Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

September 22, 2015

Christmas in October? (Economics of Cybersecurity)

Filed under: Cybersecurity,Security — Patrick Durusau @ 7:59 am

Tell us how to infect an iPhone remotely, and we’ll give you $1,000,000 USD by Graham Cluley.

From the post:

If there’s something which is in high demand from both the common internet criminals and intelligence agencies around the world, it’s a way of easily infecting the iPhones and iPads of individuals.

The proof that there is high demand for a way to remotely and reliably exploit iOS devices, in order to install malware that can spy upon communications and snoop upon a user’s whereabouts, is proven by a staggering $1 million reward being offered by one firm for exclusive details of such a flaw.

In an announcement on its website, newly-founded vulnerability broker Zerodium offers the million dollar bounty to “each individual or team who creates and submits an exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices.”

There’s no denying – that’s a lot of cash. And Zerodium says it won’t stop there. In fact, it says that it will offer a grand total of $3 million in rewards for iOS 9 exploits and jailbreaks.

Graham says the most likely buyers from Zerodium are governments, which are more likely to pay large sums than Microsoft or Apple are.

There’s a reason for that. Microsoft, Apple, Cisco, etc., face no economic downside from zero-day exploits.

Zero-day exploits tarnish reputations or so it is claimed. For most vendors it would be hard to find another black mark in addition to all the existing ones.

If zero-day exploits had an impact on sales, the current vendor landscape would be far different than it is today.

With no economic impact on sales or reputations, it is easy to understand the complacency of vendors in the face of zero-day exploits and contests to create the same.

I keep using the phrase “economic impact on” to distinguish economic consequences from all the hand wringing and tough talk you hear from vendors about cybersecurity. Unless and until something impacts the bottom line on a balance sheet, all the talk is just cant.

If some legislative body, Congress (in the U.S.) comes to mind, were to pass legislation that:

  • Imposes strict liability for all code level vulnerabilities
  • Establishes a minimum level of presumed damages plus court costs and attorneys’ fees
  • Establishes an expedited process for resolving claims within six months
  • Establishes tax credits for zero-day exploits purchased by vendors

the economics of cybersecurity would change significantly.

Vendors would have economic incentives to both write cleaner code and to purchase zero-day exploits on the open market.

Hackers would have economic incentives to find exploits, because software vendors would be automatically liable for them.

The time has come to end the free ride for software vendors on the issue of liability for software exploits.

The result will be a safer world for everyone.
