back to article 'iOS security is f**ked' says exploit broker Zerodium: Prices crash for taking a bite out of Apple's core tech

Five years ago, Zerodium offered a $1m reward for a browser-based, untethered jailbreak in iOS 9. On Wednesday, the software exploit broker said it won't pay anything for some iOS bugs due to an oversupply. "We will NOT be acquiring any new Apple iOS LPE [local privilege escalation], Safari RCE [remote code execution], or …

  1. BenDwire Silver badge
    Facepalm

    Here's an idea

    Add time and financial motivation, he said, and you get more bugs.

    How about paying people to find the bugs before release? I dunno, maybe put them together and call it a Test or QA department perhaps?

    < looks for airborne pork >

    1. Bob7300

      FTFY

      I dunno, maybe put them 2 metres apart and call it a Test or QA department perhaps?

      1. BenDwire Silver badge

        Re: FTFY

        But surely that assumes the employer cares about their people?

    2. Kristian Walsh Silver badge

      Re: Here's an idea

      They had one, but eventually there were so few bugs for them to find that Apple fired them all...

      1. Anonymous Coward
        Anonymous Coward

        Re: Here's an idea

        Have you been my boss in the past? I'm sure they were the kind of people who would sell the breaks to the car because "we've never had an accident so far, so we obviously don't need them!" ;)

    3. Charlie Clark Silver badge

      Re: Here's an idea

      How about paying people to find the bugs before release?

      It's worth noting that not all exploits stem from bugs, quite often they come from finding different ways to use "good" code. This is why pen-testing is a separate discipline from both testing and QA. That said, there's no doubt that Apple's software management could and should be improved: less secrecy and some degree of peer reviewing would be possible. Maybe even their own Project Zero team?

      1. Updraft102

        Re: Here's an idea

        Is it not a bug if it is possible to find such a different use for "good" code? If the code can be made to do something that wasn't intended, that's a bug, until you document it and call it a feature, of course.

        1. Anonymous Coward
          Anonymous Coward

          Re: Here's an idea

          Some features are broken by design. Bad design is not a bug.

          Take 99% of website and GUI design. Someone *chose* that button to be hidden under a box the same colour as the background and put the menu popup of the text field over the question box so you don't know what field is being populated (or the android keyboard covering the entire webpage so you cannot actually input text!) are examples.

          It's not a bug in the software, if the programmers/managers never actually added security. It's an omission!

        2. Charlie Clark Silver badge

          Re: Here's an idea

          Bugs traditionally refer to code not doing what it is supposed to do. For a simple example, consider a birthday calculator that does not take leap years into consideration: works well most of the time so not necessarily easy to spot.

          Hacks are also known as exploits because they often exploit the side-effects of well-tested code doing what it should. This is very often related to permissions but also underlying flaws (memory, timing, etc.) and is difficult or almost impossible to avoid in modern OS with internet connectivity and multimedia. We're learning all the time how to provide advanced features such as GPU acceleration for video chat without compromising the hardware.

          1. Milo Tsukroff
            FAIL

            Re: Here's an idea

            There's another type of bug that you haven't mentioned: Bugs by design. One for-instance: C++ is notorious for unchecked input. It's supposed to be lean and mean and that meant that input buffers were unchecked -- by design. 'Nuff said.

    4. veti Silver badge

      Re: Here's an idea

      Security is hard, m'kay? It takes more than a bit of QA. More even than a lot of QA.

      Apple does, mostly, a pretty good job of patching vulnerabilities when they hear about them. So does Microsoft, for that matter. And when that happens, both of them will do their best to push out the fix to as many users as possible (which puts them ahead of Linux or Android as far as regular users are concerned).

      But nobody, not even Linux, can keep them from ever being released in the first place.

      1. Pascal Monett Silver badge

        Re: Security is hard, m'kay?

        When you have a professional opinion stating that iOS security is fucked, with a list of breach types that are so common that bounty prices are in freefall, you're beyond the realm of security is hard.

        Yes, security is hard. especially if you don't give a shit about it.

        1. Packet

          Re: Security is hard, m'kay?

          No denying adhering to security practices is hard.

          However, some exploit broker saying a specific popular OS security has issues, especially when compared to said OS's track record - I just find hard to accept right away.

          Maybe it's a sign of the paranoid times we live in, but I have to ask the question: does the exploit broker gain any monetary advantage by making such a statement?

          1. P. Lee

            Re: Security is hard, m'kay?

            Security tends to cause increased code size and lower performance - Spectre is a prime example. Another example might be the locating of display systems inside the kernel.

            My beef with the vendors is that we could fix all this. We could have a "security boot" where we have proper security because we have a system where we prefer security over speed. We could also have a "games mode" were the security is traded for speed. With SSD's, rebooting is not the issue it used to be. Maybe we even run the high-security mode a virtualised, because

            These days, most business laptops have performance which exceeds requirements - we could have a boot flag which tunes the OS appropriately without impeding the user experience significantly. They won't do it though. It appears vendors have abandoned the desktop for the cloud.

            1. Stuart Castle Silver badge

              Re: Security is hard, m'kay?

              The problem is that as soon as you put in a mode that trades security for performance, you've potentially lost that security.

    5. SuperGeek

      Re: Here's an idea

      "< looks for airborne pork >"

      I dunno about flying pigs (not including the Corona Police and their drones, mind!) but LOOK! There's Lord Lucan on Shergar! I knew he'd show up!

  2. Anonymous Coward
    Anonymous Coward

    Fucked.

    Haha!

    1. Semtex451
      Windows

      Re: Fucked.

