
"iOS Security is fucked" -Zerodium Stops Accepting iOS Exploits Because of too Many Submissions

LAwLz

Well, well, well, how the turntables... Turn...

 

Zerodium, an American information security company that pays security researchers to submit exploits in various programs, has stopped accepting certain submissions for iOS.

To be more precise, they have stopped accepting exploits for iOS LPE (local privilege escalation), Safari RCE (remote code execution) and sandbox escapes due to "high number of submissions".

 

In other words, so many people are finding exploits in iOS which allow remote code execution or privilege escalation that Zerodium no longer wants to know about all the new ones being found.

Or as the CEO of the company a bit more bluntly said:

As Chaouki says, security in iOS is next to none (at least for code execution). The few things holding it together are PAC (Pointer Authentication Codes, an ARM feature) and the fact that a lot of the exploits don't survive a reboot.

 

This is in stark contrast to Android where the bounty has gone up over the years, and Android exploits are now more valued than iOS ones.

 

 

There seem to be two explanations for this.

1) iOS 13 has been far buggier than previous iOS releases. It has actually been so bad that Apple has overhauled the company's internal testing process to not make the same mistakes with the release of iOS 14.

 

2) It wasn't until December last year (so about half a year ago) that Apple had a public bug bounty program at all. That, coupled with the fact that Apple has been very hostile towards people who have tried to reverse engineer and pick apart their products, has made it so that people haven't been interested in looking into iOS security. Or at the very least, the exploits found have not been reported publicly. It's now been a few years since companies like Zerodium started offering money for iOS exploits, and that coupled with lots of people being at home in quarantine might have resulted in people looking into Apple products more.

 

 

Ryan Naraine from Intel has dismissed Zerodium's comments as "pure PR", which might be true because they are getting lots of PR right now.

Patrick Wardle from Jamf Security somewhat agrees with Ryan but also thinks there is some legitimacy to the claims.

 

 

Sources: Twitter as posted above, as well as The Register and cyberscoop.

 

 

Personal opinion since that's necessary: I agree with Patrick that it's probably a bit of a PR stunt, but also a real issue. I also think it's important to distinguish between the various different "categories" of security there are in a product. For example it seems like iOS still has better on-device encryption than Android. It also seems like from a privacy standpoint, iOS is also better. But for executing code from a browser, or gaining escalated privileges, Android (at least AOSP) is better. Which one is most relevant for the average Joe is up for debate.


This is what happens when you behave hostile towards the people working into your system with good intentions. The ones with bad intentions will still find the exploits, Tim!


People keep screaming about iOS 13 bugs and I'm like, what bugs? Had basically no issues since day one.

 

Also, I wonder how many of the reported exploits are actually valid...


I shall only describe this with 2 statements:

Apple's Ego.

They want TOTAL control of their Ecosystem. (at what cost ?)


2 hours ago, RejZoR said:

People keep screaming about iOS 13 bugs and I'm like, what bugs? Had basically no issues since day one.

 

Also, I wonder how many of the reported exploits are actually valid...

Yeah I’ve not had an issue with iOS 13 yet.


Have to shake my head at the people blindly lashing out at Apple even as outside experts say that Zerodium's claims are full of hype and not as dire as they're made out to be.

 

I'm not so naive as to think iOS is completely airtight, but remember that some security researchers thrive on exaggerating threats to draw publicity.  It's easy to get attention if you say iOS security is ruined and don't have to explain the flaws (not that they should, since they should still honour disclosure policies); don't be surprised if it turns out that the flaws disclosed post-patch aren't nearly as exciting as they sounded before.

 

I'm not under the illusion iOS is rock-solid security wise, but it is odd to hear people lashing into it as they cheer on Android, a platform known for poor security update policies, poor oversight of app submissions and more real-world malware attacks.  I still find it wild that Google lets OEMs release security updates as far apart as 90 days from each other.  Imagine if Dell or HP was allowed to skip some vital Windows patch because they didn't 'feel' like delivering it... there'd be riots!


9 minutes ago, Commodus said:

I still find it wild that Google lets OEMs release security updates as far apart as 90 days from each other.  Imagine if Dell or HP was allowed to skip some vital Windows patch because they didn't 'feel' like delivering it... there'd be riots!

Dell and HP don't customise Windows to suit their hardware at the source code level.


4 hours ago, Ashley xD said:

at least there aren't apps that contain malware on the front page of the app store. 

 

like there were on the play store. 

 

numerous times. 

Who needs malware there when you can deliver it through a browser. Not the first time this has happened, remember when you could jailbreak an iOS device through Safari?


