U.S. Pays Up To $250,000 for iPhone Hacks

| Analysis

Where do bad iOS exploits go to die? The answer, at least some of the time, is to U.S. government agencies and contractors, as well as other foreign governments, who are apparently paying up to a quarter of a million dollars (US) to get exclusive access to zero-day exploits for iOS. According a report based on sources inside the industry, iOS exploits command more money than those developed for Android, or even Windows.

The story was based, in part, on a broker for these exploits who goes by the name of Grugq. Reporting for Forbes, Andy Greenberg spoke to Grugq, a new broker, and other brokers who have been peddling software exploits to the U.S., Europe, and, to a lesser extend Russia and China, for years.

Hacker Prices by OS/Software

Chart by The Mac Observer from Forbes Data

Those sources said that government agencies and contractors to those agencies will pay tens of thousands of dollars, or more, for exploits of all sorts. In exchange for this money, the hackers and security researchers who find these exploits are expected to not publicize them or otherwise reveal them to Apple, Google, Microsoft, Adobe, and other software companies that they effect. They are also expected to not sell them again to another party.

“You’re basically selling commercial software, like anything else. It needs to be polished and come with documentation,” Grugq said. “The only difference is that you only sell one license, ever, and everyone calls you evil.”

That means that unless or until a security researcher who does report them to the software companies, or release the details to the public, finds that exploit, it will remain unpatched and available for use by those who do know the secret.

In theory, these exploits are being bought for use in international spy games. For instance, there are thousands of attacks launched against U.S. corporations and government agencies coming out of China on a daily basis.

China isn’t buying exploits from Grugq’s clients, however; he said that China doesn’t pay well outside of China because there are already many hackers within the country who already deal exclusively with their own government.

The broker isn’t selling to the Russian government, either, though it’s largely because he has no contacts there. He has had dealings with the Russian mafia.

“Selling a bug to the Russian mafia guarantees it will be dead in no time, and they pay very little money,” he said. ”Russia is flooded with criminals. They monetize exploits in the most brutal and mediocre way possible, and they cheat each other heavily.”

So there’s that.

In the meanwhile, there are more established brokers in the business, too, including Vupen, Endgame, and Netragard (whose motto is “We protect you from people like us”). Netragard founder Adriel Desautels told Forbes that while his company has been selling exploits for some time, the market has exploded in the last year.

So where does this leave us as users? The reality is that tax payer money from the world’s largest and/or richest countries is being used to keep us, the tax payers, less secure on an individual basis in the name of national security.

The problem is that where one exploit exists in the hands of a government, it can also be used by the bad guys to target our systems, too. Worse, those government agencies and contractors buying these exploits have no vested interest in seeing them patched.

Think about that the next time you get frustrated with someone like Charlie Miller for releasing the details of an exploit to the public before Apple (or some other company) has patched it. Mr. Miller is one of the good guys, and he could probably make a lot more money selling his talents through these brokers than he can as a consultant releasing his findings to the public.

To wit, Grugq told Forbes that he could have gotten $250,000 for the Jailbreakme 3 iOS exploit developed by Comex in 2011 and released to the jailbreaking community for free. (Note that Comex was then given an internship by Apple.)

As the money continues to flow from governments, and most likely criminal organizations, pressure will increase on the white hats to shop at a habberdashery offering other color options.

That is, unless Apple, Google, Microsoft, and the other software companies want to start ponying up to the table with their own cash. Google will pay $3,133.70 for some hacks, and Mozilla and Facebook reportedly pay a few thousand dollars, too.

That obviously doesn’t compare to a six figure paycheck, though. Not in the least, as noted by Grugq, who said, ”If they want their bugs fixed, they can buy them at market rates like everyone else. From each according to their ability, to each according to their needs? That’s communism. If they want the output, they can pay for it like anyone else. They have my email.”

Sign Up for the Newsletter

Join the TMO Express Daily Newsletter to get the latest Mac headlines in your e-mail every weekday.

Comments

Lee Dronick

Think about that the next time you get frustrated with someone like Charlie Miller for releasing the details of an exploit to the public before Apple (or some other company) has patched it. Mr. Miller is one of the good guys, and he could probably make a lot more money selling his talents through these brokers than he can as a consultant releasing his findings to the public.

My issue is that it could encourage someone with less scruples to look where Charlie looked.

d'monder

?Selling a bug to the Russian mafia guarantees it will be dead in no time”

Um… doesn’t dealing with the Russian mafia guarantee YOU being dead in no time?

Some groups just aren’t worth getting involved with.

Lancashire-Witch

” Um? doesn?t dealing with the Russian mafia guarantee YOU being dead in no time?  “

Only if they make you an offer you can’t understand.

Bosco (Brad Hutchings)

As I read the story in Forbes, I could not help but think of Stephen Glass. The story is kind of incredible with such an appealing narrative. Not calling bullshit on it, but I’m a little skeptical.

zewazir

Has anyone considered the idea that our government may not be limiting the use of these hacks for espionage/counter-espionage?  With Patriot Act II and FISA laws behind them, they are pretty much claiming the right to do anything they want with our private communications.

Lee Dronick

Zewazir, I think that Charlie Miller used to work for the NSA. So it is possible that the Government is buying, and/or developing their own, hacks.

zewazir

According to the article, the U.S. government is definitely buying hacks - and under the agreement that the purchased hack remains secret, so others can’t use it AND the vulnerability the hack exploits remains unpatched. Also, according to the article, “In theory, these exploits are being bought for use in international spy games.”

I question that theory. Though no way to prove it, I’d bet some of those hacks are currently being used domestically by a government that, with the passage of Patriot Act, FISA, National Defense Authorization Act, and now trying to pass the Enemy Expatriation Act, is telling us they can do what they want, when they want, and we need to toe the line or be carted of to Guitmo.

Log-in to comment