Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

The Million Dollar iOS Hack (Isn't)
Rich Mogull

Reports emerged yesterday that [1] a security exploit broker paid $1,000,000 for a browser-based iOS 9 attack, setting a record for buying and selling a computer exploit, at least in public. Security firm Zerodium announced the news [2] via its Twitter feed, and stated that the exploit is an 'untethered jailbreak' that works on all the latest versions of iOS. This was the conclusion of a [3] contest the company initiated back in September. Zerodium hasn't released much more about the attack technique, so we don't know if it works by browsing a malicious website, reading an email message, or receiving a text message (all were open options in the contest).

As is typical with Apple security stories these days, you shouldn't be overly concerned, but it should raise a few hairs on the back of your neck.

Zerodium plans to sell the exploit to government and defense customers. Based on rumors (and really, it's just rumors) among my security contacts, a reliable iOS exploit can run into the low six figures on exploit markets. Government agencies use these for surveillance and law enforcement, and iOS is consistently a tough nut to crack. While we know next to nothing about this company, the odds are very low that this will be used for cybercrime. The agencies that do purchase it will most likely use it judiciously in order to lengthen the lifespan of the attack and minimize the chances it will end up in Apple's hands. Some readers most definitely need to worry, but not most.

Other organizations will buy it to incorporate into their defensive security tools.
This could be security companies wanting to show they protect against the latest and greatest attacks (the truth is, all of them miss many attacks, so the value is more for sales and PR than actual defense). Organizations will even buy it to defend themselves, typically high-value targets in defense and financial services.

Zerodium is a new startup in the burgeoning digital exploits marketplace. The company was founded by Chaouki Bekrar, formerly of the controversial firm [4] Vupen, which was based in France. While Vupen was known for developing and selling its own exploits to governments, Zerodium appears to be focusing on purchasing and reselling exploits. By developing a customer base with big pockets, Zerodium can pay researchers rates far above what they could get from other sources, but still make money by playing middleman and reselling those exploits to multiple buyers for more typical amounts.

If Zerodium sounds like an arms dealer, you are exactly correct. This kind of activity isn't illegal, but it isn't exactly ethical, especially since these companies withhold exploit details from software vendors to ensure they remain unpatched for as long as possible.

This is quite different from 'bug bounty' firms, which intermediate between security researchers and software firms and outsource communications, negotiations, and validation of vulnerabilities and exploits. A bug bounty is cash paid by a company to researchers who find security issues in its products. It provides an incentive for researchers (and others) to report the bugs to the vendor for patching instead of making them public or selling them to bad guys.

Zerodium is a dangerous entrant into the market since it alters the economics of online security: now researchers can make more money by selling their bugs to Zerodium than by notifying the vendor.
Governments and other groups have long paid for exploits, but a broker increases the value of certain exploits and will sell to multiple buyers, spreading the risk to users. This could pressure buyers to use their exploits more often and more quickly, since they don't know or trust the other buyers, which may create a 'race to exploit' before the value of their investment is lost. There's also nothing restricting who Zerodium can sell to, and while it claims it only sells to NATO governments and partners, there's no way to know for sure.

Bug bounty firms make money by helping collect and report bugs so they are fixed; exploit brokers make money by leaving you vulnerable to as many clients as possible for as long as possible. If this all sounds insane, you wouldn't be wrong.

There are a few dynamics working in favor of us normal iOS users. While those who purchase the bug will have incentives to use it before Apple patches it, the odds are they will still restrict themselves to higher-value targets. The more something like this is used, the greater the chance of discovery. That also means there are reasonable odds that Apple can get its hands on the exploit, possibly through a partner company, or even by focusing its own internal security research efforts.

And the same warped dynamics that allow a company like Zerodium to exist also pressure it to exercise a little caution. Selling to a criminal organization that profits via widespread crime is far noisier than selling quietly to government agencies out to use it for spying.

In large part this is merely a big publicity stunt. Zerodium is a new company, and this is one way to recruit both clients and researchers. There is no bigger target than iOS, and even if they lose money on this particular deal, they have certainly placed themselves on the map.

Keep in mind that we know there have been multiple exploits for all major computer platforms sold quietly for many years now.
Spy agencies and even some law enforcement have not-so-secret programs to collect these bugs. This isn't any different, other than being public, and you shouldn't expect your iPhone to be any less secure tomorrow than it was last week.

There is one interesting aside, though. Apple sometimes comes under criticism for not offering bounties, especially for iOS. But when a firm is willing to pay a million dollars for a single bug, the economics don't work in Apple's favor, bounty program or not.

References

1. http://www.macrumors.com/2015/11/02/zerodium-ios-9-jailbreak-bounty/
2. https://twitter.com/Zerodium/status/661240316331069443
3. https://zerodium.com/ios9.html
4. https://en.wikipedia.org/wiki/Vupen