Slashdot Mirror


Companies Are Now Offering Seven Figures For Hacks That Allow Spies, Cops To Steal Chat App Messages (vice.com)

Zerodium, a startup that buys and sells hacking tools and exploits to governments around the world, announced on Monday price increases for almost everything they are looking for, such as iOS remote jailbreaks and Windows exploits. "It said it will now pay security researchers $1,000,000 for exploits in WhatsApp, iMessage, and SMS/MMS apps for all mobile operating systems," reports Motherboard. From the report: Compromising the whole iPhone, sometimes referred to as remote jailbreaking or rooting the phone, can cost $2 million or more, and usually involves a series of bugs and exploits. The price increase shows that mobile devices in general are getting more and more secure, and thus harder to hack. That means that it's becoming increasingly hard for hackers to break into iOS and Android devices. That makes the life of folks like spy agencies and police departments harder too. That's where Zerodium and other similar companies, such as Azimuth and Crowdfense, come in: they act as intermediaries between security researchers and government agencies looking for tools -- often called zero-days -- to break into targets. Before today, Zerodium was willing to pay $500,000 for WhatsApp and iMessage exploits, according to an archived version of the company's site. These new prices are in line with the market, according to Maor Shwartz, who used to run a company that acquired and sold exploits to government agencies.

25 of 73 comments

  1. For that kind of money by nehumanuscrede · · Score: 5, Interesting

    I hope the aforementioned companies are paying their own engineers well.

    Once bounties get this high, the thought would cross the minds of many to build in a vulnerability for use later on.

    Then again, I suppose the various three letter agencies with their unlimited budgets probably have an engineer or
    several on the payroll already. . . .

    1. Re:For that kind of money by Aighearach · · Score: 1

      Why wait for the engineers to build it in, why not just include it as a feature from the start?

      Or does that only work for privately held companies?

    2. Re:For that kind of money by s_p_oneil · · Score: 2

      "I'm gonna write me a new mini-van this afternoon!" (https://dilbert.com/strip/1995-11-13)

    3. Re:For that kind of money by Powercntrl · · Score: 1

      I hope the aforementioned companies are paying their own engineers well.

      Yeah, because the fear of getting caught clearly doesn't factor in. It wouldn't take a genius to catch someone attempting to cash in on their own "exploit", and I'm sure these companies have some very expensive lawyers which could make your life really miserable.

      --
      DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
    4. Re:For that kind of money by TheGratefulNet · · Score: 1

      I'm guessing that every company that has a worthwhile target in their product offering, has a mole or two in their employ.

      I'd go farther: a known set of moles and an unknown (to the company) set.

      this includes the build system and binary modules. hardware has its analogs, too.

      yes, we *are* post-snowden. and we damned well know it.

      --
      "It is now safe to switch off your computer."
    5. Re:For that kind of money by MrKaos · · Score: 1

      Why wait for the engineers to build it in, why not just include it as a feature from the start?

      Or does that only work for privately held companies?

      This is the point of Australia's Assistance Access bill that the US can access via intelligence sharing arrangements.

      --
      My ism, it's full of beliefs.
    6. Re:For that kind of money by Anonymous Coward · · Score: 1

      Hacks are NOT sold - they are strictly licensed. Will one intel agency tip off other agencies or share the details? You bet.
      Australia leaked Swedish propeller designs to USA the moment they got them, then lied about it - so Australia is not trustworthy. USA stole IP off the guy who had the patent on optic fiber taps without paying until caught.

      Anyway at 1-2 Million, it is now worthwhile to use an STM, shaving all chips, laser test point taps and lithium niobate to take hidden code and work on it and nab the keys. As stated elsewhere the bios/security routines are trash. So is this nonsense about security when the govt sides with the dark forces, and does not close all CVEs when discovered.

      State level testing is where the money is - protocol checking is still sheet.

    7. Re:For that kind of money by misnohmer · · Score: 1

      Not even close. Someone can compromise an algorithm or "forget" an equals sign or any other compromises which are not obvious to prove as intentional. The person who cashes in is going to cash their reward in secret, the companies who buy the exploits do not broadcast them to the public.

      Also, I guarantee you that security researchers in the past have found vulnerabilities in the code written by people they know - a lot of security guys know each other already from conferences, academia, working for the same company, or inter-company partnerships. Security community doesn't change that fast, what changes most often is who they work for (hence whenever they meet at conferences, one of the first questions is "who do you work for today?").

