Slashdot Mirror


Companies Are Now Offering Seven Figures For Hacks That Allow Spies, Cops To Steal Chat App Messages (vice.com)

Zerodium, a startup that buys and sells hacking tools and exploits to governments around the world, announced on Monday price increases for almost everything they are looking for, such as iOS remote jailbreaks and Windows exploits. "It said it will now pay security researchers $1,000,000 for exploits in WhatsApp, iMessage, and SMS/MMS apps for all mobile operating systems," reports Motherboard. From the report: Compromising the whole iPhone, sometimes referred to as remote jailbreaking or rooting the phone, can cost $2 million or more, and usually involves a series of bugs and exploits. The price increase shows that mobile devices in general are getting more and more secure, and thus harder to hack. That means that it's becoming increasingly hard for hackers to break into iOS and Android devices. That makes the life of folks like spy agencies and police departments harder too. That's where Zerodium and other similar companies, such as Azimuth and Crowdfense, come in: they act as intermediaries between security researchers and government agencies looking for tools -- often called zero-days -- to break into targets. Before today, Zerodium was willing to pay $500,000 for WhatsApp and iMessage exploits, according to an archived version of the company's site. These new prices are in line with the market, according to Maor Shwartz, who used to run a company that acquired and sold exploits to government agencies.

73 comments

  1. Re:Traitor Drumpf must HANG! by Anonymous Coward · · Score: 0

    Rent-free.

  2. pointless by Anonymous Coward · · Score: 0

    As soon as you patch one of these backdoors, the next update will just have a new one.

    1. Re: pointless by Anonymous Coward · · Score: 0

      Then go make an easy two million, right? Oh wait...

    2. Re:pointless by phantomfive · · Score: 1

      The point isn't to patch the backdoor. The point is to exploit it. This is a company that sells exploits to government agencies (presumably. They don't tell who their customers are, so it could be to the mafia, too).

      --
      "First they came for the slanderers and i said nothing."
  3. Re: Traitor Drumpf must HANG! by Anonymous Coward · · Score: 0

    Any day that the US gov't is shut down is a good day. It's too big, too powerful, and too evil.

  4. For that kind of money by nehumanuscrede · · Score: 5, Interesting

    I hope the aforementioned companies are paying their own engineers well.

    Once bounties get this high, the thought would cross the minds of many to build in a vulnerability for use later on.

    Then again, I suppose the various three letter agencies with their unlimited budgets probably have an engineer or
    several on the payroll already. . . .

    1. Re:For that kind of money by Aighearach · · Score: 1

      Why wait for the engineers to build it in, why not just include it as a feature from the start?

      Or does that only work for privately held companies?

    2. Re:For that kind of money by s_p_oneil · · Score: 2

      "I'm gonna write me a new mini-van this afternoon!" (https://dilbert.com/strip/1995-11-13)

    3. Re:For that kind of money by Powercntrl · · Score: 1

      I hope the aforementioned companies are paying their own engineers well.

      Yeah, because the fear of getting caught clearly doesn't factor in. It wouldn't take a genius to catch someone attempting to cash in on their own "exploit", and I'm sure these companies have some very expensive lawyers which could make your life really miserable.

      --
      DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
    4. Re:For that kind of money by Anonymous Coward · · Score: 0

      People get caught all the time, nothing comes of it if they're above the law - https://www.cnn.com/videos/politics/2019/01/07/trump-border-sarah-sanders-brianna-keilar-pushing-lies-crn-vpx.cnn

    5. Re:For that kind of money by Anonymous Coward · · Score: 0

      You use these vulnerabilities to steal more vulnerabilities.

      It's vulnerabilities all the way down

    6. Re:For that kind of money by TheGratefulNet · · Score: 1

      I'm guessing that every company that has a worthwhile target in their product offering has a mole or two in their employ.

      I'd go farther: a known set of moles and an unknown (to the company) set.

      this includes the build system and binary modules. hardware has its analogs, too.

      yes, we *are* post-snowden. and we damned well know it.

      --
      "It is now safe to switch off your computer."
    7. Re:For that kind of money by MrKaos · · Score: 1

      Why wait for the engineers to build it in, why not just include it as a feature from the start?

      Or does that only work for privately held companies?

      This is the point of Australia's Assistance Access bill that the US can access via intelligence sharing arrangements.

      --
      My ism, it's full of beliefs.
    8. Re:For that kind of money by Anonymous Coward · · Score: 1

      Hacks are NOT sold - they are strictly licensed. Will one intel agency tip off other agencies or share the details? You bet.
      Australian leaked Swedish propeller designs to USA the moment they got them, then lied about it - so Australia is not trustworthy. USA stole IP off the guy who had the patent on optic fiber taps without paying until caught.

