AS IOS AND Android mature, the stand-off between platforms and hackers escalates in kind. Each release brings new security measures, while those who want to break in—nation-state intelligence agencies and law enforcement among them—redouble their efforts. And one security startup that buys and sells exploits is offering to pay more than ever for exclusive access to premium vulnerabilities.
On Thursday, exploit broker Zerodium announced that its bug bounty for zero-day (previously undisclosed) exploits now tops out at $1.5 million for Apple’s new iOS 10. That’s a big jump over last year’s $1,000,000 max, and it’ll go to anyone who can pull off a remote jailbreak of the iPhone’s latest operating system.
In 2015, Zerodium’s inaugural year, top iOS 9 bugs went for $500,000, while Android and Windows Phone flaws could command up to $100,000. (Under this year’s revised pricing, Android 7 Nougat zero-day exploits will fetch up to $200,000.) But last fall Zerodium also offered a limited-time $1 million bounty on iOS vulnerabilities. The company said at the time that it was willing to pay out multiple $1 million rewards, but only one group of hackers ended up claiming the full amount.
This year, Zerodium will offer the full $1.5 million bounty permanently, not just for a short duration. “We’ve increased the price due to the increased security for both iOS 10 and Android 7,” company founder Chaouki Bekrar wrote to WIRED. “We would like to attract more researchers all year long.”
There’s been an uptick in news about iOS zero days lately, and smartphone security generally, thanks in no small part to the FBI’s very public dispute with Apple earlier this year. And while the act of jailbreaking an iPhone remains relatively accessible—a respected teen hacker claimed to have successfully jailbroken iOS 10 within a few days of release—doing so elegantly and remotely takes significant time and resources. Zerodium’s pricing reflects that.
Bekrar says that Zerodium’s clients are mostly North American governments and corporations, and a few government agencies in “allied countries.” He is also the founder of the French hacking firm Vupen, which expressly works to develop software intrusion techniques to sell to private clients—especially governments—worldwide.
Zerodium’s increased bounty comes two months after Apple announced its own bug bounty program. The tech giant is one of the last major companies to offer such an incentive, but says it will pay up to $200,000 for vulnerabilities in Apple’s secure boot firmware components. That’s the biggest corporate payout currently on offer, though still a fraction of what Zerodium will pay.
Bekrar says his company’s price shift is unrelated to Apple’s bounty program. He tweeted that while Apple prizes vulnerabilities in iOS’s Secure Boot and Secure Enclave first-line defenses, Zerodium is more interested in browser and kernel exploits. He also told WIRED, “Apple’s bounty is private and invite-only, it cannot compete with our bounty which is open to all and available all year long.” Apple’s bug bounty program is only available to certain researchers for now.
Bekrar’s companies do controversial work that civil liberties and privacy advocates say contributes to the spread of cyberwar and wrongful surveillance. But, for better or worse, business seems to be good. “We hope to receive multiple submissions for the iOS bounty, as we can afford to buy many of them for $1.5M each,” he told WIRED.
In a way, yes, it’s a little alarming that there’s so much incentive for someone to crack the iPhone. Then again, this also means it’s that much harder to crack.