The million-dollar hack

Zerodium announced, some time ago, that it would pay one million dollars to anyone who managed to find a bug in iOS and, by exploiting it, remotely take control of a third party's iPhone. According to a tweet of theirs from a couple of days ago, it appears that a group of hackers has succeeded in bypassing iOS security, with an exploit launched from Safari, Chrome or a text message.

As TidBITS explains, Zerodium's aim is obviously not to report the flaw to Apple, but rather to resell it to third parties: government agencies, or whoever else shows an interest:

If Zerodium sounds like an arms dealer, you are exactly correct. This kind of activity isn’t illegal, but it isn’t exactly ethical, especially since these companies withhold exploit details from software vendors, to ensure they remain unpatched for as long as possible. This is quite different than “bug bounty” firms who intermediate between security researchers and software firms and outsource communications, negotiations, and validation of vulnerabilities and exploits. A bug bounty is cash paid by a company to researchers who find security issues in their products. It provides an incentive for researchers (and others) to report the bugs to the vendor for patching instead of making them public or selling them to bad guys.

Zerodium is a dangerous entrant into the market since they alter the economics of online security: now researchers can make more money by selling their bugs to Zerodium than notifying the vendor. Governments and other groups have long paid for exploits, but a broker increases the value of certain exploits, and will sell to multiple buyers, spreading the risks to users. This could pressure buyers to use their exploits more often and more quickly since they don’t know or trust other buyers, which may create a “race to exploit” before the value of their investments is lost.