
iPhone Security Flaws Selling for $500,000

By David Gilbert on July 15, 2013 7:57 AM EDT

A report suggests governments are paying up to $500,000 for vulnerabilities affecting Apple's iOS operating system.

An illustration picture shows the logo of the U.S. National Security Agency on the display of an iPhone in Berlin, June 7, 2013. (Credit: Reuters)

Apple has been lauded for its ability to keep malware out of the App Store, with one leading expert calling it the security innovation of the past decade.


However, Apple's ecosystem may not be as secure as it believes, with a report in the New York Times claiming that a security vulnerability in its iOS operating system (which runs on iPhone and iPad) was sold for $500,000 (£332,000) to an unnamed buyer.

The claim comes from two anonymous sources speaking to the New York Times who said the security flaw was a so-called "zero-day" vulnerability.

Zero-day vulnerabilities are previously undiscovered flaws in systems which, when exploited, give whoever exploits them unfettered access to an individual PC or a computer network.

Thanks to the pervasive nature of the iPhone and its high levels of security, vulnerabilities in it are much more highly prized than those found in other software such as Android or Windows. 

Attractive proposition

A flaw in iOS would potentially allow those exploiting it to monitor the activity of any iPhone user, which would be a hugely attractive proposition for those engaged in state-sponsored cyber-espionage.

The revelation comes at a time when governments around the world are being scrutinised for the level of spying they are carrying out on their own citizens in the wake of the National Security Agency (NSA) revelations by whistleblower Edward Snowden.

While it wasn't revealed who purchased the iOS flaw, the price tag suggests that it could only have been a government or law enforcement agency.

Companies like Google and Microsoft do pay security researchers who find vulnerabilities in their (and competitors') code, but none of them have ever paid anywhere near the $500,000 asking price for this iOS vulnerability.

Big business

The trade in software vulnerabilities has become big business in recent years. While it was once the case that researchers would hand over any flaws they discovered to the relevant company for free, they are now traded for hundreds of thousands of pounds, with buyers ranging from the NSA in the US to the Revolutionary Guard of Iran.

While companies like the UK-based Gamma International remain tight-lipped about what they do, some companies trading in these zero-day vulnerabilities are beginning to speak more openly about their business.

Speaking to IBTimes UK last year, Eric Rabe from Hacking Team spoke openly about Da Vinci, the powerful spying tool his company sells to governments and law enforcement agencies around the world, which lets them spy on people in and outside of their own borders.

While Rabe says Hacking Team only deals with countries which are NATO-approved, there has been vocal criticism of the tools Hacking Team sells, with some claiming they have been used against activists, leading to torture and, in at least one case, death.