1 hour ago, Curious Pineapple said:

Dell and HP don't customise Windows to suit their hardware at the source code level.

I know, it's a theoretical exercise.  If Windows PC update delivery worked the way it does on Android people would be fuming, but somehow the "we don't feel like delivering that security update right now" mindset is acceptable with Google's platform.


1 hour ago, Commodus said:

I know, it's a theoretical exercise.  If Windows PC update delivery worked the way it does on Android people would be fuming, but somehow the "we don't feel like delivering that security update right now" mindset is acceptable with Google's platform.

You're right.  Android's actually pretty new to the game when you think about when Windows released, Microsoft had its years of crippling security holes and learned a lot from it. HP and Dell don't modify the Windows source or have any control over when updates reach the devices (thank God), but I'm sure if they did we would see a similar thing as we do on Android. Dell and HP neglecting their non-flagship, non-enterprise devices and not pushing out patches as frequently on them despite them having the same vulnerabilities.

 

I think Google has learnt a lot about security, and there's been a lot of improvements to the Android architecture that improve security.  There are at least some patches, which is better than it was before.  My work phone gets monthly security updates.  But I think in the end what Google is going to have to do is force every manufacturer who chooses to install the Google apps on their device (like Play store, Gmail, Youtube, etc) to register for Android One and push out regular security updates.

 

In the end, Android is an open operating system and so Google can only control their offering of the product and downstreams, sort of like RedHat and Linux.

 

6 hours ago, StDragon said:

"Never trust anyone but yourself; and even that should heed caution"

 

#paranoia 

I don't think anyone is paranoid about this. You'd have to go to some pretty gnarly sites to get smacked in the face with a zero-day undisclosed iOS exploit.  Most of this stuff would be used for targeted purposes, and even then there would have to be some attack surface.

 

As long as you stay to clean websites, open reputable emails, and connect to secure wifi networks with your iPhone you'll be fine.  Can't say how many iOS users will actually do that, but in the end it's Apple's problem to fix. Fingers crossed they act good about this and push out a huge security update and push it to all devices that run iOS 13 and not just the next supported devices.

 

7 hours ago, Void Master said:

I shall only describe this with 2 statements:

Apple's Ego.

They want TOTAL control of their Ecosystem. (at what cost ?)

Closed source does have security benefits (arguably), but even if they are closed source they should get multiple very in-depth security audits by independent security firms to make sure their software is patched as much as it can before it goes live. 

 

Having bug bounties doesn't really take away your control from the ecosystem, if anything it puts you back in control, because instead of having hackers release exploits for your software, you are giving them a reason to disclose it to you so you can better secure your systems.

 

Apple just likes to keep everything as internal as possible, but with the way the world is headed, that's going to become borderline impossible while maintaining good security.

It's also very important they get their code reviewed by many independent security firms so they get a wide base of vulnerabilities.

7 hours ago, Ashley xD said:

at least there aren't apps that contain malware on the front page of the app store. 

 

like there were on the play store. 

 

numerous times. 

That's true, Apple's always been very good with regulating Apps.  And I would have to say I think malware on stock iOS is practically non-existent.  Exploits are definitely there though, as they are on Android as well.

 

You bring up a good point though, what's more likely to impact a general end user?  Some undisclosed remote code execution vulnerability or malicious apps in an app store you trust?  I would say the latter.


8 hours ago, Ashley xD said:

at least there aren't apps that contain malware on the front page of the app store. 

 

like there were on the play store. 

 

numerous times. 

Doesn't necessarily say a ton about either Google's or Apple's app review team or whatever. Android is just by FAR the more used platform. This is similar to the whole "Windows has tons more viruses than Linux" thing. I mean, yeah, it's true, but I bet that if the majority of computer users were on Linux, Windows would be seen as the "more secure" with less viruses.

 

EDIT: I just watched your username change while I was writing this reply, wtf


32 minutes ago, Akolyte said:

As long as you stay to clean websites, open reputable emails, and connect to secure wifi networks with your iPhone you'll be fine.

I hate this excuse for poor security.  You know it's really hard to avoid dirty websites when the average user is trying to navigate the internet with only google for directions and a very basic knowledge of how malware works. Hell, even us experienced users who understand what sites to visit and when to close the browser and start again still get caught out occasionally, the last thing you need is a zero click exploit because it's too late once you're on the site to realize it wasn't the site you thought it was. 

 

Some phishing emails are actually very convincing, especially to the average user who is tired/not with it for whatever reason.  Kids sometimes click things for all sorts of different reasons.   And what defines a reputable wifi network?  If malware can be injected into mainstream software that many tech enthusiasts (self proclaimed experts) are downloading then they can find ways to manipulate and use public facing wifi to do the same thing.

