Will anyone come up with a zero-day remote exploitation of iOS 12.x without user interaction?

Vulnerability broker Zerodium is offering a stonking two million dollars to anybody who could come up with a zero-day remote exploit for iOS 12.x.

Why is Zerodium offering such a huge amount of money? Simple. Because they believe that they can make a profit by selling it onto others.

Vulnerability brokers like Zerodium offer huge sums of cash to vulnerability researchers if they can uncover ways to crack into operating systems, which are ultimately sold on to their customers. And what do their customers do with them?

Well, it would be nice to think that vendors like Apple, Google, and Microsoft snaffle up the bugs and use the information to patch their systems. But the truth is I suspect that the majority of Zerodium’s customers are governments and intelligence agencies who use the zero-day exploits to spy on suspected criminals, terrorists, persons of interest, and foreign nations.

And those types of customers don’t want vendors like Apple, Microsoft, and Google to patch the bugs. As soon as a zero-day is patched, its value drops enormously – especially on a platform like iOS where a high percentage of devices are updated with the latest security fixes in a timely fashion.

Many software and hardware manufacturers do offer bug bounties to researchers who uncover and disclose vulnerabilities in a responsible fashion, ensuring that a patch is produced for the increased safety of all internet users. But you’ll be hard pressed to find a tech company prepared to pay as much as an intelligence agency which wants to use a vulnerability to remotely spy on a smartphone without its owner suspecting a thing.

Thankfully, not all vulnerability researchers are purely driven by maximising the amount of money they can make from their discovery. Many feel passionately about the importance of privacy, and would be revolted by the thought that an oppressive government could use it to spy upon its citizens.

We shouldn’t be naive though. There’s something else going on here.

The huge amounts of money offered by the likes of Zerodium for remote iOS exploits do indicate that there is a demand from intelligence agencies for such zero-day vulnerabilities, and also that they’re not easy to pull off on the platform. This in itself might make some potential targets feel more comfortable using iPhones than an Android smartphone.

But further than that it keeps Zerodium’s name in the headlines and raises their profile. I guess, from that point of view, this very article has played into their hands. :(

We only have Zerodium’s word for it that they would ever give such a large amount of money to someone who came up with a way of remotely jailbreaking an iPhone without the user having to do a single click (if the jailbreak you submit to Zerodium requires some user interaction, Zerodium will lower the prize to a paltry US $1.5 million).

The governments and intelligence agencies buying the vulnerability are hardly going to announce that they’ve eagerly bought the goods, and I find it hard to imagine researchers going public with their massive pay-out.

The end result is this: if a way of remotely jailbreaking an iPhone running iOS 12.x without user interaction is discovered and reported to Zerodium rather than Apple, all users are put at risk.

For more discussion on this issue, why not listen to this episode of the “Smashing Security” podcast:
