Bounty for Encrypted Messaging Exploits: $500,000
Zero-Day Exploit Vendor Zerodium Seeks Exploits for Signal, WhatsApp, Telegram
Governments continue to wring their hands over the bevy of encrypted messaging applications that make easy surveillance of suspects' electronic communications futile. But there is another option: finding software vulnerabilities that can undermine the security of applications such as Telegram, WhatsApp, Signal and more.
That's the market for Boston-based Zerodium, a broker of so-called zero-day software vulnerabilities, referring to flaws for which there is no patch. On Wednesday, Zerodium added a slew of encrypted messaging apps to the list of one-stop-pop exploits it wants to buy and resell to its shadowy clients.
Zerodium, in the theme of its tongue-in-cheek name, has a faux periodic table that describes what it will pay for certain kinds of software vulnerabilities. It says it will now pay up to $500,000 for either remote code execution or local privilege escalation vulnerabilities in such messaging applications as iMessage, Telegram, WhatsApp, Signal, Facebook, Viber and WeChat.
It has also bumped up the potential reward for the most sought and perhaps most rare category of vulnerabilities, which are ones for Apple's iOS mobile operating system.
Zerodium will pay up to $1.5 million for a remote iOS exploit that requires no interaction by a user and which is also "persistent" or remains accessible even after a device restart. A remote exploit without persistence, meanwhile, can garner up to $1 million, Zerodium says.
The increased focus on flaws in mobile apps is no surprise, writes the security researcher who calls himself the Grugq.
"The move to targeting mobile apps for exploitation is predictable, it happened on desktop as well," he writes via Twitter. "It makes more sense on mobile too."
"Mobile apps are well sandboxed (compared to desktop), but the targeted apps - primarily chat - have complete access to the relevant data." - the grugq (@thegrugq), August 23, 2017
Technology companies have increasingly sought to shift the burden of defending data to users. They've done that, technologically speaking, by engineering so-called end-to-end encryption systems, which leave the encryption and decryption keys on users' devices rather than on central servers.
Messaging providers can still see that conversations are occurring, but are unable to decode them. That means law enforcement and intelligence agencies must find another way to gain access to the plain text.
This problem was the crux of last year's dispute between the FBI and Apple, although that case involved gaining access to a device's encrypted storage (see The Crypto Debate: Apple vs. the FBI).
The FBI wanted Apple to create a special version of its iOS operating system that would disable security features on an iPhone 5 that belonged to one of the perpetrators of the San Bernardino terrorist attack in November 2015. The bureau was concerned that the device might have been configured to erase itself after too many incorrect passcode attempts.
Apple, which fought a government order in court, also criticized the case in public - a rare move by the company, which usually seeks to avoid conflict. The FBI ultimately dropped its court battle after purchasing a software exploit.
Governments continue to worry that terrorists will recruit and plot using encrypted messaging, and some have created or signaled their intention to create new laws that would bend technology companies to their will.
Last November, Great Britain passed a rewrite of its Investigatory Powers Act, which sets out rules for interception and retention of electronic data. Part of the act allows the government to issue service providers with "technical capability" notices.
In an oblique reference to encryption, such notices could include imposing "obligations relating to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data."
How that might work out in practice remains to be seen.
Meanwhile, Australia plans to introduce legislation to its parliament by the end of the year that would broadly compel technology companies to provide access to encrypted communications. The government denies that it wants backdoors in software products, but its plans for how it will force companies to provide access remain ambiguous (see Australia Plans to Force Tech Companies to Decrypt Content).
Despite the rise of zero-day software vulnerability brokers, problems remain with attempting to use an exploit-based approach to gain access to messages or encrypted disks. For starters, zero-day exploits remain rare and are often difficult to find. Many software companies also continue to actively improve their security practices and code reviews, decreasing the potential supply of new zero-day flaws.
Buying exploits on the private market remains expensive, and there's no guarantee that the method will work for any length of time.
There can also be ethical concerns. Some observers contend that zero-day markets run by companies such as Zerodium are unethical, and argue that software vendors should be immediately informed of flaws in their code. One line of thinking goes that others could discover the flaws and attack users, putting everyone at risk.
Others, however, shrug off that contention, saying zero-days are a fact of life, the sale of such information isn't illegal, and that there will always be a market for buying and selling such exploits, due to demand. Zerodium, for example, says it sells its exploits to private companies and governments that are "in need of specific and tailored cybersecurity capabilities."