      Anyway at 1-2 Million, it is now worthwhile to use a STM, shaving all chips, laser test point taps and lithium niobate to take hidden code and work on it and nab the keys. As stated elsewhere the bios/security routines are trash. So is this nonsense about security when the govt sides with the dark forces, and does not close all CVEs when discovered.

      State level testing is where the money is - protocol checking is still sheet.

    9. Re:For that kind of money by misnohmer · · Score: 1

      Not even close. Someone can compromise an algorithm or "forget" an equals sign or any other compromises which are not obvious to prove as intentional. The person who cashes in is going to cash their reward in secret, the companies who buy the exploits do not broadcast them to the public.

      Also, I guarantee you that security researchers in the past have found vulnerabilities in the code written by people they know - a lot of security guys know each other already from conferences, academia, working for the same company, or inter-company partnerships. Security community doesn't change that fast, what changes most often is who they work for (hence whenever they meet at conferences, one of the first questions is "who do you work for today?").

    10. Re:For that kind of money by misnohmer · · Score: 1

      That is a new business model for a startup. Pay for exploits to be inserted, then sell them.

    11. Re:For that kind of money by MrKaos · · Score: 1

      Hacks are NOT sold - they are strictly licensed. Will one intel agency tip off other agencies or share the details? You bet.

      You really missed the point about there now being a legal avenue to do this.

      --
      My ism, it's full of beliefs.
    12. Re:For that kind of money by Spamalope · · Score: 1

      And how many of them monetize that properly?
      A counter-intel team that sells the exploits they find so the group is self funding, then waits juuuust long enough they'll be able to sell the next time before patching.
      Done right that could be an intentional extra revenue stream. It's not like these companies have any ethics to complicate matters.

    13. Re:For that kind of money by Anonymous Coward · · Score: 0

      Nope there always was a legal avenue. The term Goldhat has been around for ages. Many in CERT jumped ship when pay scales failed to reward brilliance. There is also darknet, and auctions have taken place.
      Physically exporting taking a box may be a different matter, and they are touchy about intrusion detection software.

      The advantage of a big player is they should be better at enforcing licencing breaches, and sharing ROM dumps to accelerate discovery. 2Pin serial eeproms and hiding stuff in the battery management board are some of the tricks used. Now the same firm can share STM images and lithium niobate traces.

    14. Re:For that kind of money by MrKaos · · Score: 1

      Nope there always was a legal avenue.

      I don't disagree with the point you are making however the point I'm making is there has never been a legal mechanism for government to compel a software company into installing "front-doors" into their software products specifically for government to use until the law was passed at the end of 2018. There has never been a legal mechanism for government to coerce information technologists with fines and jail terms for not co-operating until now.

      --
      My ism, it's full of beliefs.
  5. Re: Traitor Drumpf must HANG! by Anonymous Coward · · Score: 0

    You're saying 10-30 million Americans who pick up trash, sweep floors, sterilize instruments, calculate mortgage rates, catch criminals, process rape kits, trace stolen guns, save children from drug addict parents are evil?

    You're a fucking moron. Get the fuck out of my country, don't visit, don't write. You don't fix the problems of America's overreaching government by NOT dealing with it, all this does is freeze the current policy in place and fuck up worse.

    Mindless cowards who want to play Libertarian nihilist faggot games need to walk the plank. Basta, traitors. America is going to be great again - we're going to hang some fucking traitor Republican scumbags. Booya.

  6. Re:Traitor Drumpf must HANG! by Anonymous Coward · · Score: 0

    orange man bad

  7. Spies?!? by Known+Nutter · · Score: 1

    If you're conducting your secret spy business on WhatsApp and SMS, you're doing it wrong. I may not know the right way, exactly, but I think it looks more like NCIS: Los Angeles than it does WhatsApp.

    --
    Beware of the Leopard.
    1. Re:Spies?!? by Aighearach · · Score: 1

      Pigeons. Definitely pigeons.

    2. Re:Spies?!? by Anonymous Coward · · Score: 0

      Pigeons with tiny vodka bottles wearing leather jackets and blue jeans and riding around in tiny black mercedes m-class with tinted windows listening to dubstep. You know, pigeons.

  8. Mueller? Ready. by Anonymous Coward · · Score: 0

    Bad? Objectively. Liar? Ubiquitously. Traitor? Provably. Putin? Loving every minute, you treasonous faggot.

    Which would you prefer, the gallows or the firing squad? Traitors hang. Choice made.

