What is the current state of iOS security? According to exploit acquisition firm Zerodium, iOS security is not doing that great anymore.
Five years ago, Zerodium was offering a reward of $1 million for a browser-based, untethered jailbreak in iOS 9. Now the company says it will not pay anything at all for some iOS bugs. Why? Because there is an oversupply.
“We will NOT be acquiring any new Apple iOS LPE [local privilege escalation], Safari RCE [remote code execution], or sandbox escapes for the next two to three months due to a high number of submissions related to these vectors,” Zerodium said in a tweet. In addition, prices for iOS one-click chains without persistence, for instance in Safari, will likely drop in the near future.
What is the current price for iOS exploits?
Zerodium’s price list shows that Safari remote code execution and local privilege escalation flaws had been eligible for payments of up to $500,000. A more thorough exploit, such as a zero-click iOS full chain with persistence, can cost up to $2 million, if the exploit broker accepts it.
Apparently, iOS 13 has consistently had issues. The operating system has had 12 updates since its initial release in September 2019. Most of the updates had no cited CVEs, researchers point out.
In short, “iOS Security is fucked,” according to a tweet by Zerodium’s founder Chaouki Bekrar.
“Only [Pointer Authentication Codes] and non-persistence are holding it from going to zero…but we’re seeing many exploits bypassing PAC, and there are a few persistence exploits (0days) working with all iPhones/iPads. Let’s hope iOS 14 will be better,” Bekrar added in the same tweet.
The market for mobile exploits shifted last September, when Zerodium stated it would pay more for Android bugs than iOS bugs. An Android zero-click exploit chain that requires no user interaction could get researchers a payout of up to $2.5 million, whereas the same exploit chain in iOS was estimated at $2 million.
Compared with what Zerodium was offering in 2018, the price for Android exploits has jumped many times over, as the payout used to be up to $200,000.
Considering the nature of Zerodium’s work, the price changes may be linked to the growing interest in Android exploits from law enforcement and government agencies.