People still maintain that iOS is “more secure” than Android. Really? ‘iOS security is f**ked’ says exploit broker Zerodium: Prices crash for taking a bite out of Apple’s core tech.
Apparently the COVID-19 lockdown gave the hackers a LOT of time to ply their craft, and maybe a bit of financial incentive.
Five years ago, Zerodium offered a $1m reward for a browser-based, untethered jailbreak in iOS 9. On Wednesday, the software exploit broker said it won’t pay anything for some iOS bugs due to an oversupply.
“We will NOT be acquiring any new Apple iOS LPE [local privilege escalation], Safari RCE [remote code execution], or sandbox escapes for the next two to three months due to a high number of submissions related to these vectors,” the company said via Twitter.
If you’re a hacker you can sell vulnerabilities to the SW/HW provider, or you can sell to Zerodium, and “feed the beast.” Zerodium pays more. Or at least they did.
They have SO MANY remote code execution bugs for iOS/Safari – the hackers dream vulnerability – that they won’t be accepting anything new. And yet people still try to convince me that iOS is more Secure than Android, because it is SECRET. Once again, obscurity does not equal security. Is it even necessary to state that anymore? The Enigma Machine the Germans used in WWII was obscure. It turned out it was not secure. Things haven’t changed that much since then. All the hard-coded back-doors into servers and routers that were put there in the early 2000s, because “How would anyone find this?” have been a problem since forever. But I’m sure the iOS issues are more of the software bug variety.
“There are likely a lot of hackers stuck at home with extra time on their hands, or perhaps who have lost their jobs or are in a financial squeeze, as is a large portion of the population,” said Wardle.
Add time and financial motivation, he said, and you get more bugs.
COVID-19. The gift that keeps on giving.