Prices for Zero-Day Exploits Are Rising

Companies are willing to pay ever-increasing amounts for good zero-day exploits against hard-to-break computers and applications:

    On Monday, market-leading exploit broker Zerodium said it would pay up to $2 million for zero-click jailbreaks of Apple's iOS, $1.5 million for one-click iOS jailbreaks, and $1 million for exploits that take over secure messaging apps WhatsApp and iMessage. Previously, Zerodium was offering $1.5 million, $1 million, and $500,000 for the same types of exploits respectively. The steeper prices indicate not only that the demand for these exploits continues to grow, but also that reliably compromising these targets is becoming increasingly hard.

Note that these prices are for offensive uses of the exploit. Zerodium -- and others -- sell exploits to companies who make surveillance tools and cyber-weapons for governments. Many companies have bug bounty programs for those who want the exploit used for defensive purposes -- i.e., fixed -- but they pay orders of magnitude less. This is a problem.

Back in 2014, Dan Geer said that the US should corner the market on software vulnerabilities:

"There is no doubt that the U.S. Government could openly corner the world vulnerability market," said Geer, "that is, we buy them all and we make them all public. Simply announce 'Show us a competing bid, and we'll give you [10 times more].' Sure, there are some who will say 'I hate Americans; I sell only to Ukrainians,' but because vulnerability finding is increasingly automation-assisted, the seller who won't sell to the Americans knows that his vulns can be rediscovered in due course by someone who will sell to the Americans who will tell everybody, thus his need to sell his product before it outdates is irresistible."

I don't know about the 10x, but in theory he's right. There's no other way to solve this.

Posted on January 17, 2019 at 6:33 AM • 29 Comments

Comments

Paul January 17, 2019 7:10 AM

And wouldn't it be wonderful for the world if China were the one to do that rather than the USA? Trump's reaction would be even more amusing than usual to behold!

Bong-Smoking Primitive Monkey-Brained Spook January 17, 2019 8:47 AM

    Companies are willing to pay ever-increasing amounts for good zero-day exploits against hard-to-break computers and applications:

goddamit! Now you tell me after I put all my investments in crypto-currency crap? Geeez, I could have bought a couple of zero-days and retired!

When will they list zero-days on the stock exchange so I keep track of it?

required January 17, 2019 8:56 AM

Do not waste your time decrypting WhatsApp messages. Just go inside cell phones via the Telegram app, Yahoo Mail app, etc., then go inside WhatsApp to read all messages.

Petre Peter January 17, 2019 8:57 AM

Zero-days are overrated. Credentials stealing is the easiest way to get in. --Rob Joyce

Awwww January 17, 2019 9:04 AM

Why would I trust Zerodium for anything other than making sure my exploit is used?

E.g., why should they give me the promised amount and make sure there is no US-based trap (fine, jail, ...)?

Once they cornered me, I am game over.

Bernie Sanders January 17, 2019 9:07 AM

What you're recommending Mr. Schneier is that the United States taxpayer pick up the tab when large multinational companies like Microsoft fail to invest the necessary resources to perform the due diligence to prevent buggy code. Just as in 2008 when the banks knowingly failed to check the integrity of the loans which they handed out like candy to anyone with a pulse. And guess who bailed them out while the execs walked away with their bonuses?

Companies should be held accountable for their screw-ups, just like the banks.

It's disappointing that you would position yourself as a corporate apologist, claiming there is no other way than showering tech executives with money on behalf of their screw-ups.

Humma humma January 17, 2019 9:47 AM

@bernie

Exactly. The problem with this solution is that there is no such thing as objectively safe code. All software bugs are manmade, and if someone provides an incentive to make bugs, someone will make bugs. So in the long run all code will be government funded, one way or the other.

twka90 January 17, 2019 10:14 AM

Maybe in addition to being the highest bidder, the US should also turn around and bill the companies for the vulnerabilities? (So that security is not an externality anymore.)

Impossibly Stupid January 17, 2019 10:39 AM

I agree that it shouldn't be the government who pays for trillion dollar companies to continue to do a poor job. Worse, the whole scheme seems to revolve around the idea that there is infinite money to pay for these exploits because a) creating an artificial market at 10x (or whatever) an arbitrary baseline will only serve to quickly and repeatedly jack up that price, and b) there is no limit on the number of exploits that will be discovered.

