MacRumors

macrumors bot
Original poster
Apr 12, 2001
52,202
13,841


Zerodium this week announced that it will not be purchasing any iOS exploits for the next two to three months due to a high number of submissions. In other words, the company has so many security vulnerabilities at its disposal that it does not need any more.


Zerodium is an exploit acquisition platform that pays researchers for zero-day security vulnerabilities and then sells them to institutional customers like government organizations and law enforcement agencies. The company focuses on high-risk vulnerabilities, normally offering between $100,000 and $2 million per fully functional iOS exploit.


In an explicit tweet, Zerodium CEO Chaouki Bekrar said iOS security is in bad shape, noting that there are at least a few persistent zero-day security vulnerabilities affecting all iPhones and iPads. "Let's hope iOS 14 will be better," added Bekrar.

Apple has its own bug bounty program that offers between $5,000 and $1 million for security vulnerabilities in iOS, iPadOS, macOS, tvOS, or watchOS.

Article Link: Zerodium Temporarily Stops Purchasing iOS Exploits Due to High Number of Submissions
 

ElRojito

macrumors 6502
May 6, 2012
270
448
I think this is a big fail on Apple's part, but also on the part of the consumer. The customer is always right, right? You build out what the customers are demanding because that's what they'll pay for -- unfortunately, it's my belief that this has caused devs to push code through faster that may not be as tightly wound as it used to be because we as consumers demand so many changes to iOS every year. Working for a startup myself, it's a hard line to walk; I just gotta hope that QA gets better at Apple and that they slow down a bit and focus on security rather than new features all the time.

julesme

macrumors 6502
Oct 14, 2016
316
1,109
San Jose
The security could be better if they weren't operating a black market of vulnerabilities and instead were reporting them to Apple. But hey, greed trumps the security of users I guess?

This may be an oversimplification. A marketplace should be a good thing, because it provides incentive to find (and fix) the vulnerabilities. Maybe the bigger issue here is Apple is not dedicating appropriate resources.

The Cappy

macrumors 6502
Nov 9, 2015
392
708
Dunwich Fish Market
I think this is a big fail on Apple's part, but also on the part of the consumer. The customer is always right, right? You build out what the customers are demanding because that's what they'll pay for -- unfortunately, it's my belief that this has caused devs to push code through faster that may not be as tightly wound as it used to be because we as consumers demand so many changes to iOS every year. Working for a startup myself, it's a hard line to walk; I just gotta hope that QA gets better at Apple and that they slow down a bit and focus on security rather than new features all the time.
Nonsense. iOS has been the more impervious of the two mobile OSes. Certainly that's the expectation of the buying public. So you're talking through your hat. Also, judging from the amount of malware in the wild, iOS is still the better of the two. But iOS has been a kludge on quite a number of levels, and this is just a new aspect of something we've all been complaining about.

"Given that Android is the biggest target for hackers, it should be no surprise that it has the most viruses, hacks, and malware attacking it. What may be a surprise is just how much more it has than other platforms.
"According to one study, 97 percent of all malware attacking smartphones targets Android.
"According to this study 0% of the malware they found targeted the iPhone (that's probably due to rounding. Some malware targets the iPhone, but it's likely less than 1%). The last 3% took aim at Nokia's old, but widely used, Symbian platform. That's just one study, of course, but the basic trend is that Android is overwhelmingly most targeted by virus writers."

Lazy

macrumors 6502
May 27, 2003
303
332
Silicon Valley
I think this is a big fail on Apple's part, but also on the part of the consumer. The customer is always right, right? You build out what the customers are demanding because that's what they'll pay for -- unfortunately, it's my belief that this has caused devs to push code through faster that may not be as tightly wound as it used to be because we as consumers demand so many changes to iOS every year. Working for a startup myself, it's a hard line to walk; I just gotta hope that QA gets better at Apple and that they slow down a bit and focus on security rather than new features all the time.

Uh, I don’t think we’re demanding so many changes to iOS every year. Apple chooses to shovel a bunch of them out so they can have something to promote new iOS releases. It’s also the case that nothing requires Apple to do a major iOS update every year. I would much rather see them do what they used to do with macOS: release major new versions whenever they had something worth releasing, without the quality drop that comes from rushing it, which was usually longer than yearly.

dude-x

macrumors regular
Mar 2, 2007
180
218
New York City
Now that's a bold claim, if only for the severe fragmentation and outdated OSes on that side.
Stock Android may be full of holes, but according to the security researchers I follow, the later Android OSes have better APIs and capabilities to lock down your phone depending on your threat model.

iOS isn't bad by default, but it's not the most secure there is anymore.

69Mustang

macrumors 604
Jan 7, 2014
7,764
14,747
In between a rock and a hard place
The security could be better if they weren't operating a black market of vulnerabilities and instead were reporting them to Apple. But hey, greed trumps the security of users I guess?
I think you're missing the /s sarcasm tag. It's not Zerodium's job to protect the security of iOS users. That's Apple's job. The security could be better if Apple did their job better by ensuring the OS is as exploit-free as possible. If Zerodium has to stop buying vulnerabilities because there are so many, Apple isn't ensuring the OS is as exploit-free as possible.

The vulnerabilities are the sole responsibility of Apple. Security is hard. Very hard and always has to be ever evolving to stay ahead of those who'd violate it. So I don't envy their job in that aspect. But make no mistake, it is Apple's job to do. Not Zerodium's.

Art Mark

macrumors 6502
Jan 6, 2010
345
594
Oregon
Stock Android may be full of holes, but according to the security researchers I follow, the later Android OSes have better APIs and capabilities to lock down your phone depending on your threat model.

iOS isn't bad by default, but it's not the most secure there is anymore.
I kind of find (kind of...stick with me...) what you say hard to believe. If only because there are a million fragmented versions of Android that have a ****-ton of manufacturer holes punched in them. Knowing what the vulnerabilities of any one device are - that's rather tough to judge. Not to mention the issue of installing apps from numerous stores, all with various levels of security concern. There will always be security issues. But, and I'm open to being wrong, with the tens of thousands of different Android versions and install variations and add-ons, how could Android offer anything near what iOS does? Plus so much of Google tech is about following you online and offline and reporting that back. Doesn't that inherently mean there's a lot more that could go wrong? How locked down can the system be when it's built around data mining?

69Mustang

macrumors 604
Jan 7, 2014
7,764
14,747
In between a rock and a hard place
Hate to play devil's advocate - but how do we know that the claim from the company is fact or fiction? If you wanted to be a company seeking the limelight, what would you do? Would you pull a stunt like this? Or would you do something else?
Why would Zerodium announce that the product they sell for a hefty premium to governments and corporations is now so pervasive in the market that Zerodium has to back off buying it for a while? They also announce they're going to pay less for it when they start buying again. Subsequently, aren't their customers going to expect to pay less for what they do buy? Ya know, since the market is apparently flooded.

Why would a company like Zerodium be seeking the limelight? They have been quietly and openly doing their thing for a long time. They don't benefit from the spotlight. Their customers and customers of companies like them, know exactly who they are.

4jasontv

Suspended
Jul 31, 2011
4,072
4,437
:O

I have seen security professionals say that Android has surpassed iOS in terms of security and hardening. So Apple needs to develop better tooling to shake out these bugs.

Who is making these claims?
iOS: Your device can be easily accessed and your data compromised.
android: all your data is compromised as detailed in the TOS.