What you need to know
- Zerodium is a bug broker of sorts.
- But it doesn't want any more iOS exploits.
- There's so many in the pipeline they don't need more.
A company that buys security exploits found by hackers and researchers has said that it no longer wants to have anything to do with new iOS discoveries. But not for the reasons you might expect. Instead, Zerodium says that there are just so many being worked on already that more simply aren't needed.
In a tweet yesterday, Zerodium said that it won't be buying new exploits relating to iOS, Safari, or the sandbox for at least the next couple of months. Maybe more.
We will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors.
Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.We will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors.
Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.— Zerodium (@Zerodium) May 13, 2020May 13, 2020
AppleInsider also notes that the company's founder believes that iOS security is "f--cked" but that it's possible iOS 14 will improve matters.
Only PAC and non-persistence are holding it from going to zero...but we're seeing many exploits bypassing PAC, and there are a few persistence exploits (0days) working with all iPhones/iPads. Let's hope iOS 14 will be better.
While a company like Zerodium not buying exploits sounds like a good thing, the reason is not. Apple's iOS is often thought to be more secure than the competiting Android and while that's true, it isn't impregnable. Apple continues to work to ensure iPhones and iPads are as secure as possible but people also work just as hard to make sure they find ways in.
It sounds like they are the ones that are winning.