I remember an old Dilbert where the boss was going to start paying a bug bounty, and a software engineer said something to the effect of "I'm going to write me a new minivan". Throwing around gobs of money is only going to make things less secure. It's really disappointing when people like Bruce don't see the obvious consequences of extraordinarily bad ideas like that.

me January 17, 2019 10:58 AM

Given how much they are paid, I'm sure that insiders will start to add bugs to sell them later...

If you find a bug you should report it; you might get less money, but at least you can sleep well.
They don't pay you that much because you are a pro hacker, but because they want you to ignore your moral compass.

twka90 January 17, 2019 12:58 PM

The problem is that gobs of money are already thrown around by bad people. If we want to improve security, we do need to buy out the vulnerabilities and fix them. But we also need to align the incentives -- make the companies pay the market rate (or more) for the bugs. I am sure Apples and Googles of the world can figure out internal processes to distinguish genuine bugs from "I am writing me a new minivan" plants.

Tony January 17, 2019 5:02 PM

@twka90: "I am sure Apples and Googles of the world can figure out internal processes to distinguish genuine bugs from "I am writing me a new minivan" plants."

Really. Go look at the "goto fail" SSL bug from around five years ago. Was that deliberate? Or just an unfortunate result of some cut & paste programming?

Clive Robinson January 17, 2019 5:34 PM

I look at this,

    The steeper prices indicate not only that the demand for these exploits continues to grow, but also that reliably compromising these targets is becoming increasingly hard.

The first part, "demand", alone could be indicative of a growing number of purchasers; thus the old "supply and demand" argument says the price goes up.

But the second part, of "reliably compromising" I think may be a little suspect as an argument without further amplification.

A compromise requires some form of vulnerability, be it "Man or Machine". These days on the PC side of things the current attacks appear to be mainly "Man" as the vulnerability (phishing et al). However, for mobile phones it appears to be not just "machine" but "covert machine" vulnerabilities, preferably those that work "remotely", that are most valued.

This platform split has all the appearance of becoming a fixture, presumably because of different purchasing groups and their requirements, so much so that they can effectively be regarded as separate markets.

If we just look at "machine" vulnerabilities for attacking phones, we may find that the real problem is not a lack of vulnerabilities, but that the vulnerabilities or classes of vulnerabilities are effectively "siloed by the testing", thus individual silos effectively get "mined out" of the "low hanging fruit". Simply because everybody using a similar test methodology or automated tool chain is going to be chasing the same class of vulnerabilities and in effect avoiding others.

As I've indicated before, we can at best only hunt for "known instances" in "known classes" of vulnerability using the tools we currently have available.

Perhaps it is time we should revise our testing mentality, to encompass wider classes or entirely new instances of attack.

My point is that I don't feel like we have mined out even a small fraction of the "low hanging fruit" vulnerabilities just yet, just those in one or three silos our existing tools cover.

Sancho_P January 17, 2019 6:23 PM

”… the U.S. Government could openly corner the world vulnerability market …” (Dan Geer)

Aren’t they doing that, only keeping them (the vuls) secret?

But:
”… he's right. There's no other way to solve this.” (@Bruce, my emph)

To be clear, this is a very bad idea, completely against capitalism.

Sancho_P January 17, 2019 6:24 PM

@Clive Robinson re silos

As we know the driving force behind some of the silos is “nazzional security”, the NOBUS access.

James January 17, 2019 8:51 PM

Why is it any better for exploits to be sold to the US government than for those same exploits to be sold to other parties?

Phaete January 18, 2019 12:24 AM

Ideally you would want to set up an international organisation which buys the zero days and then by law bills the company whose product it is.
Too bad the current world politics evolved as they did; no chance of the above.

Clive Robinson January 18, 2019 3:36 AM

@ Phaete,

    Ideally you would want to setup an international organisation who buys the zero days and then by law bills the company whose product it is.

Uh no that's known in some parts as the "sewerage solution".

Due to history from early Roman times, the sewerage solution has been to ship the crap etc. as far out of mind as you can, and in the process everything gets mixed together. As environmental engineers will tell you, this is really a bad idea: not only does it make filtration and clean up way, way harder than it should be, you are creating a health risk all along the system, be it biological, chemical or occasionally kinetic, where some idiot has dumped flammable liquids etc. that gas up, get to the right combination, and "man hole covers" become airborne.

