Android Exploits Are Now Worth More Than iOS Exploits for the First Time (zdnet.com) 26
Zerodium, a company which claims it buys and then resells software exploits to government and law enforcement agencies, has updated its price list today, and Android exploits are worth more than iOS exploits for the first time ever. From a report: According to the company, starting today, a zero-click (no user interaction) exploit chain for Android can get hackers and security researchers up to $2.5 million in rewards. A similar exploit chain impacting iOS is worth only $2 million. Zerodium's new price for Android exploits is almost twelve times more when compared to the maximum of $200,000 the company was willing to offer a year ago, and even 100 times more than Zerodium was paying for some of the lower-impact Android exploits. Zerodium has timed its announcement with Google's official release for Android 10, scheduled for later today. Further reading: Exploit Sellers Say There are More iPhone Hacks on the Market Than They've Ever Seen.
Re: (Score:3)
Guess this guy created enough sock puppet accounts to mod himself up.
wow -- No longer Dime a Dozen ?!? (Score:2)
Congratulations Android. geez - I thought it was "easy" to hack Android. Guess not any longer.
Re: (Score:2)
Doesn't President Trump use an Android phone for his personal phone - the one he tweets from in the middle of the night? It's possible the increased payout might be related to a perceived higher value now.
Re: (Score:2)
Re: wow -- No longer Dime a Dozen ?!? (Score:2)
And this is why hacks will always be with us (Score:1)
2. No consequence if you get hacked as a company
3. Big time incentives for security bounties
Blow it up and start over? (Score:1)
With the advances in proof-of-correctness and the like in this century, I expect the next "built from the ground up" mass-market computer operating system to be a lot harder to penetrate than anything that still has significant chucks of code from Android 1.0 or iOS 1.0, or for that matter, 15+ year old versions of MS Windows, macOS, Linux, or the popular BSDs.
On the other hand, the pessimist in me says it will be another decade or two before the only teams that can win "p0wn to 0wn" contests against popula
Re: Blow it up and start over? (Score:2)
Well played Re:THIS NEEDS TO END!!! (Score:1)
Jonathan Swift [gutenberg.org], is that you?
Duh, no shit! (Score:3)
How do we read this? (Score:2)
1. Android User Base is larger than iOS. So a flaw can impact more people.
2. The higher historical price in iOS, meant security researchers would put more focus on iOS and less on Android.
3. They are less security flaws in Android than iOS. So supply and demand gives it a higher price
4. They are more flows in Android than iOS, and we want them to be found and fixed.
5. Their money pot for paying for these problems hasn't been fully used, so they raised the price in Android to meet budgetary needs, so they
Re: (Score:2)
My guess: Chinese government wants to spy on Hong Kong protesters and is bidding up prices.
I'm going with #5 Re:How do we read this? (Score:1)
In any case, it would make a good /. poll.
5. Their money pot for paying for these problems hasn't been fully used, so they raised the price in Android to meet budgetary needs, so they get more money next year.
What is an "Android" exploit? (Score:5, Informative)
I'm curious what they mean by "Android" in this context. If they're referring to exploits chains that can compromise approximately all Android devices, then no one should be surprised that Android exploits are more expensive. The Android ecosystem is quite diverse, and finding an exploit chain that isn't restricted to a single vendor's devices -- or even a single model -- is often pretty difficult.
The problem (for exploit creators) arises from two factors. The first is that Google's Android security team (of which I'm a member) has deliberately adopted a layered, "defense in depth" strategy, specifically because many device vendors and carriers are so bad at delivering updates. Since we can't rely on patching of vulnerabilities, the Android system has been decomposed into many different elements separated by lots of internal firewalls, some enforced by Linux' native permissions system, some enforced by SELinux Mandatory Access Controls, and some enforced by Android's own mechanisms. This means that a single vulnerability almost never enables a useful exploit, because the exploit only gives control of the component that contains it, and the attacker then needs another vuln to get into something else. Most useful exploit chains in the Android world today actually require five or more vulnerabilities strung in a chain.
The second factor is the aforementioned diversity. Long exploit chains are inherently fragile -- change one part of the internal structure in a way that hides or breaks one of the vulns used in it, and the chain no longer works. Since nearly all manufacturers modify the OS in some ways, this means that finding chains that work across a broad selection of devices is very hard. There is a subset of the ecosystem that sticks closer to "vanilla" Android and does not have this "diversity" defense... but that subset of the ecosystem also tends to patch pretty quickly because their lack of customization means that the Google-supplied patches apply cleanly and safely.
Taking as academic and disinterested a perspective as I can, I find it very interested to compare the Android and iOS strategies. iOS's design and architecture is inherently less secure than Android's, because Apple doesn't need the same sort of defense in depth strategy. They can focus on simply fixing the problems when they appear and pushing out those patches. The difference is quite apparent when you look at the monthly patch announcements from Apple and Google -- in fact if you were to judge by those announcements alone, you'd conclude that Android is dramatically more secure than iOS, because the Apple announcements contain a lot more "critical" and "high" severity vulnerabilities. Google's announcements have just as many vulns, but a very high percentage of them are "medium" and "low" severity, because other elements of the system block exploitation.
Of course, looking at those announcements alone does not give you good visibility into the security of the devices in the field, because although iOS has as many critical vulnerabilities in an average month as Android does in an average year, those iOS vulns are actually fixed in the majority of iOS devices by the time the vulns are published. For Android, in contrast, there are a handful of device models that are fixed by the time the announcement goes out, but there are a lot that won't get the fixes for months... and a lot that won't get them, ever.
The bottom line, for anyone interested in practical security, not academic analysis, is that if you buy a flagship phone from one of the major Android vendors, and if you replace that device as soon as it stops receiving security updates, your device is generally more secure than if you bought an iPhone. If you buy a mid-tier or low-tier Android device, then your security will probably not be as good as if you bought a used iPhone (used to keep the cost roughly equal).
Oh, and the clear leader in smartphone security is the Google Pixel, at least for the three years it receives upd
Re: (Score:2)
Interesting post - thanks for taking the time to put it together.
Re: (Score:2)
The first is that Google's Android security team (of which I'm a member) has deliberately adopted a layered, "defense in depth" strategy, specifically because many device vendors and carriers are so bad at delivering updates. Since we can't rely on patching of vulnerabilities, the Android system has been decomposed into many different elements separated by lots of internal firewalls...
I should be clear that we don't simply shrug off the poor updating/patching characteristics of the Android ecosystem. It's a real problem which we care a great deal about fixing. But we long ago recognized that fixes would be slow and difficult, because the patching problem is mostly an economic and social problem. Technical solutions are not impossible, and some headway has been made, but if there were quick/easy answers they'd long ago have been implemented. So, recognizing reality for what it is, mos
Re: What is an "Android" exploit? (Score:2)
Re: (Score:2)
Re: (Score:2)
Most Android phones, except Samsung (?) are made in China. Do they burn the microcode into the chips as well? If so, can they plant back doors into the microcode, below the OS level, much like Intel did, that allows access regardless of any security apps?
Supply chain attacks are devilishly hard to protect against. I don't have any really good answers here.
Google's Titan and Titan M security processors were created precisely to defend against them, with an initial focus only on replacing the USB security key chips used by Google employees, then expanded to the security processors in Chromebooks and then Pixels. Google's (partial) solution to the supply chain problem was to design chips from scratch and carefully validate the output of the (Chinese) fabs.
Does that mean that...... (Score:2)
..... The security of the Android operating system is improving? Or is the security of iOS declining?