Meet Zerodium, the company that pays $1 million for Apple hacks

April 07, 2016, at 3:41 PM

There's a vibrant underground market for tools to hack you, but one company is making offers out in the open.

Last year, Zerodium publicly offered $1 million for a powerful new hack that could remotely sneak into an iPhone running Apple's latest software. In November, the firm announced the winner -- an unidentified team of hackers.

Zerodium publicly offers up to $100,000 for Android and Windows Phone hacks. It'll pay $80,000 for hacks that involve the Adobe PDF reader or Flash Player.

In a sense, Zerodium is a cyber arms dealer. It pays hackers to learn about their tactics, then packages that knowledge and sells it to elite subscribers.

For $500,000 or more a year, governments can purchase a road map for hacking Android phones to spy on people. Companies can learn about a special hacking tactic before it's used on their own Windows computers -- or quietly use it themselves for corporate espionage.

Governments can even pay Zerodium a premium to obtain exclusive rights to a hacking method, though the company says those are rare.

Zerodium's business is extremely controversial, because it's selling "zero-days," the golden gun of the cyber world. These are rare, powerful hacks that exploit never-before-seen vulnerabilities. They get their name from the notion that tech companies have had "zero days" to fix them.

"This is a weapon," said Zuk Avraham, founder of cybersecurity firm Zimperium. "It takes one man to write an exploit these days -- one man willing to sell his soul to the devil."

Selling zero-days on the open market can make the Internet and gadgets less secure to use, experts tell CNNMoney.

"This isn't good for the security of the public at large," said Patrick Wardle, the research director at cybersecurity firm Synack and one of the top Apple hackers around.

But Zerodium has a different point of view. CEO Chaouki Bekrar explained via email that he's on a mission to help law enforcement investigate with better tools at its disposal.

"The recent saga between the FBI and Apple shows the most fascinating aspect of the zero-day business, which is the necessity for government agencies to obtain access to unpatched flaws to properly conduct investigations and save lives," he wrote.

Bekrar said the alternative is much worse: governments demanding that companies give them full, legal access to devices everywhere through a back door. That's something the FBI was requesting until it ultimately managed to find a way to hack the iPhone of the San Bernardino shooter.

Zerodium's CEO says the company is picky about whom it does business with, accepting money only from "major corporations and government organizations from western countries."

An aggressive business model

There's a very different -- and more benevolent -- way to deal with these kinds of risky computer flaws. Big tech companies offer "bug bounties," typically cash prizes given to researchers who spot nasty weak spots.

Google uses a bug bounty program to make its Android phones safer, and Facebook has paid $40,000 to spot bugs. Others take creative approaches. Uber has a new loyalty reward program for hackers, while United Airlines gave two hackers 1 million frequent flyer miles.

Those bug bounties make everyone's devices safer. Zerodium's business model only protects its customers.

"Hackers might be more apt to create weapons that can actively keep users at risk -- rather than disclosing it to us," said Denelle Dixon-Thayer. She's the chief legal officer of Mozilla, maker of the web browser Firefox.

Nonprofit Mozilla says it's rewarded researchers for spotting 260 bugs in the past two years, paying around $3,000 on average. But compare that to Zerodium, which openly advertises it'll pay up to $30,000 for a Firefox hack.

Dixon-Thayer said there's now direct pressure on tech companies everywhere to raise their bug bounty prices -- making computer security even more expensive.

That might not be a problem for deep-pocketed Big Tech companies like Apple or Google, but it's a huge problem for the Internet's most popular open source projects, which are funded by donors and run by volunteers. (Bekrar said neither Apple (AAPL, Tech30) nor Google (GOOGL, Tech30) are customers.)

For example, OpenSSL secures an incredible amount of online communication like banking, email and social media, but its budget is tiny. The latest sign of federal government support came in the form of a single $20,000 renewal contract from the Department of Defense in 2014.

Yet Zerodium will pay up to $40,000 for a flaw in OpenSSL -- one like Heartbleed, the terrible Internet bug that threatened businesses and governments worldwide.

"It's an unbalanced playing field," said Casey Ellis, CEO of Bugcrowd, a company that runs one of the largest bug bounty programs. "There's more incentive for people to drop cash on an exploit for offense than for raising defenses."

It's imbalanced by design.

"Offense market prices are very high to purchase silence and are designed to prolong the use of the exploit for as long as possible," said Katie Moussouris. She's a bug bounty expert who just founded her own consulting firm, Luta Security, to help companies and governments work with hackers to improve their defenses.

And Zerodium isn't the only company selling zero-days to the highest bidder. Experts who closely watch the zero-day market say this business is also conducted by government contractors, like weapons maker Lockheed Martin (LMT), consultants at the RAND Corp and the Florida-based Harris Corporation, which makes a police phone-tracking tool called the Stingray.

Austin-based Exodus Intelligence, for example, publicly acknowledges that it's kept hacks secret so that customers "could use the 0-day for as long as required before it was patched."

And some engage in questionable behavior. Just last year, the Italian firm Hacking Team was caught selling spy tools to evil governments.

It's an arms race out there.
