Slashdot Mirror


Hack iOS 10, Get $1.5 Million

Reader Trailrunner7 writes: The stakes in the vulnerability acquisition and bug bounty game have just gone up several notches, with a well-known security startup now offering $1.5 million for a remote jailbreak in iOS 10. The payout was put on the table Thursday by Zerodium, a company that buys vulnerabilities and exploits for high-value target platforms and applications. The company has a set of standing prices for the information it will buy, which includes bugs and exploits for iOS, Android, Flash, Windows, and the major browsers, and the top tier of that list has been $500,000 for an iOS jailbreak. But that all changed on Thursday when Zerodium announced that the company has tripled the standing price for iOS to $1.5 million.

10 of 32 comments

  1. Re:I have a sneaking suspicion by npslider · Score: 3, Insightful

    The question is: which ones?

    CIA? NSA? FBI?

    KGB?

  2. Sell your soul by mseeger · Score: 3, Insightful

    If you sell to them, you're a weapon dealer of the shadier kind. You'll help oppressive regimes to jail dissidents.

    1. Re:Sell your soul by ilsaloving · Score: 3, Insightful

      At least until Apple patches the flaw. In the meantime, it's amazing how a large stack of cash can assuage one's guilt.

  3. Re:I have a sneaking suspicion by NotInHere · Score: 4, Informative

    It's pretty obvious that some of their customers are governments. Who else would be interested in Tor Browser exploits:

    https://www.zerodium.com/image...

  4. Re:I have a sneaking suspicion by Anonymous Coward · Score: 3, Insightful

    Short answer: ALL of them. Governments have become the Great Enemy.

  5. How secure is Apple itself? by swb · Score: 3, Insightful

    Given the FBI complaining about its encryption, this bug bounty, etc., the general impression (and yes, it might be wrong) is that the iOS platform is pretty secure.

    So how secure is Apple in terms of physical security, employee security, etc?

    You would think the next level of attack would be the HQ itself -- getting somebody inside, either secret agent style or compromising an Apple employee somehow.

    Are people who work on iOS device security watched 24/7 by security themselves? Do they work in some kind of high security vault? Is the guy pushing the mail cart actually a deep cover FSB agent?

    If you work for Apple on iOS security do you think twice when some pretty girl at the bar starts talking to you, especially if she says her name is Natasha?

  6. Re:Get ready for the bidder show off by edtice1559 · Score: 2

    Yes, but I don't risk going to jail selling the exploit. So if I could find this, I'd happily take the $1.5 million selling it legally rather than risk going to jail in order to try to get more. Hopefully by selling it, it would actually get fixed. I'd prefer to sell it to a bug bounty program administered by the vendor, though, so I don't have to worry about the moral consequences of the sale.

  7. Re: No problem! by AlphaBro · Score: 2

    If you actually had a chance, you wouldn't be talking about it here.

  8. Re:Is this proof by 93+Escort+Wagon · Score: 2

    Then you look at the bottom of the list, and see how little they'll pay for exploits of pretty much ANY web content management system (Drupal, Joomla, WordPress)... and, if you're unfortunate enough to be responsible for any of these, you go weep softly in a corner somewhere.

    --
    #DeleteChrome

  9. Re:I have a sneaking suspicion by Anonymous Coward · Score: 2, Insightful

    Why wouldn't they? At a minimum, modern governments have an obligation to protect their constituents from espionage, and in some cases that means using software exploitation to gain the upper hand.

    If the goal is to protect constituents from espionage, I argue that they'd be more effective in this task if they took exploits to the various vendors and convinced/helped them close the holes.