Where Do Baby Exploits Come From?
As concerns about the privacy and security of mobile devices and communications has increased in the post-Snowden era, the adoption of secure messaging apps backed by strong encryption has spiked. That has made life more difficult for both law enforcement agencies and attackers trying to get access to those messages, to the point that a private company now is offering $500,000 for zero-day exploits for most of the high-profile mobile messaging apps on iOS and Android.
The huge potential payday comes courtesy of Zerodium, a small firm founded by security researchers that buys vulnerability information and exploits. The company then sells that information to private customers, mainly government and law enforcement agencies, which use the exploits to target suspects in criminal and terror investigations. Zerodium is one of a small number of companies engaged in that business, nearly all of which operate in the shadows and are highly secretive about their business and customers.
Zerodium is unusual in that it publishes its price list for exploits against various platforms and applications. The payouts can range from $10,000 on the low end for exploits against antivirus or content-management systems to $1.5 million for a no-click remote jailbreak on iOS. The prices are a reflection of both the difficulty of finding an exploit on a given app or platform and the value of it to various customers.
And that combination of difficulty of exploitation and value to customers is what puts exploits against apps such as Signal, iMessage, WhatsApp, and others very close to the top of the food chain. These encrypted messaging apps have emerged as key communications tools for many groups of people. Privacy conscious users favor them for the ability to keep their messages secure and private from many kinds of adversaries, including attackers and government agencies. Those features also make these apps popular among social activists and dissidents in countries with repressive regimes.
But the security and privacy capabilities of apps such as Signal and WhatsApp also make them attractive to criminals and terrorists looking to hide their communications from law enforcement and intelligence agencies. These apps are simple to use and readily available to users around the world and offer end-to-end encryption, and in many cases, the providers have no ability to decrypt users’ messages. These attributes can make life quite difficult for law enforcement investigators targeting criminal and terror organizations.
So the market for zero-day vulnerabilities and the exploits for them on these apps is clearly there, and the money for those who can produce them is as good as it gets on the legitimate market. Right now, the supply isn’t anywhere near equal to the demand, and that scarcity is leading to the high prices offered by Zerodium. And those high prices should comes as a relief to the vast majority of users.
An organization that is able and willing to pony up the $500,000 for an exploit against Signal or iMessage isn’t doing so in order to perform mass surveillance on large groups of people. Those exploits are used in highly targeted operations, typically against a small group of people. Intelligence agencies and law enforcement don’t spend that kind of money to use the exploits in noisy attacks that are likely to be noticed, burning the technique. That’s a poor use of resources, and these organizations buy the exploits to use for extended periods of time.