Where do bad iOS exploits go to die? The answer, at least some of the time, is to U.S. government agencies and contractors, as well as other foreign governments, who are apparently paying up to a quarter of a million dollars (US) to get exclusive access to zero-day exploits for iOS. According to a report based on sources inside the industry, iOS exploits command more money than those developed for Android, or even Windows.
The story was based, in part, on a broker for these exploits who goes by the name of Grugq. Reporting for Forbes, Andy Greenberg spoke to Grugq, a new broker, and to other brokers who have been peddling software exploits to the U.S., Europe, and, to a lesser extent, Russia and China for years.
Chart by The Mac Observer from Forbes Data
Those sources said that government agencies and contractors to those agencies will pay tens of thousands of dollars, or more, for exploits of all sorts. In exchange for this money, the hackers and security researchers who find these exploits are expected not to publicize them or otherwise reveal them to Apple, Google, Microsoft, Adobe, and the other software companies they affect. They are also expected not to sell them again to another party.
“You’re basically selling commercial software, like anything else. It needs to be polished and come with documentation,” Grugq said. “The only difference is that you only sell one license, ever, and everyone calls you evil.”
That means that unless or until a security researcher who does report bugs to the software companies, or releases the details to the public, independently finds that same exploit, it will remain unpatched and available for use by those who do know the secret.
In theory, these exploits are being bought for use in international spy games. For instance, there are thousands of attacks launched against U.S. corporations and government agencies coming out of China on a daily basis.
China isn’t buying exploits from Grugq’s clients, however; he said that China doesn’t pay well outside of China because there are already many hackers within the country who deal exclusively with their own government.
The broker isn’t selling to the Russian government, either, though it’s largely because he has no contacts there. He has had dealings with the Russian mafia.
“Selling a bug to the Russian mafia guarantees it will be dead in no time, and they pay very little money,” he said. “Russia is flooded with criminals. They monetize exploits in the most brutal and mediocre way possible, and they cheat each other heavily.”
So there’s that.
In the meantime, there are more established brokers in the business, too, including Vupen, Endgame, and Netragard (whose motto is “We protect you from people like us”). Netragard founder Adriel Desautels told Forbes that while his company has been selling exploits for some time, the market has exploded in the last year.
So where does this leave us as users? The reality is that taxpayer money from the world’s largest and/or richest countries is being used to keep us, the taxpayers, less secure on an individual basis in the name of national security.
The problem is that an exploit that exists in the hands of a government can also be used by the bad guys to target our systems. Worse, the government agencies and contractors buying these exploits have no vested interest in seeing them patched.
Think about that the next time you get frustrated with someone like Charlie Miller for releasing the details of an exploit to the public before Apple (or some other company) has patched it. Mr. Miller is one of the good guys, and he could probably make a lot more money selling his talents through these brokers than he can as a consultant releasing his findings to the public.
To wit, Grugq told Forbes that he could have gotten $250,000 for the Jailbreakme 3 iOS exploit developed by Comex in 2011 and released to the jailbreaking community for free. (Note that Comex was then given an internship by Apple.)
As the money continues to flow from governments, and most likely criminal organizations, pressure will increase on the white hats to shop at a haberdashery offering other color options.
That is, unless Apple, Google, Microsoft, and the other software companies want to start ponying up to the table with their own cash. Google will pay $3,133.70 for some hacks, and Mozilla and Facebook reportedly pay a few thousand dollars, too.
That obviously doesn’t compare to a six figure paycheck, though. Not in the least, as noted by Grugq, who said, “If they want their bugs fixed, they can buy them at market rates like everyone else. From each according to their ability, to each according to their needs? That’s communism. If they want the output, they can pay for it like anyone else. They have my email.”