A private exploit seller has tripled the reward for Apple iOS exploits and is now offering $1.5 million for valid attacks against fully patched iPhones and iPads.
Zerodium is a premium exploit platform that purchases zero-day vulnerabilities and exploits, paying large rewards to researchers who discover previously unknown security flaws in popular software.
The exploit peddler says it “focuses on high-risk vulnerabilities with fully functional exploits” and “we pay the highest rewards on the market.”
For novel attacks against Apple’s iOS and Google’s Android mobile operating systems, the company appears to be correct, with rewards for iOS 10 jailbreaking now reaching up to $1.5 million.
In an updated rewards list, Zerodium revealed that researchers who produce a new attack that remotely compromises up-to-date iOS 10 iPhones and iPads can expect up to $1,500,000. This is three times the previous reward, which had been brought down to $500,000 after the company paid out $1 million last year to three research teams that were able to find remote zero-day exploits for iOS 9.
In addition, researchers who can provide the private exploit seller with remote exploits for Android 7 mobile devices can enjoy double the payout, with Zerodium now willing to pay up to $200,000 an exploit.
When researchers sell their work privately rather than report it to vendors, the exploits are then sold on to private clients, including government entities, which may use them for surveillance: tracking and spying on criminals, terrorists and any other targets of interest.
The company is interested in working exploits against up-to-date software from Apple, Google, and Adobe, among others.
Asked about the large difference between the reward rates for jailbreaking iOS devices and those for Android exploits, Zerodium founder Chaouki Bekrar told Ars Technica:
“Prices are directly linked to the difficulty of making a full chain of exploits, and we know that iOS 10 and Android 7 are both much harder to exploit than their previous versions.
That means that iOS 10 chain exploits are either 7.5x harder than Android or the demand for iOS exploits is 7.5x higher. The reality is a mix of both.”
Earlier this year, the FBI paid $1 million to a security company to provide an exploit used to access an iPhone belonging to one of the San Bernardino shooters.