Skip to content
WANTED

Zeroday exploit prices are higher than ever, especially for iOS and messaging apps

As security improves, demand for hacks grows, creating a super-heated market.

Dan Goodin | 45
Close-up image of phones prominently displayed on a wooden table in a brightly lit, streetside store.
iPhones are seen at an Apple Store in Tianjin, China. Credit: Zhang Peng/LightRocket via Getty Images
iPhones are seen at an Apple Store in Tianjin, China. Credit: Zhang Peng/LightRocket via Getty Images
Story text

spacThe prices for James Bond-style hacks keep growing, especially for those that hijack iPhones and secure messaging apps. It's the latest sign that governments and police forces around the world are as eager as ever to exploit software that's becoming ever more difficult to compromise.

On Monday, market-leading exploit broker Zerodium said it would pay up to $2 million for zero-click jailbreaks of Apple's iOS, $1.5 million for one-click iOS jailbreaks, and $1 million for exploits that take over secure messaging apps WhatsApp and iMessage. Previously, Zerodium was offering $1.5 million, $1 million, and $500,000 for the same types of exploits respectively. The steeper prices indicate not only that the demand for these exploits continues to grow, but also that reliably compromising these targets is becoming increasingly hard.

"I think one conclusion is that targets are getting harder to exploit," Patrick Wardle, a former hacker for the National Security Agency and now a cofounder of Digital Security, told Ars. "But also another is that there is now a higher demand for exploits." He continued:

A lot of times, clients/buyers don't want to share exploits—so [it] might be exclusive access. If there are now more buyers, [it] means more demand, means the price will go up. I imagine it's a good time to be a bug hunter/exploit developer. And [it] should continue to be a wakeup call for companies to realize that having a comprehensive bug bounty program is a must.

Single-click and no-click exploits

The types of exploits sought by Zerodium are those that reliably compromise the targeted device or app without any indication to their users. Police and nation-sponsored spies around the world rely on these types of attacks to intercept messages from criminals, terrorists, and other targets and to monitor their whereabouts and online activities in real time.

Sometimes, activists and dissidents are also targeted by such exploits, as was the case in 2016. That's when a dissident in the United Arab Emirates was targeted by malware that required only that he click on a Web link to infect his iPhone. A one-click jailbreak fetching $1.5 million from Zerodium is comparable to the exploit that targeted the dissident. (The 2016 attack, which exploited what were then three separate unpatched vulnerabilities in iOS, was developed by Israel-based NSO Group and has no known link to Zerodium.) Once the link was clicked, the exploit would give attackers complete control over the infected iPhone.

The dissident, however, was never infected because he suspected the link included in a text message was a trap, and he asked security experts to intervene. The zero-click exploit for which Zerodium is offering $2 million presumably would have worked anyway. As implied, it would give attackers the same control but wouldn't require a target click on any link to become infected.

Monday's updated list also doubled the prices for attacks that exploit messaging apps WhatsApp and iMessage. Interestingly, exploits for Signal—an encrypted messaging app that's considered the gold standard by many technologists, journalists, and lawyers—remained at $500,000, the same price as before. The relatively larger user base for WhatsApp and iMessage are likely driving the price differences announced Monday.

Zerodium announced increases for a variety of other exploits, including:

  • $1 million for zero-click remote code-execution attacks in Windows (previously $500,000)
  • $500,000 for remote code-execution exploits in Chrome that escape the security sandbox (previously $250,000 or $200,000, depending on the OS)
  • $500,000 for Apache or Microsoft IIS RCEs, i.e., remote exploits via HTTP(S) requests (previously $250,000)
  • $500,000 for local privilege escalation attacks against Safari that include a sandbox escape (previously $200,000
  • $250,000 for Outlook RCEs, i.e., remote exploits via a malicious email (previously $150,000)
  • $250,000 for PHP or OpenSSL RCEs (previously $150,000)
  • $250,000 for Microsoft Exchange Server RCEs (previously $150,000)
  • $200,000 for VMWare ESXi virtual machine escapes, i.e., guest-to-host escape (previously $100,000
  • $200,000 for Local privilege escalation to either kernel or root for Android or iOS (previously $100,000)
  • $100,000 for Local pin/passcode or Touch ID bypass for Android or iOS (previously $15,000)
  • $80,000 for Windows local privilege escalation or sandbox escape (previously $50,000)

Zerodium has said it sells the exploits only to lawful governments, but it has never provided details to verify those claims. It has been one of the top brokers for exploits since it made its debut in 2015 with a pledge of $1 million for reliable iOS exploits and a large number of other platform and apps. Since then, Zerodium has steadily increased those amounts.

Wardle, the former NSA hacker, said he has no reason to doubt Zerodium is making a good living paying those sums.

"I know of lots of full remote iOS exploit chains... so they are definitely out there," he explained. "And I know of customers that will pay more than $1.5 for those. So I see no reason to doubt that Zerodium both buys and sells (for a profit) such bugs."

Listing image: Zhang Peng/LightRocket via Getty Images

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at @dangoodin on Mastodon. Contact him on Signal at DanArs.82.
45 Comments
Prev story
Next story