Security Communications Operating Systems Software The Almighty Buck Technology

Companies Are Now Offering Seven Figures For Hacks That Allow Spies, Cops To Steal Chat App Messages (vice.com) 73

Zerodium, a startup that buys and sells hacking tools and exploits to governments around the world, announced on Monday price increases for almost everything it is looking for, such as iOS remote jailbreaks and Windows exploits. "It said it will now pay security researchers $1,000,000 for exploits in WhatsApp, iMessage, and SMS/MMS apps for all mobile operating systems," reports Motherboard. From the report: Compromising the whole iPhone, sometimes referred to as remote jailbreaking or rooting the phone, can cost $2 million or more, and usually involves a series of bugs and exploits. The price increase shows that mobile devices in general are getting more and more secure, and thus harder to hack. That means that it's becoming increasingly hard for hackers to break into iOS and Android devices. That makes the life of folks like spy agencies and police departments harder too. That's where Zerodium and other similar companies, such as Azimuth and Crowdfense, come in: they act as intermediaries between security researchers and government agencies looking for tools -- often called zero-days -- to break into targets. Before today, Zerodium was willing to pay $500,000 for WhatsApp and iMessage exploits, according to an archived version of the company's site. These new prices are in line with the market, according to Maor Shwartz, who used to run a company that acquired and sold exploits to government agencies.
  • by nehumanuscrede ( 624750 ) on Monday January 07, 2019 @10:32PM (#57921984)

    I hope the aforementioned companies are paying their own engineers well.

    Once bounties get this high, the thought would cross the minds of many to build in a vulnerability for use later on.

    Then again, I suppose the various three letter agencies with their unlimited budgets probably have an engineer or
    several on the payroll already. . . .

    • Why wait for the engineers to build it in, why not just include it as a feature from the start?

      Or does that only work for privately held companies?

      • by MrKaos ( 858439 )

        Why wait for the engineers to build it in, why not just include it as a feature from the start?

        Or does that only work for privately held companies?

        This is the point of Australia's Assistance Access bill that the US can access via intelligence sharing arrangements.

        • by Anonymous Coward

          Hacks are NOT sold - they are strictly licensed. Will one intel agency tip off other agencies or share the details? You bet.
          Australia leaked Swedish propeller designs to the USA the moment they got them, then lied about it - so Australia is not trustworthy. The USA stole IP off the guy who had the patent on optic fiber taps without paying until caught.

          Anyway, at 1-2 million, it is now worthwhile to use an STM, shaving all chips, laser test point taps and lithium niobate to take hidden code and work on it and nab th

          • by MrKaos ( 858439 )

            Hacks are NOT sold - they are strictly licensed. Will one intel agency tip off other agencies or share the details? You bet.

            You really missed the point about there now being a legal avenue to do this.

    • "I'm gonna write me a new mini-van this afternoon!" (https://dilbert.com/strip/1995-11-13)

    • I hope the aforementioned companies are paying their own engineers well.

      Yeah, because the fear of getting caught clearly doesn't factor in. It wouldn't take a genius to catch someone attempting to cash in on their own "exploit", and I'm sure these companies have some very expensive lawyers which could make your life really miserable.

      • Not even close. Someone can compromise an algorithm or "forget" an equals sign or make any other compromises which are not obvious to prove as intentional. The person who cashes in is going to cash their reward in secret; the companies who buy the exploits do not broadcast them to the public.

        Also, I guarantee you that security researchers in the past have found vulnerabilities in the code written by people they know - a lot of security guys know each other already from conferences, academia, working for the same

    • I'm guessing that every company that has a worthwhile target in their product offering, has a mole or two in their employ.

      I'd go farther: a known set of moles and an unknown (to the company) set.

      This includes the build system and binary modules. Hardware has its analogs, too.

      Yes, we *are* post-Snowden. And we damned well know it.

      • And how many of them monetize that properly?
        A counter-intel team that sells the exploits they find so the group is self funding, then waits juuuust long enough they'll be able to sell the next time before patching.
        Done right that could be an intentional extra revenue stream. It's not like these companies have any ethics to complicate matters.
    • That is a new business model for a startup. Pay for exploits to be inserted, then sell them.

  • If you're conducting your secret spy business on WhatsApp and SMS, you're doing it wrong. I may not know the right way, exactly, but I think it looks more like NCIS: Los Angeles than it does WhatsApp.
  • So they're only interested in ones for spies and cops, not just the average joe using an exploit?

  • You know, this thing?

    https://constitutioncenter.org... [constitutioncenter.org]

    I am fairly certain that personal correspondence, which would be the modern equivalent of "papers" mentioned explicitly in the amendment, is something that cannot be obtained without a warrant.

    That is, unless the constitution is NOT a "Living document" that gets reinterpreted to suit modern climates and courts... and only paper based correspondence is covered explicitly.

    Oh, who the fuck am I kidding; The clowns are running the circus, and there are no c

    • The US government can surveil me and the other 7.4 billion-odd people who aren't US citizens whenever it damn well pleases, no warrant required.
      • Oh, I understand that they can and do, and that yes, the vast majority of the world population does not live in the US.

        That does not give my government the right to do so. (Or to "trade favors" with other governments to circumvent these restrictions. >.> Looking at you, GCHQ in the UK... )

        I am sure it makes you feel morally superior to point obvious facts like this, but you are missing the point; These people (companies) are paying monetary bounties to enable the local police forces (who are SUPPOSED

        • These people (companies) are paying monetary bounties to enable the local police forces (who are SUPPOSED to be upholding constitutional law) to perform unlawful searches

          That's your assumption, which you pretty much pulled out of your ass. As the other guy pointed out, TLAs can use these to conduct lawful surveillance outside of your country. Additionally local police and TLAs can make use of this tech to surveil citizens legally, by first obtaining a warrant.

          The fact that any given technology can be abused does not mean that it does not have legitimate uses. It's just that when you're paranoid you always tend to see only the potential for abuse.

  • Yep (Score:5, Insightful)

    by Dunbal ( 464142 ) * on Tuesday January 08, 2019 @01:21AM (#57922556)
    America, where only the government is allowed to break the law.
    • In Soviet America law breaks you!

    • They wouldn't be so easily able to do this if corporations and for-profit companies didn't work to throw the American citizen under the bus in the name of $$$$PROFITS$$$$. It seems to me the real issue is that these companies are allowed to exist at all.
  • And will the law enforcement DMCA exemption cover this, or are there too many subcontractors in the mix?