Thus the solution is to cut out the long slow dangerous path and deal with the crap before it's left the source's premises.

How to do this is the challenge that Governments have refused to address. It's not as though most western nations don't have "Fit for purpose/market/sale" legislation; they have allowed the software companies to "side step" them via "phoney/faux leases". Worse, they have implemented "drawbridge" legislation such as the DMCA that at the core has been drafted by "industry" and is quite deliberately designed in a convoluted way to ensure these same software companies not only do not face any repercussions for their very deficient products, but also attempt to lock out anyone producing better or fixes.

The question should be not if this idea should be run by a Government or by an International organisation, but why both have repeatedly failed the legislation and treaties they already have to resolve the issue...

Cassandra January 18, 2019 3:38 AM

@Clive Robinson
    ...I don't feel like we have mined out even a small fraction of the "low hanging fruit" vulnerabilities just yet, just those in one or three silos our existing tools cover.

I can see it's being so cheerful as keeps you going, Clive.

Needless to say, I share your sunny optimism. Even when flaws are publicly known, the problem still arises of assuring that all the Information Processing systems for which someone is responsible both have fixes, and have been updated. Exploits have a long half-life, and the problem of finding an unknown Raspberry Pi (which itself could be vulnerable to old exploits) in a cupboard, attached to your network, will only get worse as more and more IoT devices get deployed. Network Access Control Authentication ought to make this kind of thing impossible, but has its own problems. E.g. getting it built into IoT things is a hurdle, and getting non-expert people to implement it is another. Implementation by non-experts is not easy. There is an awful lot of unpatched and unpatchable legacy kit out there.

On another note, the latest imbecility I have found is a large financial organisation encouraging people to send, for identification purposes, non-encrypted scans of their passports by ordinary email.

Cassandra


Cassandra January 18, 2019 8:04 AM

À propos my previous comment, anyone curious about the technique of placing a small but capable device on a vulnerable network could do worse than read the blog posting "Notes about hacking with drop tools" by Robert Graham on the Errata Security website/blog. It gives a reasonably detailed view of what such devices can do in the absence of effective controls to detect them before they become a problem.

The section on 'Defense' identifies preparations and actions companies should take to make attackers' lives more difficult. Unfortunately many companies and other organisations don't, making them 'low-hanging fruit'.

Cassandra

Phaete January 18, 2019 9:48 AM

@Clive Robinson.

    Due to history from early Roman times the sewerage solution has been to ship the crap etc as far out of mind as you can and in the process everything gets mixed together. As environmental engineers will tell you this is realy a bad idea ...

It's what we currently do, and it works all around the globe.
The sewers mix everything together and all is processed at one point.
I guess we can mitigate risk and value different points of the process.

You just have one example where it works differently.

Try "The Polluter Pays" principle.
How about current penalties for lawbreaking? This is also centralised.
We used to have mobs and hanging, but centralised in a sheriff's office (or equivalent) it works better.
How about garbage collection, etc...
So I'm not taking your example as useful information.

    Thus the solution is cut out the long slow dangerous path and deal with the crap before it's left the souces premises.

Oops, we are human; the crap has left the premises in percentages equal to the human error chance.
Now what, just stand there and say no errors are allowed?
Nope, to err is human; get a process for the inside and one for the outside.

    The question should be not if this idea should be run by a Government or by an International organisation, but why both have repeatedly failed the legislation and treaties they already have to resolve the issue...

Let me explain my quote "Too bad the current world politics evolved as they did, no chance of the above."

Our politics have a tit-for-tat negotiation tendency, and at world level you need to spend several hundred tits to get that one tat done.
Just look at the international whale fishing regulation and how that came about.
Landlocked countries voting one way because they got their tit for their tat from a country whose government wants to hunt whales.

So no, our current political system cannot handle this many participants (countries); it is broken.
Take the Kyoto accord, or the new one in Paris?
Heck, even the Geneva conventions are too hard for some countries.

So in summary, yes, we need to filter the crap on premises and off, because man will err and you don't want crap around, either on or off premises.

Clive Robinson January 18, 2019 2:49 PM

@ Phaete,

    It's what we currently do and works all around the globe.

No, it does not work at all well, which is why it's used as an example of what can happen without strong legislation that is properly enforced (which might account for why the EPA keeps getting starved of resources due to lobbying etc).

