
Zero-day Exploits Get Costlier

In short, companies are making it tougher to hack into their products, even as one startup offers millions of dollars for hacking tools

Surveillance has long been a preferred tool against organized crime for governments across the world, though privacy concerns have recently politicized the issue. Whatever the merits or demerits of governments seeking access to personal devices and web applications, the prices of the tools that let them break in have skyrocketed.

Where such tools once cost a few hundred or a few thousand dollars, those that allow governments to break into smartphones, web browsers and even messaging apps such as iMessage and WhatsApp now cost millions. Prices have multiplied over the past few years, and some firms have built a business model around brokering them.

Before you conclude that governments around the world are getting snoopier (which may or may not be the case), the real reason these tools cost so much more than they used to is that product companies have tightened the security of their offerings and made them tougher to hack.

Companies are offering millions of dollars now

Crowdfense, a startup that runs an acquisition platform for zero-day exploits and vulnerability research, has announced an updated price list for such tools. It now offers between $5 million and $7 million for zero-days that break into iPhones and up to $5 million for Android devices. Prices for browsers and chat apps range from $3 million to $5 million.

The previous price list, published in 2019, topped out at $3 million for Android and iOS zero-days. The increase means Crowdfense has recognized that it is now tougher to hack the devices made by Apple, Google and Microsoft. For users this is good news: their devices and applications have become harder to break into, even if well-funded buyers are still willing to pay for the capability.

How do these companies operate?

To give readers a better idea of the model: companies such as Crowdfense and Zerodium buy "zero-days", exploits for unpatched vulnerabilities that are still unknown to the software's maker, from the researchers who find them. Having acquired them, they resell them to other customers (usually government agencies) for tracking criminals and other targets of law-enforcement interest.

Market experts believe the current trend of costlier zero-days may continue, as current and future software becomes harder to exploit. By contrast, companies like Trend Micro's ZDI pay researchers for zero-days and report them to the affected vendors so that the vulnerabilities get fixed rather than used.

Big tech is spending more on security

Google, in a report published last month, said it saw hackers use 97 zero-day vulnerabilities during 2023, and that spyware vendors who work with zero-day brokers were responsible for 75% of the zero-days targeting Google products and Android. Google notes that improved platform protections demand more time and effort from attackers, which in turn drives up the cost of each working zero-day.

There is a general consensus that exploiting zero-day vulnerabilities is getting harder with each passing month and year. Companies such as Google and Apple are spending more on plugging vulnerabilities in their smartphones, allied computing devices and browsers.

Finding a zero-day and turning it into a working exploit now takes more resources working together for longer. A decade ago, a single researcher could find several zero-days and develop them into a reliable exploit against these devices. Today it typically takes a team of several researchers, and brokers are accordingly asking more money for the effort.

Non-state actors could pay much more

Of course, in the overall mix of for-profit companies, good samaritans, non-state actors and the underbelly of the internet, several buyers offer far more than companies like Crowdfense do. For example, prices in Russia are reportedly four times those quoted earlier in this article, largely because of the Ukraine war and the sanctions that followed.

Governments and even large companies may also pay well beyond these prices, depending on their specific requirements for hacking particular devices or applications on them. Readers may recall that US defense contractor L3 Technologies (now L3Harris) acquired Linchpin Labs back in 2018.

That came barely two years after the FBI used a zero-day provided by the startup Azimuth to break into the iPhone of one of the attackers who shot and killed 14 people in San Bernardino. It was also revealed in 2020 that the FBI and Facebook had worked with a third party to use a zero-day that tracked down a person later convicted of harassing young girls online.

Of course, there have also been instances where zero-days and spyware were used to track and target dissidents and journalists in some countries. Even in India, there was a furore over opposition lawmakers' phones being tracked by an Israeli company's software. However, at least some zero-day brokers are now committing themselves to export controls in order to limit potential abuse by their customers.

While the debate over the ethics of using such tools will continue, there is no doubt that zero-day exploits will remain a tool of choice for governments and other interested parties when it comes to their own survival and their need for surveillance. And as long as this trend continues, the cost of zero-day tools will only go one way: up, up and away!