The tools that allow government hackers to break into iPhones and Android phones, popular software like Chrome and Safari browsers, and chat apps like WhatsApp and iMessage are now worth millions of dollars, and the prices of these products has doubled in the last few years. It will be harder to hack.
On Monday, startup Cloudfence published an updated price list for these hacking tools. These hacking tools are commonly known as “zero-days” because they exploit unpatched vulnerabilities that are unknown to the software's manufacturer. Companies such as Cloudfence and one of its competitors, Zerodium, claim that they acquire these zero-days for the purpose of reselling them to other organizations, typically government agencies or government contractors. They say they need hacking tools to track and spy on criminals.
Cloudfence currently charges between $5 million and $7 million for zero-day intrusions on iPhones, up to $5 million for zero-day intrusions on Android phones, and up to $3 million and $3.5 million for zero-day intrusions in Chrome and Safari, respectively. , and is offering $3. Zero-day fees for WhatsApp and iMessage reach $5 million.
In a previous price list published in 2019, the highest price Cloudfence was offering was $3 million for Android and iOS zero-days.
The price increases come as companies like Apple, Google, and Microsoft make their devices and apps harder to hack, providing more protection for users.
“It's getting harder and harder to exploit the software and devices we use,” said Dustin Childs, Head of Threat Awareness at Trend Micro ZDI. Unlike CrowdFense and Zerodium, ZDI pays researchers to obtain zero-days and report vulnerabilities to affected companies with the goal of fixing them.
“As more zero-day vulnerabilities are discovered by threat intelligence teams like Google and platform protections continue to improve, the time and effort required of attackers increases, which in turn increases the cost of discovery. ” said Director Shane Huntley. Google's threat analysis group tracks hacker and zero-day usage.
Google announced in a report last month that hackers have exploited 97 zero-day vulnerabilities in 2023. Spyware vendors, who often work with zero-day brokers, were responsible for 75% of zero-day vulnerabilities targeting Google products and Android. According to the company.
Those in and around the zero-day industry agree that the job of exploiting vulnerabilities is becoming increasingly difficult.
“Hard targets like the Google Pixel and the iPhone are becoming harder to hack every year,” said David Manucelli, a security analyst familiar with the zero-day market. Costs are expected to continue to increase significantly over time. ”
“It's clear that the mitigation measures that vendors have put in place are having an effect, making the overall transaction more complex and time-consuming, and this is reflected in the price.” said Paolo Stagno, Research Director at Cloudfence. Tech Crunch.
Contact Us Do you know more about zero-day brokers or spyware providers? You can contact Lorenzo Franceschi-Bicchierai securely from any non-work device on Signal (+1 917 257 1382) or on Telegram, Keybase and Wire @lorenzofb, or email. You can also contact TechCrunch via SecureDrop.
Stagno explained that in 2015 or 2016, a single researcher could have discovered one or more zero-days and developed them into full-fledged exploits targeting iPhones and Android. did. “This is almost impossible today,” he said, because it requires a team of several researchers and the prices are soaring.
Cloudfence currently offers the highest publicly known price outside Russia, but a company called Operation Zero last year was willing to pay up to $20 million for tools to hack iPhones and Android devices. announced. But the Ukraine war and ensuing sanctions could push prices higher in Russia and deter people from doing business with Russian companies, or prevent them altogether.
Outside the public arena, governments and businesses may be paying an even higher price.
“The price Cloudfence is offering researchers for individual Chrome [Remote Code Execution] and [Sandbox Escape] From what I've seen in the zero-day industry, exploits are below market rates,” said Manucelli, who previously worked at Lynchpin Labs, a startup focused on zero-day development and sales. Lynchpin Labs was acquired by US defense contractor L3 Technologies (now known as L3Harris) in 2018.
Alfonso De Gregorio, founder of Zeronomicon, the Italy-based startup that is acquiring Zeroday, agreed, telling TechCrunch that the price “certainly” could be higher.
Zero-days are used in court-authorized law enforcement operations. In 2016, the FBI used a zero-day provided by a startup called Azimuth to hack into the iPhone of one of the shooters who killed 14 people in San Bernardino, according to the Washington Post. In 2020, Motherboard revealed that the FBI, with help from Facebook and an unnamed third-party company, used a zero-day to track down a man who was later convicted of harassing and blackmailing young girls online. I made it.
There have also been instances in which zero-days and spyware have been allegedly used to target human rights activists and journalists in countries with poor human rights records, including Ethiopia, Morocco, Saudi Arabia, and the United Arab Emirates. Similar incidents of alleged abuse have occurred in democracies such as Greece, Mexico, Poland and Spain. (Crowdfense, Zerodium, and Zeronomicon have never been accused of involvement in similar incidents.)
Zero-day brokers and spyware companies such as NSO Group and Hacking Team have often been criticized for selling their products to malicious governments. In response, some companies are now pledging to respect export controls to limit potential abuse by customers.
Stagno said that even though the company is based in the United Arab Emirates, Cloudfence is subject to embargoes and sanctions imposed by the United States. For example, Stagno said the company does not sell to Afghanistan, Belarus, Cuba, Iran, Iraq, North Korea, Russia, South Sudan, Sudan or Syria, which are on the U.S. sanctions list.
“Everything the U.S. does, we take the lead,” Stagno said, adding that Cloudfence would waive the U.S. sanctions list if any of its existing customers were placed on the U.S. sanctions list. He added: “All companies and governments that are directly sanctioned by the United States are excluded.”
At least one company, the spyware consortium Intellexa, is on Cloudfence's specific blocklist.
“We don't know if it was our customer or if it's no longer our customer,” Stagno said. “But as far as I'm concerned, Intellexa can't be our customer at this point.”
In March, the U.S. government announced sanctions against Intellexa founder Tal Dilian and his business associates, marking the first time a government has sanctioned individuals involved in the spyware industry. Intellexa and its partner company Cytrox have also been subject to sanctions from the United States, making it difficult not only for the companies but also for their managers to continue operating.
As TechCrunch reported, these sanctions are causing concern in the spyware industry.
Intellexa's spyware was reportedly used against US Representative Michael McCaul, US Senator John Hoven, European Parliament President Roberta Mezzola, and others.
Zeronomicon founder De Gregorio declined to say who the company sells to. The company publishes a code of business ethics on its website that includes avoiding doing business with “organizations known for human rights abuses” and vetting customers to comply with export regulations.