    1. Re: Mueller? Ready. by Anonymous Coward · · Score: 0

      Fuck off commie. You brown butthole aoc lovin' pos. I will end u fag

  9. Re:Traitor Drumpf must HANG! by Anonymous Coward · · Score: 0

    Like Dotard and Rocket Man, at Singapore.

  10. Re: Traitor Drumpf must HANG! by Anonymous Coward · · Score: 0

    Elections have consequences and the more people suffer, the more they might pay some fucking attention to who they're voting for, next time. Make no mistake about it, this shutdown is because there's a big baby in the White House who is throwing a tantrum because mommy and daddy won't buy him a wall.

  11. Kashoggi killing by Anonymous Coward · · Score: 0, Interesting

    Consider the Kashoggi killing, which was likely a WhatsApp video call between Prince MBS and the torture team. WhatsApp is always pretend secure, but they forget who owns it, so they use it thinking it's secure.

    Only Skype and Whatsapp are unblocked in Saudi Arabia, and Jared Kushner has a backchannel to Prince MBS via WhatsApp.... since the henchmen of the Saudi prince would fit in with the prince, it follows that they would also be using WhatsApp rather than Skype. (I've seen claims it was Skype, but those claims don't hold water, Skype is known to be backdoored).

    How else do they have both sides of a two way conversation, including video, including Kashoggi screaming as they cut him up, and know that the prince was definitely involved?

    If you cut someone up alive, then it's for show. If it's for show it's for the client. We know the client was MBS, Jared's buddy. So we know the snuff show was done live for MBS.

    And the remaining questions: Why did Trump and Jared help MBS cover it up, why did Kashoggi get banned from Saudi Arabia after the critical press conference of Trump, and was Jared involved in the torture/murder? I.e. how come a US reporter can be murdered with clear evidence and Trump helps conceal the murder.

    1. Re: Kashoggi killing by Anonymous Coward · · Score: 0

      Haha! Now *that* is a conspiracy soliloquy

    2. Re: Kashoggi killing by Anonymous Coward · · Score: 0

      Orange man BAD!!!!1!!

    3. Re: Kashoggi killing by Anonymous Coward · · Score: 0

      Orange traitor tortured then hung for treason.

    4. Re:Kashoggi killing by Anonymous Coward · · Score: 1

      Get your facts straight. Khashoggi was NOT a US citizen.

    5. Re: Kashoggi killing by Anonymous Coward · · Score: 0

      No one said he was a US citizen. He was a legal US resident and an employee of a US paper. Hence, he was a US reporter.

      So fuck off, you mud flinging whataboutist.

    6. Re: Kashoggi killing by Anonymous Coward · · Score: 0

      Go home, Comrade Wang. Your bleating grows tiresome.

  12. Re: Traitor Drumpf must HANG! by Anonymous Coward · · Score: 0

    I want a wall. I care nothing about the government being shut down, it doesn't affect me. IMO keep it closed down till the entire wall is funded.

  13. Re: Traitor Drumpf must HANG! by Anonymous Coward · · Score: 0

    10 to 30 million doing the work of 100 to 300 thousand. Yeah - real useful.

  14. Re: Traitor Drumpf must HANG! by Anonymous Coward · · Score: 0

    The message above was brought to you by the Committee to Reelect Donald Trump in 2020.

    Remember voters - Democrats are deranged, mean-spirited wingnuts whose idea of political debate is hurling childish insults. Compared to Democrats President Trump is grown up, kind hearted, and a serious intellectual.

    Vote TRUMP in 2020 - for common decency!

  15. Re: Traitor Drumpf must HANG! by Anonymous Coward · · Score: 0

    Nobody cares what treasonous nazi eunuchs want. You will be hanged. Adults are taking back the government, Trump is a traitor. You are a traitor's faggot little bitchmop. The government > what you want, deplorable faggots.

  16. Re: Traitor Drumpf must HANG! by Anonymous Coward · · Score: 0

    https://www.nbcnews.com/politics/immigration/only-six-immigrants-terrorism-database-stopped-cbp-southern-border-first-n955861 - FACTS MATTER BITCH TRAITORS.

  17. It's almost tempting by raymorris · · Score: 1

    I've been doing computer security for over 20 years.
    A million bucks might be tempting if I didn't already have a job I like, and what some would call an overinflated sense of ethics.

    1. Re:It's almost tempting by TheGratefulNet · · Score: 1

      how safe can your life be, if you are perceived to be that valuable or that dangerous to party A or B or C?

      personally, I'm glad I don't know that much ;)

      --
      "It is now safe to switch off your computer."
  18. factory p0wned by Anonymous Coward · · Score: 0

    I think it should be fairly obvious to all that any popular software produced by an American company is going to be factory p0wned by Uncle Sam. Likewise Chinese and Russian software by their respective governments.

