The $1 million iOS bug bounty is bad for security research

22 Sep 2015

A $1 million reward per working exploit, from a $3 million pool, for remotely compromising Apple’s iOS 9.

Zerodium, a broker that buys zero-day exploits and resells them to government agencies, is the organisation dangling the dollars. The company announced on Monday, a few days after the release of the new iPhone software, that it will pay $1 million to anyone able to crack Apple’s recently launched iOS 9, which Zerodium’s own website calls “the world’s most secure mobile OS.” It is believed to be the largest zero-day bounty ever offered. “Apple iOS, like all operating systems, is often affected by critical security vulnerabilities, however due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple’s iOS is currently the most secure mobile OS,” the company stated in its blog post. “But don’t be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here’s where the Million Dollar iOS 9 Bug Bounty comes into play.”

Zerodium was founded this past summer by Chaouki Bekrar, a well-known merchant of zero-day exploits: code that attacks previously unknown software vulnerabilities. Bekrar also founded the controversial French firm Vupen, a brokerage built on buying zero-day exploits and selling them to governments. Apple, which is often lauded for its tight security, did not immediately respond to Fortune’s request for comment. (In an unrelated and rare lapse for the company, malware-laced apps recently made their way into its App Store in China.)

Recently we have seen something of a spike in Apple-related threats, so one might hope that a bounty which encourages researchers to disclose what they find rather than exploit it would be a positive development. Zerodium and Vupen, however, are built on the opposite model: neither discloses the vulnerabilities it buys to the affected vendors, such as Apple, Google or Microsoft. The program is open until October 31, and may be terminated before then if the total payout to researchers reaches $3 million, the company says.

Wired’s Andy Greenberg reports: Bekrar’s past customers for such undisclosed hacking techniques have included the NSA as well as other NATO countries and “NATO partners” that Bekrar declines to name. When the so-called Stagefright vulnerability, which affected Google’s Android operating system, went public earlier this year, Bekrar said he would have paid the researcher who discovered the flaw $100,000 for it. Christopher Soghoian, chief technologist at the American Civil Liberties Union, has referred to such businesses as “modern-day merchants of death,” since it can be difficult to keep track of where sold exploits end up and just as hard to prevent them from falling into the hands of oppressive regimes. Bekrar declined to identify any of Zerodium’s potential customers, but he has previously revealed that they are limited to certain government agencies. The zero-day trade usually operates out of the public spotlight, although the recent hacking of the Italian spyware firm Hacking Team exposed some of its inner workings through leaked emails and other documents. To claim the prize, which is the largest on record for an exploit of this sort, hackers must demonstrate that they can remotely take control of the latest iOS devices, such as the iPhone 6s or the new iPads.

For a full rundown of the rules and stipulations, see Zerodium’s website. “For obvious security reasons, ZERODIUM does not maintain any web infrastructure dedicated to zero-day submissions. All submissions to ZERODIUM must be achieved through encrypted emails,” the website states (where one might expect a submission form). “We reserve the right, at our sole discretion, to make or to not make an offer to acquire a vulnerability for any/no reason.” Katie Moussouris, chief policy officer at the bug bounty startup HackerOne, told Fortune via email that such high prices for zero-day exploits could cause problems for tech companies attempting to secure their products. “These are not generally sustainable reward levels for defensive markets,” she wrote, “due to the difficulty in maintaining the necessary developer and tester employees who might just leave their day jobs if bounties like this are more common.”
