Zerodium, a new firm started by the founder of notorious French arms dealers Vupen, have put out the $1M bounty for unpublished vulnerabilities in the Iphone; they plan on keeping these vulns a secret so that they can be turned into cyberweapons and sold to repressive governments who want to use them to spy on their citizens using their own phone cameras, mics, and keyboards.
Every time one of these cyber-arms dealers has a breach, we learn more about the abusive, authoritarian regimes who are the ultimate customers for these high-ticket items. Thanks to these firms’ willingness to put profits ahead of ethics, we’ve turned backwards, totalitarian governments into turnkey surveillance states.
Worse: the fact that these people can discover and weaponize vulns means that others can, too. When our governments become customers of these firms, they become complicit in keeping vulnerabilities secret and intact — and those vulns can be and are used to attack their own populations. The Iphone hack that Zerodium decides to keep secret and weaponize will also be discovered by spies from other countries, who may use them to steal your employer’s secrets and put them out of business; they may be used by voyeurs who use them to sexually extort your children, they may be used against you.
Bekrar has made no apologies for the fact that his business thrives on digital insecurity. Rather than report vulnerabilities in software to the companies that make it to help fix hackable bugs, Vupen develops hacking techniques based on those bugs and typically sells them to multiple government customers. His iOS bounty is no different: The terms of the offer include the demand that the bug not be reported to Apple or publicly disclosed, the better to allow Zerodium’s customers to use the technique in secret. Apple didn’t immediately respond to a request for comment.
Bekrar’s past customers for such undisclosed hacking techniques have included the NSA as well as other NATO countries and “NATO partners” that Bekrar declines to name. Bekrar declined to identify any of Zerodium’s potential customers, but the company’s website describes them as “major corporations in defense, technology, and finance, in need of advanced zero-day protection, as well as government organizations in need of specific and tailored cybersecurity capabilities.”1
But even Bekrar has admitted that he doesn’t always know where Vupen’s hacking tools have ended up, or how a customer agency uses or shares them. “We do the best we can to ensure it won’t go outside that agency,” Bekrar told me in 2012. “But if you sell weapons to someone, there’s no way to ensure that they won’t sell to another agency.”
Spy Agency Contractor Puts Out a $1M Bounty for an iPhone Hack [Andy Greenberg/Wired]