    8. Re:For that kind of money by misnohmer · · Score: 1

      That is a new business model for a startup. Pay for exploits to be inserted, then sell them.

    9. Re:For that kind of money by MrKaos · · Score: 1

      Hacks are NOT sold - they are strictly licensed. Will one intel agency tip off other agencies or share the details? You bet.

      You really missed the point about there now being a legal avenue to do this.

      --
      My ism, it's full of beliefs.
    10. Re:For that kind of money by Spamalope · · Score: 1

      And how many of them monetize that properly?
      A counter-intel team that sells the exploits they find so the group is self funding, then waits juuuust long enough they'll be able to sell the next time before patching.
      Done right that could be an intentional extra revenue stream. It's not like these companies have any ethics to complicate matters.

    11. Re:For that kind of money by MrKaos · · Score: 1

      Nope there always was a legal avenue.

      I don't disagree with the point you are making however the point I'm making is there has never been a legal mechanism for government to compel a software company into installing "front-doors" into their software products specifically for government to use until the law was passed at the end of 2018. There has never been a legal mechanism for government to coerce information technologists with fines and jail terms for not co-operating until now.

      --
      My ism, it's full of beliefs.
  2. Spies?!? by Known+Nutter · · Score: 1

    If you're conducting your secret spy business on WhatsApp and SMS, you're doing it wrong. I may not know the right way, exactly, but I think it looks more like NCIS: Los Angeles than it does WhatsApp.

    --
    Beware of the Leopard.
    1. Re:Spies?!? by Aighearach · · Score: 1

      Pigeons. Definitely pigeons.

  3. It's almost tempting by raymorris · · Score: 1

    I've been doing computer security for over 20 years.
    A million bucks might be tempting if I didn't already have a job I like, and what some would call an overinflated sense of ethics.

    1. Re:It's almost tempting by TheGratefulNet · · Score: 1

      how safe can your life be, if you are perceived to be that valuable or that dangerous to party A or B or C?

      personally, I'm glad I don't know that much ;)

      --
      "It is now safe to switch off your computer."
  4. Spies or Cops by dohzer · · Score: 1

    So they're only interested in ones for spies and cops, not just the average joe using an exploit?

  5. Yep by Dunbal · · Score: 4, Insightful

    America, where only the government is allowed to break the law.

    --
    Seven puppies were harmed during the making of this post.
    1. Re: Yep by astrofurter · · Score: 1

      In Soviet America law breaks you!

    2. Re:Yep by mlw4428 · · Score: 1

      They wouldn't be so easily able to do this if corporations and for-profit companies didn't work to throw the American citizen under the bus in the name of $$$$PROFITS$$$$. It seems to me the real issue is that these companies are allowed to exist at all.

  6. You know not everyone is a US citizen, right? by Goonie · · Score: 2

    The US government can surveil me and the other 7.4 billion-odd people who aren't US citizens whenever it damn well pleases, no warrant required.

    --
    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
    1. Re: You know not everyone is a US citizen, right? by c6gunner · · Score: 1

      These people (companies) are paying monetary bounties to enable the local police forces (who are SUPPOSED to be upholding constitutional law) to perform unlawful searches

      That's your assumption, which you pretty much pulled out of your ass. As the other guy pointed out, TLAs can use these to conduct lawful surveillance outside of your country. Additionally local police and TLAs can make use of this tech to surveil citizens legally, by first obtaining a warrant.

      The fact that any given technology can be abused does not mean that it does not have legitimate uses. It's just that when you're paranoid you always tend to see only the potential for abuse.

  7. and will the law enforcement dmca exempt cover by Joe_Dragon · · Score: 1

    and will the law enforcement dmca exempt cover this or are there too many subcontractors in the mix?

  8. Re:pointless by phantomfive · · Score: 1

    The point isn't to patch the backdoor. The point is to exploit it. This is a company that sells exploits to government agencies (presumably. They don't tell who their customers are, so it could be to the mafia, too).

    --
    "First they came for the slanderers and i said nothing."
  9. Re:Kashoggi killing by Anonymous Coward · · Score: 1

    Get your facts straight. Khashoggi was NOT a US citizen.