 

There may have been a window in the late win 7 early win 10 days when defender and common sense was enough to avoid malware/viruses ( I never saw it really),  but that is not the case anymore.  Now that all services are online all the non tech oriented consumers are using the net for everything from shopping to banking and even health care/government form lodging and tax.  It is more important than ever to ensure ios/android/windows/macos are all on top of security.

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


I got a tech support scam popup ad on eBay last year, eBay of all places. That plus a browser exploit is going to be a bad day.


2 hours ago, Curious Pineapple said:

I got a tech support scam popup ad on eBay last year, eBay of all places. That plus a browser exploit is going to be a bad day.

Online advertisement is high volume but low margin. Many of these 3rd party hosted advertisement providers run on a shoestring budget because it's so competitive. There are large swaths of un-patched servers out there tasked to hosting the banner ads. All it takes is one of them to get hacked and soon they serve drive-by malware as those infected ad servers rotate into view.


Probably every exploit starts with some absurd prerequisite like having root access or MDM.


7 hours ago, Akolyte said:

That's true, Apple's always been very good with regulating Apps.  And I would have to say I think malware on stock iOS is practically non-existent.  Exploits are definitely there though, as they are on Android as well.

 

You bring up a good point though, what's more likely to impact a general end user?  Some undisclosed remote code execution vulnerability or malicious apps in an app store you trust?  I would say the latter.

yeah, i'm not denying that iOS has exploits, of course it does. but using common sense works a lot better on iOS because even installing apps from a bundled store on android can infect your device. 

 

 

7 hours ago, kelvinhall05 said:

Doesn't necessarily say a ton about either Google's or Apple's app review team or whatever.

oh yes it does. a lot. 

 

 

7 hours ago, kelvinhall05 said:

Android is just by FAR the more used platform. This is similar to the whole "Windows has tons more viruses than Linux" thing. I mean, yeah, it's true, but I bet that if the majority of computer users were on Linux, Windows would be seen as the "more secure" with less viruses.

malicious apps on the play store have nothing to do with marketshare, it's just plain careless on google's part. 

 

now yes, i will agree that the amount of malware for android could partly be explained by the marketshare but not entirely. there is just so much more of it on android, and i suppose that's helped by companies like Epic Games telling users to enable the setting to install apk files that aren't from the play store. when you enable that setting it's asking for trouble, especially if you don't understand what it does. 


11 hours ago, Curious Pineapple said:

Who needs malware there when you can deliver it through a browser. Not the first time this has happened, remember when you could jailbreak an iOS device through Safari?

it only gets delivered through a browser if you visit a malicious site, and this is true for all platforms, not just iOS or android. it's sad that people liked that post, but whatever. you need to use common sense browsing the web on all platforms. 


5 minutes ago, Ashley xD said:

malicious apps on the play store have nothing to do with marketshare, it's just plain careless on google's part. 

Apple's process is a lot more rigorous when compared to Google.

Google was/is very lenient as to what they allow on their store, so that made it come back to bite them in the butt a number of times.

 

I hear that it's better right now (on Google), but it's still easier for people to post their apps on Google play when compared to Apple's App store.


2 minutes ago, lewdicrous said:

but it's still easier for people to post their apps on Google play when compared to Apple's App store.

that's a bad thing. you make it sound like apple is evil for making sure that its app store is secure.


Just now, Ashley xD said:

that's a bad thing. you make it sound like apple is evil for making sure that its app store is secure.

What? I didn't mention good or evil and I wasn't insinuating anything of the sort.


8 hours ago, kelvinhall05 said:

Doesn't necessarily say a ton about either Google's or Apple's app review team or whatever. Android is just by FAR the more used platform. This is similar to the whole "Windows has tons more viruses than Linux" thing. I mean, yeah, it's true, but I bet that if the majority of computer users were on Linux, Windows would be seen as the "more secure" with less viruses.

To publish on the Apple store, you actually are paying $99/year...so it is more restrictive in getting Apps on the store itself...so to publish malware it costs at least $99, with Android it is only $25.


55 minutes ago, Ashley xD said:

that's a bad thing. you make it sound like apple is evil for making sure that its app store is secure.

Okay, we get it. You are an Apple user and obviously hate Android, either way Apple is fucked. 🤷‍♂️

 

1 hour ago, Ashley xD said:

now yes, i will agree that the amount of malware for android could partly be explained by the marketshare but not entirely.

Well, you're about to see a change in "amount of malware".