      According to my slide rule the unit 'Fucked' is almost equivalent to 0.5 Omnishambles. Furthermore my pneumatic Android Security monitor is pointing to just over 2.1 Omnishambles.

      Make of that what you will, my standard measures have not been calibrated since before Brexit

      1. teknopaul

        Re: Fucked.

        UK is suffering serious omnishambles inflation. They will have to devalue the word. They might even have issue a new word. Or not. Or not now. Or in the future.

  3. RM Myers
    FAIL

    "Zerodium said for the first time that it would pay more for flaws in Android"

    Does it really matter whether there are any flaws in Android itself? The app store "security screening" is so poor surely it is easier just to put malware in a free app.

    1. tim 13

      Re: "Zerodium said for the first time that it would pay more for flaws in Android"

      Exactly https://www.theregister.co.uk/2020/05/14/bitdefender_mandrake_malware/

      1. Ken Hagan Gold badge

        Re: "Zerodium said for the first time that it would pay more for flaws in Android"

        Exactly, exactly. I'm reading these stories within minutes of each other and it confirms my belief that we need a proper operating system for phones. The current two big players are like Windows 3.x, a glitzy layer offering no protection between programs and everything running as the same "user". But then, I'm weird. I consider my phone to be fatally compromised at all times and consequently have never done internet banking on it and never will.

        At least, not until someone does a Debian release for it, so that I could run the admittedly fun crapware in one account and the valuable stuff in another, knowing that they were separated by 60 years of experience in designing a securable OS, rather than a set of "permissions to access..." which are ill-defined to the end user and mostly chosen by the app designer anyway and therefore utterly useless.

        1. cbars Bronze badge
          Trollface

          Re: "Zerodium said for the first time that it would pay more for flaws in Android"

          60 years of old fashioned shite! Thank god Pottering stepped up and is knocking all that stone age crap into the dust with the cool new way of doing stuff.

          1. Updraft102

            Re: "Zerodium said for the first time that it would pay more for flaws in Android"

            Downvoters missed the sarcasm there, methinks?

            1. Anonymous Coward
              Anonymous Coward

              Re: "Zerodium said for the first time that it would pay more for flaws in Android"

              @updraft102 maybe some people have multiple logins.

              1. AJ MacLeod

                Re: "Zerodium said for the first time that it would pay more for flaws in Android"

                It's Friday morning and I may be even more thick than usual, but could you explain that comment (about multiple logins?)

                1. cbars Bronze badge

                  Re: "Zerodium said for the first time that it would pay more for flaws in Android"

                  Think Anon was either saying they think updraft102 and I are the same person and I'm using that account to defend my delicate ego, or that some weirdo hated my comment so much they used multiple accounts to down vote it... for 1) it's easy to click on the usernames and convince yourself we are not, for 2) I doubt it, but good... note the troll face icon!

        2. katrinab Silver badge
          Meh

          Re: "Zerodium said for the first time that it would pay more for flaws in Android"

          I’d say they are more like Windows XP than 3.1. They are based on Linux and FreeBSD respectively, which are both decent operating systems when configured correctly.

          1. jrd

            Re: "Zerodium said for the first time that it would pay more for flaws in Android"

            > both decent operating systems when configured correctly.

            Which is a bit like saying nitroglycerin is perfectly safe when handled correctly. Both statements are true, but you only get to hear about it when "human error" enters the equation.

            1. P. Lee

              Re: "Zerodium said for the first time that it would pay more for flaws in Android"

              The "human error" in question being "I downloaded random software from the [app|play] store."

        3. Charlie Clark Silver badge

          Re: "Zerodium said for the first time that it would pay more for flaws in Android"

          At least, not until someone does a Debian release for it,

          You can get at least some form of Debian for Planet's offerings but it won't help you much in locking it down, because you'll make it more or less unusable as a "smartphone" if you do so. Dumb phones were easier to secure because they did less, but it's not as if they were immune to hacks.

          Things might improve with hardware that can support the kind of microkernel and containers that should improve security. Though, in a sense that just moves the goalposts because code does repeatedly breakout of containers.

        4. Packet

          Re: "Zerodium said for the first time that it would pay more for flaws in Android"

          I'm curious now - what phone/platform do you use?

          I actually consider the couple of banking apps (for the banks I use) as more secure on IOS as compared to the desktop Windows platform.

          To the point where I actually use them exclusively on IOS now.

  4. eldakka
    Coat

    Re-open the schools!

    "There are likely a lot of hackers stuck at home with extra time on their hands, ..."

    We need to get all those hackers kids back into school so they don't have the time to do all this hacking.

  5. Screwed

    "Let's hope iOS 14 will be better."

    I don't disagree. But in the short term, let us hope 13.5 will at least be somewhat better. It is at least on the cards for release this month.

  6. Dr Kerfuffle

    Bugs in Microsoft Basic

    I wrote to Bill Gates in 1982 about bugs we found in their 8K ROM BASIC, that was licenced for use in the Tangerine Microtan 65 single board computer (which later became the Oric 1 computer). It is now 2020 and I am STILL waiting for a reply from him. Jeez, are these bugs never going to get fixed?!

    Paul

  7. Scoured Frisbee

    > Add time and financial motivation, he said, and you get more bugs.

    No, if you have time and financial incentives you will get more issues. The bugs were already there.

  8. Deimos

    New expressions

    I’ve come up with a few

    Coronafuck replacing clusterfuck

    Pancession for pandemic caused recession

    And of course

    Boris bike current recipient of the PMs attentions.

    Knocking shop replacement for party conference i.e. a gathering of folks that are easily bought.

    Please blame all of the above on Pancession depression

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like