    Don't believe the hype. If it's a mobile device, it's insecure.

    1. Re: factory p0wned by Anonymous Coward · · Score: 0

      Lots of stupid things seem fairly obvious to idiots.

  19. Re:Traitor Drumpf must HANG! by Anonymous Coward · · Score: 0, Interesting

    Of course be sure to mark this -1 because Anti-President Trump folks don't like facts.

    Even though I'm a Blue Dog Democrat, I'm sick and tired of all the Anti-Trump crap on this website. It's about as productive as the new Democrat-led House passing legislation that will never get voted on in the Senate or signed by the President.

    Take tax dollars and build a one way bridge to what you think is a better country and don't come back. Otherwise, next time around get better candidates to run. BTW, I voted for Trump, I wanted to shake things up and see what happens, like my party's flip-flopping on Illegal Immigration, and yes I have citations to back up such claims which people will go ahead and deny because of this source or that source. Facts are sticky things.

    -GeekPoet

  20. Spies or Cops by dohzer · · Score: 1

    So they're only interested in ones for spies and cops, not just the average joe using an exploit?

    1. Re:Spies or Cops by Anonymous Coward · · Score: 0

      Not sure how "allow" became "only for" in your head. If I'm looking for a truck that allows me to carry a washing machine, then that's a minimum requirement. It doesn't mean that the truck is only for carrying a washing machine.

    2. Re:Spies or Cops by Anonymous Coward · · Score: 0

      It's right in the rhetoric. First off, it means exactly zilch on actual content. But then, it says lots about the speakers and their attitude. They could've asked for "exploits", the usual term. But no, they had to ask for "hacks!" which is the purview of "hackers!", those very special people who do this "hacking!" thing.

      What's so special about "hacks!"? Well, it's because only very special people called "hackers!" can do that. So you can use that either to imply you're somewhat safe-ish because only "hackers!" can handle "hacks!", or you can imply that you cannot possibly defend against those "hacks!" because those "hackers!" with their "hacking!" are all-powerful by dint of being the big unknown in your threat model. Certainly if they're the only variable in your entire threat model. An unknowable variable because you don't actually know what "hacking!" is. Nor do you particularly want to know.

      It's modern-day digital-age cyber-shamanism: You don't know what these people can do, so you assume they can do everything, their produce is obviously worth a lot. Or rather, you appease them with valuable offerings.

      It's not even (just) in GP's head. It's in the heads of the people running those bounty programs. And the journalists reporting on it. And BeauHD's pretty little head.

  21. time to quit my job by Anonymous Coward · · Score: 0

    these rates are looking good

  22. Whoever you provide "security" for must be dumbAF by Anonymous Coward · · Score: 0

    Nazi homosexual recruiter RAY MORRIS pushing debunked Nazi propaganda even after corrected, #ROPE

    You're not only a gullible faggot, you're a low IQ nazi pussy Ray. Your security chops are childlike at best. Literally, children know more about it than you. Riding your own hypothetical coattails goes nowhere, you fucking idiot lol.

    Get fucked to pieces like your traitor Fuhrer in about 6 months.

  23. So, uhm-- this 4th amendment thing... by wierd_w · · Score: 0

    You know, this thing?

    https://constitutioncenter.org...

    I am fairly certain that personal correspondence, which would be the modern equivalent of "papers" mentioned explicitly in the amendment, is something that cannot be obtained without a warrant.

    That is, unless the constitution is NOT a "Living document" that gets reinterpreted to suit modern climates and courts... and only paper based correspondence is covered explicitly.

    Oh, who the fuck am I kidding; The clowns are running the circus, and there are no constitutional rights anymore. Just velvet glove authoritarianism.

  24. Yep by Dunbal · · Score: 4, Insightful

    America, where only the government is allowed to break the law.

    --
    Seven puppies were harmed during the making of this post.
    1. Re: Yep by astrofurter · · Score: 1

      In Soviet America law breaks you!

    2. Re:Yep by mlw4428 · · Score: 1

      They wouldn't be so easily able to do this if corporations and for-profit companies didn't work to throw the American citizen under the bus in the name of $$$$PROFITS$$$$. It seems to me the real issue is that these companies are allowed to exist at all.

  25. You know not everyone is a US citizen, right? by Goonie · · Score: 2

    The US government can surveil me and the other 7.4 billion-odd people who aren't US citizens whenever it damn well pleases, no warrant required.

    --
    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
    1. Re:You know not everyone is a US citizen, right? by wierd_w · · Score: 0

      Oh, I understand that they can and do, and that yes, the vast majority of the world population does not live in the US.

