Cybersecurity firm offers millions for Apple's iOS 9 exploit


Apple's iOS development platform was infected by the "XcodeGhost" Trojan, which turned a large number of iOS applications into "malware". This major incident completely shattered the "myth" that "Apple iOS is more secure than Android". Many Apple fans were surprised that Apple phones and tablets were so vulnerable!

Apple's iOS has far more vulnerabilities than the one mentioned above. According to foreign media reports, a foreign security company recently announced that it will spend up to $3 million to purchase "zero-day vulnerabilities" in Apple's iOS 9 operating system.

A "zero-day vulnerability" is one that hackers exploit to launch attacks so quickly after it is exposed that the vendor does not even have time to release a patch. In the hackers' gray-market supply chain, "zero-day vulnerabilities" are worth far more than regular vulnerabilities.

According to the US technology news website "Wired", on Monday a company called Zerodium announced that it would offer $1 million for "zero-day vulnerabilities" in the iOS 9 operating system. In addition, if a vulnerability is valuable enough, the company is willing to pay up to $3 million for it.

This is the highest price that a security company or an intelligence agency seeking software vulnerabilities has ever offered for a single vulnerability.

The iOS 9 vulnerabilities the company is collecting can be used to attack Apple phones or tablets remotely, or to attack Apple devices through web applications, mobile software, or even traditional text messages.

The company said that through continuous enhancement of security performance, Apple iOS is currently the most secure mobile operating system, "but don't be fooled, security does not mean unbreakable." The company said that so-called security only means that the complexity and cost of hackers exploiting vulnerabilities in its software to launch attacks are the highest.

The company has not announced what it will do with the collected iOS vulnerabilities.

Zerodium's founder, Chaouki Bekrar, is reportedly a well-known figure in the so-called gray market for security vulnerabilities. In addition to this security company, he also started a company called Vupen in Paris, France.

The French company's controversial business involves developing exploits for well-known software and then transferring the vulnerabilities and attack methods to government intelligence agencies around the world.

The US media pointed out that by collecting iOS 9 vulnerabilities at high prices, Bekrar has actually become a kind of "hacker middleman".

In the more mainstream cybersecurity industry, a security company that discovers a vulnerability reports it to the vendor, such as Microsoft, Apple, or Google, so that a patch can be developed. After the patch is released, the security company publishes the vulnerability at industry conferences and similar venues to improve its reputation in the industry. In addition, companies such as Apple and Google also reward those who actively report vulnerabilities with cash.

If the relevant manufacturers ignore the issue, some security companies and experts will take the initiative to report the incident to the technology media, reminding users of related products to pay attention to safety precautions.

Unlike this conventional practice, Bekrar and his company Vupen do not proactively report vulnerabilities, but seek profit by transferring them. However, it is not known whether the company's transfer targets include bad guys and criminal organizations.

The existence of the gray market for security vulnerabilities is no secret. Companies such as Google and Microsoft spend a lot of money to solicit vulnerabilities in their own software from the security industry.

According to US media reports in July, the US Navy's intelligence department also "purchased" security vulnerabilities of well-known software from the security industry, including binary programs that can launch network attacks. These vulnerabilities are "zero-day vulnerabilities" or "N-day vulnerabilities."

Previously, Reuters reported that the U.S. government intelligence agencies are the world's largest buyers of "zero-day vulnerabilities", and the starting price of high-value "zero-day vulnerabilities" that have not yet been made public is as high as $50,000.