As for,

    Try "The Polluter Pays" principle.

That really does not work; just look at all the toxic sites around the world that were owned by long-bankrupted companies, so it's Joe Public who picks up the tab. Even where there is legal traceability back to transnational companies they generally don't pay anything, or at best a very tiny fraction of the cost of their mess.

Back in Roman times they only had "biologicals" to deal with, and they cared not a jot how much water was used or who they gave diseases to, as long as it was sufficient to take the problem away from them. Hence the point that they were making the problem somebody else's downstream.

The potable water consumption alone with current cisterns is an environmental disaster as 200ml of pee needs 6-9000ml of potable water to take it away...

But "Booger Booger" and Co think out of sight, out of mind, and any old environmental contaminant can be flushed... It's why we get "fatbergs" weighing in at over 17,000kg, oil slicks, exploding drains, cyanides and other heavy metal contaminants, and such joys as laundry phosphoresents etc. ending up not just causing problems in drains, but, as many in the US know the hard way, in the rivers, and thence back not only into potable water but also to fish etc. to poison their children and grandchildren by epigenetics.

I'm surprised you are not aware of this...

With regards,

    Nope, to err is human, get a process for inside and one on the outside.

Yes, accidents do happen, not just at customer premises but more so at treatment plants, the latter often because of the mixed nature of the waste. The point to treat water is at the point of contamination, as the French have insisted on in the past. Not just because the customer has to clear up their own crap; it's generally easier to clean it out of water at the point it becomes effluent.

But I'm not ruling out multistage processing. I'm saying, as have many other engineers before me, that the sooner you deal with a problem the less of a risk it is. It's why the sewage system is used as an example of how not to do something.

Multistage cleaning has the advantage that normally things do not mix and do not cross-contaminate. So you are just clearing heavy metal out of a limited volume of water, not out of vast quantities of water mixed with muds, biologicals and other relatively benign materials that could otherwise be recycled or reused in some way.

For instance if it was only paper towels and biologicals mixed in with a fatberg, it could be burnt directly in a CHP plant. But when also contaminated with heaven alone knows what it can not be, and thus requires a lot of very expensive processing.

Yes, humans do make errors; so do machines or any other process; things wear out and break, and many other issues. However they are very minor compared to running known poisons at high concentrations through miles of drains and pipe that have leaking joints etc. into the environment and thus the water table.

Buying zero days is at the end of the day a faux market that can easily be gamed and as you note,

    Landlocked countries voting one way because they got their tit for their tat from a country whose government want to hunt wales.

We need a system that is not just hard to game but fairly easily resolved, at the expense of the offending organisations rather than the citizen at large, and relatively quickly and efficiently.

Jim January 19, 2019 3:03 AM

@Clive Robinson,

You can only go so far as long as the "tools" are used by government entities.

Gen Turner January 24, 2019 9:40 PM

Bernie Sanders wrote:

"What you're recommending Mr. Schneier is that the United States taxpayer pick up the tab when large multinational companies like Microsoft fail to invest the necessary resources to perform the due diligence to prevent buggy code."

Hello Mr Sanders,

Mr. Schneier's suggestion is commonplace where market failure exists. The government provides the required service to address the externality, and then recoups its costs using taxation. If the incidence of taxation is done correctly -- the tax falling on those responsible for the government's corrective actions -- then the net effect in Mr Schneier's example is that "multinational companies like Microsoft" do pay the bill.

These taxes often go by names like "licenses" or "permits".

Regards, Gen Turner

Chris February 15, 2019 4:04 PM

In my relatively long experience, Bug-Bounty programs typically NEVER PAY OUT. There's always another excuse why your exploit is "out of scope", against their rules, already-known, or whatever other bogus crud they spin to get your intelligence for free.

If you're finding bugs, sell them, because you WON'T get thanks or income from reporting them!

Chris February 17, 2019 11:56 AM

The T&C for proprietary hardware and software *should* say that bugs must be reported to the vendor before telling anyone else about them. That gives some chance of brokers like Zerodium being sued for damage done by bugs they sold instead of reporting them. It won't solve the problem but might help a little.

Chris

Chris2 February 17, 2019 12:04 PM

Sorry, I should have noticed the post before mine (made 15 Feb) was made by someone else called Chris. He didn't make the one on 17 Feb.

Chris 2


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.