Zerodium announces it is no longer buying certain types of iOS exploits due to oversupply
The world’s top buyer of iOS exploits, Zerodium, has announced that it will stop buying certain types of iPhone exploits for now. Zerodium became famous among iOS hackers some four years ago when it announced that it would buy iPhone exploits from hackers for a price. Now it has announced on Twitter that it has stopped buying new Apple iOS Local Privilege Escalation (LPE) exploits, Safari Remote Code Execution (RCE) exploits, and sandbox escapes. Zerodium said that it already had a high number of pending submissions for these exploits, so it is deferring purchases for two to three months.
We will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors.
Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.
— Zerodium (@Zerodium) May 13, 2020
Zerodium also said that it expects Apple iPhone exploit prices to drop for one-click (via the Safari browser) exploit chains without persistence. What Zerodium added would perplex many iPhone fanboys: it seems that iPhones are no longer as unhackable as they were perceived to be. The Zerodium CEO says that iOS security sucks and that only PAC (Pointer Authentication Codes) and non-persistence are holding it together. He added that new exploits are emerging that bypass even these two.
iOS Security is fucked. Only PAC and non-persistence are holding it from going to zero…but we're seeing many exploits bypassing PAC, and there are a few persistence exploits (0days) working with all iPhones/iPads. Let's hope iOS 14 will be better. https://t.co/39Kd3OQwy1
— Chaouki Bekrar (@cBekrar) May 13, 2020
With iOS exploit prices dropping so fast, many hackers are moving to find Android weaknesses.
Switch to Android. iOS prices have been dropping for a while now.
— Azeria (@Fox0x01) May 13, 2020
iPhone – Apple’s unhackable smartphone a myth?
Over the years we have been made to believe that Apple iPhones are very hard to crack. Even the FBI had so much trouble hacking a felon’s smartphone that it had to move to the High Court to order Apple to unlock the iPhone for them. But not anymore.
Zerodium had advertised that it was willing to pay up to $2 million for iOS exploit chains that achieve persistence and require no user interaction. Similar Android smartphone exploits sell for $2.5 million.
Over the years iOS security has deteriorated. A month ago it was discovered that iOS 13, which powers current iPhones, can be hacked through emails. This is despite Apple having a very successful bug bounty program with a payout of $1 million for exploits that achieve persistence, bypass PAC and require no user interaction.