iPhone Zero-Day Used by UAE Government
Last week, Apple issued a critical security patch for the iPhone: iOS 9.3.5. The incredible story is that this patch is the result of investigative work by Citizen Lab, which uncovered a zero-day exploit being used by the UAE government against a human rights defender. The UAE spyware was provided by the Israeli cyberweapons arms manufacturer NSO Group.
This is a big deal. iOS vulnerabilities are expensive, and can sell for over $1M. That we can find one used in the wild and patch it, rendering it valueless, is a major win and puts a huge dent in the vulnerabilities market. The more we can do this, the less valuable these zero-days will be to both criminals and governments—and to criminal governments.
Citizen Lab blog post and report. New York Times article. More news articles.
Lee • August 29, 2016 2:12 PM
"That we can find one used in the wild and patch it, rendering it valueless, is a major win and puts a huge dent in the vulnerabilities market. The more we can do this, the less valuable these zero-days will be to both criminals and governments — and to criminal governments."
I disagree. Surely the more vulnerabilities we detect the greater the value of the non-discovered vulnerabilities?
If anything it makes the market more aggressive and companies like NSO will offer a higher reward than the manufacturer. Some hackers, actuated by economic motivation or otherwise, will sell to the highest bidder instead of making the disclosure directly to the manufacturer.
In turn, whilst there will be fewer vulnerabilities (which is a good thing), companies will go to great lengths to keep their newly purchased spoils secret. This particular triad of vulnerabilities existed since iOS 7 – nearly 3 years ago!