most incentive to look into these things might not be inclined to share the vulnerabilities back to the community for safety's sake, given the princely sums being offered by companies like Zerodium.

Funny how Microsoft is now saying they were "on the wrong side before" with open source.

Let that sink in...

Apple is the device to exploit right now, which drove supply. Meanwhile Google, Project Zero and companies like Copperhead are actively securing Android.

Companies can subscribe to a feed of 0-day exploits ("Zero-Day Research Feed"), for what I assume is a hefty fee, large enough to make a profit despite millions of dollars spent on exploit acquisition.

Their website says they mostly sell to North American and European governments.

I can only assume this is for offensive purposes, since they can’t patch the kernel/software even if they know how the exploits work.

Seems like a guerrilla marketing campaign to let researchers know the sandbox is broken, but they are still shopping for persistence.

The price has been downgraded before: https://www.wired.com/story/android-zero-day-more-than-ios-z...

And going back further: https://twitter.com/cBekrar/status/1128702955555713024

Pretty sure it's not marketing.

I made a few guesses on a previous thread: https://news.ycombinator.com/item?id=23170237
