Five years ago, Zerodium offered a $1m reward for a browser-based, untethered jailbreak in iOS 9. On Wednesday, the software exploit broker said it won't pay anything for some iOS bugs due to an oversupply.
"We will NOT be acquiring any new Apple iOS LPE [local privilege escalation], Safari RCE [remote code execution], or sandbox escapes for the next two to three months due to a high number of submissions related to these vectors," the company said via Twitter. "Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future."
According to the firm's most recent price list, Safari RCE+LPE bugs had been eligible for payments of up to $500,000. A more comprehensive exploit, like a zero-click iOS FCP [full chain with persistence] flaw, should still qualify for a payout of up to $2m, if the company accepts it.
"iOS Security is fucked," said Zerodium's founder Chaouki Bekrar via Twitter. "Only [Pointer Authentication Codes] and non-persistence are holding it from going to zero...but we're seeing many exploits bypassing PAC, and there are a few persistence exploits (0days) working with all iPhones/iPads. Let's hope iOS 14 will be better."
Apple's iOS 13 has been particularly buggy, enough that SVP of software engineering Craig Federighi reportedly overhauled the company's internal software testing process to avoid a repeat when iOS 14 arrives later this year. The mobile OS has had 12 updates (about half with no cited vulnerabilities, or CVEs) since its release in September 2019.
If it feels like the software world is held together by string and a prayer, we don't blame you: Facebook SDK snafu breaks top iOS appsREAD MORE
The market for iOS vulnerabilities took a hit last September when Zerodium said for the first time that it would pay more for flaws in Android than in iOS. That was a month after Google's Project Zero disclosed five privilege escalation exploit chains affecting iOS versions 10-12.
Shortly after that, in December last year, Apple opened its bug bounty program, invitation-only since 2016, to the public. The phone-and-computer biz offers potential payouts of varying amounts, up to $1m (Network Attack without User Interaction: Zero-Click Kernel Code Execution with Persistence and Kernel PAC Bypass).
Neither Apple nor Zerodium responded to requests for comment.
Ryan Narraine, security strategist for Intel, dismissed Zerodium's remarks as "pure PR/marketing shenanigans" and characterized them as trolling.
Asked whether Zerodium's statement reflects the actual state of iOS security or should be taken as a company just trying to make waves, Patrick Wardle, principal security researcher at Jamf Security and founder of Objective-See, told The Register that it's probably a bit of both.
"To iOS security researchers/hackers, it's unlikely that Zerodium's statement comes as a surprise," he said. "iOS, is just another operating system, meaning it will have exploitable bugs. And yes, they may be harder to (remotely) exploit, but we've seen it fall time and time again (as both Google Project Zero and groups such as NSO have shown)."
But he suggested the claimed oversupply of vulnerabilities may also be a consequence of the current global health crisis. "There are likely a lot of hackers stuck at home with extra time on their hands, or perhaps who have lost their jobs or are in a financial squeeze, as is a large portion of the population," said Wardle.
Add time and financial motivation, he said, and you get more bugs. ®