      That does not give my government the right to do so. (Or, to "Trade favors" with other governments to circumvent these restrictions. >.> Looking at you GCHQ in the UK... )

      I am sure it makes you feel morally superior to point obvious facts like this, but you are missing the point; These people (companies) are paying monetary bounties to enable the local police forces (who are SUPPOSED to be upholding constitutional law) to perform unlawful searches, presumably because the police (and often the feds as well) are dropping fat doses of velvet glove authoritarianism, and are willing to pay a lot for their fix.

      The intended group being surveilled is indeed US citizens. That the rest of the world can be likewise observed is just the nice excuse they use for attaining the technology.

      You are mistaking my assertion of "They are not allowed to do this" for "Derp, I think the rest of the world is a state owned by the US! HERP!", when in fact, I am asserting "They were forbidden to do this for important reasons, and those reasons should not stop at the border; they should not do it anywhere."

    2. Re:You know not everyone is a US citizen, right? by Anonymous Coward · · Score: 0

      AFAIK constitutional rights apply to everyone unless it says differently in the wording. I'm sure there are more legitimate sources than this: https://www.maniatislawoffice.com/blog/2018/08/do-non-citizens-have-constitutional-rights.shtml . But can't be bothered to look for them right now.

    3. Re: You know not everyone is a US citizen, right? by c6gunner · · Score: 1

      These people (companies) are paying monetary bounties to enable the local police forces (who are SUPPOSED to be upholding constitutional law) to perform unlawful searches

      That's your assumption, which you pretty much pulled out of your ass. As the other guy pointed out, TLAs can use these to conduct lawful surveillance outside of your country. Additionally local police and TLAs can make use of this tech to surveil citizens legally, by first obtaining a warrant.

      The fact that any given technology can be abused does not mean that it does not have legitimate uses. It's just that when you're paranoid you always tend to see only the potential for abuse.

    4. Re: You know not everyone is a US citizen, right? by Anonymous Coward · · Score: 0

      These people (companies) are paying monetary bounties to enable the local police forces (who are SUPPOSED to be upholding constitutional law) to perform unlawful searches

      That's your assumption, which you pretty much pulled out of your ass. As the other guy pointed out, TLAs can use these to conduct lawful surveillance outside of your country. Additionally local police and TLAs can make use of this tech to surveil citizens legally, by first obtaining a warrant.

      The fact that any given technology can be abused does not mean that it does not have legitimate uses. It's just that when you're paranoid you always tend to see only the potential for abuse.

      yeah like Fisa stuff... amurican citizens are wonderfully spied upon...

    5. Re:You know not everyone is a US citizen, right? by Anonymous Coward · · Score: 0

      No matter where in the world you live, government is the enemy .

      Don't ever think otherwise!

  26. and will the law enforcement dmca exempt cover by Joe_Dragon · · Score: 1

    and will the law enforcement dmca exemption cover this or are there too many subcontractors in the mix?

  27. Re: Mueller? Ready. by Anonymous Coward · · Score: 0

    End a book, illiterate traitor bitch.

  28. Re: Traitor Drumpf must HANG! by Anonymous Coward · · Score: 0

    Killing Trump for his crimes will be the greatest decency this country has ever shown. Traitors hang, but Trump should burn while hanging to keep the treason stank from ruining the entire gallows. We need them clean for Don Jr and Ivanka.

  29. Re: Traitor Drumpf must HANG! by Anonymous Coward · · Score: 0

    Give it a rest, Comrade Wang.

  30. hilarious (ab)use by Anonymous Coward · · Score: 0

    Hey remember when going through someone's private messages was illegal?

    Yeah it's almost like some really smart people knew how to keep people safe, thus setting up safeguards

    Then we pretended electronic messages were different than physical messages because ease of access makes policing good for everyone (?)

  31. Re: Traitor Drumpf must HANG! by Anonymous Coward · · Score: 0

    Mommy said your tendies are ready upstairs. Don't forget to turn off the basement light!

  32. Setec astronomy. by Anonymous Coward · · Score: 0

    There's a fair number of people out there with money on the level of George Soros.

    It would be nice if even just one of them would spend a bunch of their money buying up all these exploits, just to put them up on a public repository and send copies to the developers of the affected software and systems.

    Why is it that all the billionaires who want to change the world want to do it in all the wrong ways?

  33. Everyone but Signal by Anonymous Coward · · Score: 0

    Of course they're willing to pay for WhatsApp and iMessage, but there's no need to pay for Signal because they already hand over your private keys to the NSA voluntarily, and I have proof.

    If you know what to search for, you'll find it.