Spy firm Zerodium, a company that sells zero-day exploits to customers that include government agencies, has become the first “zero-day broker” to publish a full list of the prices it pays hackers for their skills. iOS exploits are by far the most expensive, netting some hackers half a million dollars each, while those that attack OS X can cost as little as $30,000.
Zerodium’s price chart covers everything from application exploits for web browsers and things like Adobe PDF Reader, and platform exploits for Mac, Windows, Android, and iOS. Some, like exploits for WordPress and MyBB, cost as little as $5,000.
Companies like Zerodium don’t normally divulge prices like this. CEO Chaouki Bekrar told Wired that “The first rule of [the] 0days biz is to never discuss prices publicly,” but Zerodium is doing it anyway, and the company believes that’s a good thing for hackers.
One thing Zerodium won’t disclose is its clients, though it does confirm that they include government agencies “in need of specific and tailored cybersecurity capabilities,” and corporate customers who it claims use the exploits for defensive purposes.
Some of these customers pay subscription fees for access to its exploits, which can cost at least $500,00 a year. The exploits themselves can net a hacker between $5,000 and $500,000, depending on the device, platform, and need.
For instance, remote code execution in web browsers like Firefox, Microsoft Edge, and Safari pay up to $30,000, but adding a sandbox escape increases it to $50,000. The same exploits for Google’s more secure Chrome browser pays up to $80,000.
Exploits for Android and Windows Phone can pay up to $100,000, but hackers who can break into iOS can earn up to $500,000 per exploit. Zerodium has even offered a “limited-time deal,” in which it agrees to pay $1 million to a team that could successfully compromise an iOS device that visited a malicious webpage through the Chrome or Safari browsers.
Zerodium will only buy exploits that are “original, exclusive, and previously unreported zero-day exploits,” and it insists that sellers do not make their hacks available to other companies. It also insists they should not disclose them to the software’s vendor.
It’s not totally clear why Zerodium has decided to go public with its price chart; some say it is a marketing technique, while others argue it’s good for hackers. For consumers, it proves that no matter which platform you choose, it can be compromised for the right money.
No comments:
Post a Comment