Monday, September 21, 2015

Zerodium's million dollar iOS9 bounty

Zerodium is offering a $1 million bounty for a browser-based jailbreak. I have a few comments about this. The two keywords to pick up on are "browser-based" and "untethered". The word "jailbreak" is a red-herring.

It's not about jailbreaks. Sure, the jailbreak market is huge. It's really popular in China, and there are reports of $1 million being spent on jailbreaks. But still, actually getting a return on such an investment is hard. Once you have such a jailbreak, others will start reverse engineering it, so it's an extremely high risk. You may get your money back, but there's a good chance you'll be reverse-engineered before you can.

The bigger money is in the intelligence market or 0days. A "browser-based" jailbreak is the same as a "browser-based" 0day. Intelligence organizations around the world, from China, to Europe, and most especially the NSA, have honed their tactics, techniques, and procedures around iPhone 0days. Terrorist leaders are like everyone else, blinging themselves out with status displays like iPhones. Also, iPhone is a lot more secure than Android, so it's actually a good decision (intelligence organizations have hacked Android even more).

Every time Apple comes out with a new version (like iOS9), they fix old vulns, requiring intelligence organizations to scramble to come up with new ones. Since 50% of iPhone users have updated to iOS9 in the past three days, intelligence organizations are "going dark" quickly -- unless they can get a new 0day.

One of the keywords in Zerodium's statement is "exclusive". What that means is Zerodium plans on reselling the same bug to multiple governments. I would expect such bugs to actually sell for only around $300,000. Thus, I expect that Zerodium intends to make a profit by reselling the bug, non-exclusively, to multiple governments. If they can sell it to four different countries for $300,000, they'll make a profit. On the other hand, some countries will pay more for exclusive access to a bug -- paying for the privilege of cyber-superiority.

Another keyword is "untethered", meaning the implant will be "persistent" even after the phone is turned off and on again. From what I've heard, this is the most difficult part, where in some cases they just don't have persistence. Instead, they'll rely upon the fact that people rarely let their phones run out of batteries, and the fact that if they've adequately tapped the network, it's trivial to re-exploit the phone.

Note that there other elements to an iPhone browser kill-chain. You have to not only get an 0day in the browser, but you need a separate 0day to escape the sandbox. It'll then take further privilege escalation 0days in order to get the implant successfully installed on the phone, and to access things like the microphone in order to eavesdrop on conversations, such as the all-important Facetime.

The price for important 0days has been going up every year. It's actually quite plausible that a single intelligence organization (China or the NSA) may be willing to pay $1 million for exclusive access to such a bug. If not now, the that may happen in the next few years.

At this point, Zerodium is late to the game. The beta for iOS9 has been available to developers for a while. Chances are good that whoever is selling 0days already had them available on, well, day zero of the iOS9 launch. If not on day zero, then the day after as they tweeked their exploits for the release version.

In summary, my point is this: Zerodium phrases their bounty in terms of "jailbreaks", but I'm pretty sure the market for "intelligence 0days" is much greater. Actually using it for jailbreaks would mean it would quickly get reverse engineered, and even fixed by Apple, so I doubt they'd use it for that purpose.


Unknown said...
This comment has been removed by the author.
Unknown said...

imo the reason they used "jailbreak" in the release was to dissuade jailbreak exploit devs from releasing their exploits in jailbreak form (because of the higher dollar opportunity from Zerodium).

i.e. The moment a jailbreak containing a Zerodium purchased exploit drops, Zerodium's resale value for that exploit tanks... It's in their interest to delay occurence that for as long as possible.

This also partly explains why the $3M budget is called out, despite a $1M maximum bounty. They could have just as easily said "let's do the first one, then we'll go again" but are leaving it open to continue to attract duplication submitters, and keeping the vuln away from Apple for longer.

While I'm sure it'll attract sellers, it makes their business model incredibly fragile... Rumors of imminent release of a jailbreak would be enough to influence the resale price.

(Original comment deleted because my typos exceeded my embarrassment threshold)

shadown said...

A chain of exploits that go from Browser->to->root+persistency is worth more than $1M, being the from app->root chain already worth that money, that plus the remote vector (UIWebView, allows to attack any app that parses web content, which is used almost everywhere) exploit chain.
The assumption of $300K is way too low for a such high profile exploit chain.
If they sell to multiple customers they require to have a pre-agreement with buyers to at least double the acquisition price, probably more.