Recently, an anonymous team of hackers claimed Zerodium’s $1,000,000 bounty for a particularly dangerous bug in Apple’s iOS mobile operating system. That’s right, by finding a software flaw that team just made more than the average American will in 20 years. Unknown security vulnerabilities are very valuable and there are plenty of reasons you should take notice.
First of all: what is a vulnerability? Basically it’s a bug in a program. While some bugs do little more than crash a program, others, like in the case of Heartbleed, might leak sensitive data, and others still like the above case allows an attacker, armed with knowledge of how the vulnerability functions, to take total control of the target device. For the parameters of that $1,000,000 payout, that means by simply opening a web page an attacker can install and run persistent, arbitrary software on up-to-date devices. Front facing camera? Check. Passwords? Stolen. Location? Tracked. In this case, you can imagine why that capability is so valuable.
That payout, although abnormally large, is nothing new. Like arms dealers, companies like Zerodium aren’t just in the business to improve software, they exist to make money and the software developers aren’t the ones buying. To be clear, Zerodium, and Grugq (the vender from the Forbes article) only sell to reputable sources (namely NATO governmental institutions) but the fact exists, the developers are being outbid by entities who are using these vulnerabilities. Microsoft, Google, and most other tech companies offer their own programs to buy these vulnerabilities so the can be patched. Unfortunately, they offer orders of magnitude less for these weapons.
So how does this apply to you – the consumer? Most people I’ve met still carry on the assumption that the business cyber attack and defense is limited to wiz-kid outcasts and disgruntled IT guys. The truth is, hundreds if not thousands of vulnerabilities are discovered each month and they are big business.