In an exceptional move on 18th of Nov (Wednesday), the Zerodium (Zero-day broker) published a price list for various classes of software targets and digital intrusion methods that is purchased from cyber criminals and resells to consumers like intelligence agencies and governments.
The chart, which describes the sums it pays for the techniques that effect a lot of operating systems and applications, symbolizes one of the most comprehensive views yet into the provocative and dark market for secret hacker activities.
“The first rule of [the] 0days biz is to never discuss prices publicly. So guess what: We’re going to publish our acquisition price list.” said Chaouki Bekrar, CEO of Zerodium.
According to the Zerodium, if an attack on a computer or remotely take control the user’s PC via her/his Internet Explorer or Safari, for example, fetches a cost of maximum $50,000. If the target is quite harder, like Google Chrome, the price will be $80,000. The price will increase further to $100,000 if the target is Windows phone device or Android. The price increment is not stopped here, iOS attack can earn an attacker $150,000, so far the top price on the chart.
Check out the Zerodium Chart below:
The firm explicitly advises brokers that any zero-day vulnerability we purchases must be for Zerodium’s eyes just; enterprising attackers cannot resell it to other customers or reveal it to the software’s seller, who might issue a patch that shields victims and renders the hack impractical. Zerodium specifies that it’ll pay the listed costs just for “exclusive, original, and previously unreported vulnerabilities.”
We can say, in other words, Zerodium is keeping its methods under wraps for its users. As per Zerodium FAQ page their customers include, “government organizations in need of specific and tailored cybersecurity capabilities.” On the other hand, Bekrar says, our customers pay subscription fee’s of minimum $500,000 annually for access to its vulnerabilities.
“Apple iOS, like all operating system, is often affected by critical security vulnerabilities, however due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple’s iOS is currently the most secure mobile OS. But don’t be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here’s where the Million Dollar iOS 9 Bug Bounty comes into play.” said Zerodium in September.
In 2013, Muckrock requested to A Freedom of Information showed that NSA is one of the clients of Vupen. Openly trading in private intrusion methods has also made Zerodium’s CEO an easy object for criticism. Justin Schul from Google called Bekrar an “ethically challenged opportunist.” While on the other hand, Chris Soghoian a technologist called him Bekrar’s Vupen a “modern-day merchant of death,” selling “the bullets for cyber war.”
As per the Zerodium’s list, an iOS vulnerability is still top of the chart. Apple consumers may be discouraged to hear that the ability to attack their private device is as much a product as any other attacking method. However, nonetheless it is an exclusive one.
Ali Qamar is an Internet security research enthusiast who enjoys “deep” research to dig out modern discoveries in the security industry. He is the founder and chief editor at Security Gladiators, an ultimate source for cyber security. To be frank and honest, Ali started working online as a freelancer and still shares the knowledge for a living. He is passionate about sharing the knowledge with people, and always try to give only the best. Follow Ali on Twitter @AliQammar57
(Security Affairs – Zerodium, Zero-Day)