
Price of zero-day exploits rises as companies harden products against hackers

Tools that allow government hackers to break into iPhones and Android phones, popular software like the Chrome and Safari browsers, and chat apps like WhatsApp and iMessage are now worth millions of dollars, and their price tags have multiplied in recent years as these products become harder and harder to hack.

On Monday, startup Crowdfense released its updated price list for these hacking tools, commonly known as “zero-days” because they rely on unpatched vulnerabilities in software that are unknown to the software’s makers. Companies like Crowdfense and one of its competitors, Zerodium, say they acquire these zero-days with the aim of reselling them to other organizations, usually government agencies or government contractors, who say they need hacking tools to track or spy on criminals.

Crowdfense is now offering between $5 million and $7 million for zero-days to break into iPhones, up to $5 million for zero-days to break into Android phones, up to $3 million and $3.5 million for Chrome and Safari zero-days respectively, and $3 million to $5 million for WhatsApp and iMessage zero-days.

In its previous price list, published in 2019, the highest payouts Crowdfense offered were $3 million for Android and iOS zero-days.

The price increase comes as companies like Apple, Google and Microsoft are making it harder for their devices and apps to be hacked, meaning their users are better protected.

“The software and devices we use are expected to get more difficult to exploit every year,” said Dustin Childs, threat awareness manager at Trend Micro ZDI. Unlike Crowdfense and Zerodium, ZDI pays researchers to acquire zero-day vulnerabilities and then reports them to the affected companies with the goal of getting the vulnerabilities patched.

“As more zero-day vulnerabilities are discovered by threat intelligence teams like those at Google and platform protections continue to improve, the time and effort required from attackers increases, which drives up the cost of their discoveries,” said Shane Huntley, head of Google’s threat analysis group, which tracks hackers and the use of zero-days.

In a report last month, Google said it saw hackers using 97 zero-day vulnerabilities in 2023. Spyware vendors, who often work with zero-day brokers, were responsible for 75% of the zero-day vulnerabilities targeting Google and Android products, according to the company.

Those in the zero-day industry agree that the task of exploiting vulnerabilities is becoming increasingly difficult.

David Manouchehri, a security analyst with knowledge of the zero-day market, said that “hard targets like Google’s Pixel and the iPhone are getting harder to hack every year. I expect the cost to continue to increase significantly over time.”

“The mitigation measures implemented by suppliers are working, and it makes the whole trade much more complicated, much longer, and so this is clearly reflected in the price,” Paolo Stagno, research director at Crowdfense, told TechCrunch.

Contact us

Do you know of any other zero-day brokers? Or spyware providers? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email. You can also contact TechCrunch via SecureDrop.

Stagno explained that in 2015 or 2016, it was possible for a single researcher to find one or more zero-days and develop them into a full-fledged exploit targeting iPhones or Android phones. Today, he says, “this thing is almost impossible” because it requires a team of several researchers, which also drives up prices.

Crowdfense currently offers the highest publicly known prices to date outside of Russia, where a company called Operation Zero announced last year that it was willing to pay up to $20 million for tools to hack iPhones and Android devices. Prices in Russia, however, could be inflated by the war in Ukraine and the resulting sanctions, which could discourage or outright prevent people from dealing with a Russian company.

Out of public view, governments and businesses may pay even higher prices.

“The prices Crowdfense is offering researchers for individual Chrome exploits (Remote Code Execution) and (Sandbox Escape) are below market price compared to what I’ve seen in the zero-day industry,” said Manouchehri, who previously worked at Linchpin Labs, a startup that focused on developing and selling zero-days. Linchpin Labs was acquired by US defense contractor L3 Technologies (now known as L3Harris) in 2018.

Alfonso de Gregorio, the founder of Zeronomicon, an Italy-based startup that acquires zero-days, agreed, telling TechCrunch that prices could “definitely” be higher.

Zero-days have been used in court-approved law enforcement operations. In 2016, the FBI used a zero-day provided by a startup called Azimuth to break into the iPhone of one of the shooters who killed 14 people in San Bernardino, according to the Washington Post. In 2020, Motherboard revealed that the FBI – with the help of Facebook and an unnamed third-party company – used a zero-day to track down a man who was later convicted of harassing and extorting young girls online.

There have also been several cases where zero-days and spyware were allegedly used to target human rights dissidents and journalists in Ethiopia, Morocco, Saudi Arabia and the United Arab Emirates, among other countries with poor human rights records. Similar cases of alleged abuse have also taken place in democratic countries such as Greece, Mexico, Poland and Spain. (Neither Crowdfense, Zerodium nor Zeronomicon has ever been accused of being involved in similar matters.)

Zero-day brokers, along with spyware companies like NSO Group and Hacking Team, have often been criticized for selling their products to unsavory governments. In response, some of them are now committing to comply with export controls to limit potential abuse by their customers.

Stagno said Crowdfense follows embargoes and sanctions imposed by the United States, even though the company is based in the United Arab Emirates. For example, Stagno said the company would not sell to Afghanistan, Belarus, Cuba, Iran, Iraq, North Korea, Russia, South Sudan, Sudan and Syria – all on US sanctions lists.

“Everything the U.S. does, we’re on alert,” Stagno said, adding that if an existing customer was on the U.S. sanctions list, Crowdfense would drop it. “All companies and governments directly sanctioned by the United States are excluded.”

At least one company, spyware consortium Intellexa, is on Crowdfense’s own blocklist.

“I can’t tell you if it was a client of ours and if it stopped being one,” Stagno said. “However, as far as I am concerned, Intellexa cannot be a customer of ours at this time.”

In March, the US government announced sanctions against Intellexa founder Tal Dilian and one of his associates. This was the first time the government imposed sanctions on individuals involved in the spyware industry. Intellexa and its partner company Cytrox were also sanctioned by the United States, making it more difficult for the companies and their executives to continue operating.

These sanctions have raised concerns in the spyware industry, as TechCrunch reported.

Intellexa’s spyware was allegedly used against, among others, US Congressman Michael McCaul, US Senator John Hoeven and European Parliament President Roberta Metsola.

De Gregorio, the founder of Zeronomicon, declined to say to whom the company sells its products. On its website, the company has published a code of business ethics, which includes screening customers to avoid doing business “with entities known to violate human rights” and respecting export controls.
