
iOS security is “screwed up” according to a cyber espionage specialist

Zerodium, a firm that specializes in cyber espionage on behalf of governments and institutions, believes that there are now so many security vulnerabilities on the iPhone that it is no longer necessary to constantly buy new ones from researchers. Its conclusion: the security of iOS is “screwed up”.


Chaouki Bekrar, boss of Zerodium, a firm that sells cyber espionage solutions to governments and police, attacked the security of the iPhone operating system in one of his tweets. He explains on Twitter: “iOS security is fucked up. Only the devices of certificates of attributes of privileges (PAC) and of non-persistence hold and prevent it from reaching zero… we nevertheless see a lot of exploits which manage to circumvent the PAC, and there are some exploits around persistence (0-days) that work on all iPhone/iPads. Hopefully iOS 14 will do better.”

As part of its activity, Zerodium normally purchases 0-day vulnerabilities from researchers, for amounts between 100,000 and 2 million dollars, depending on the severity of the vulnerability. 0-day vulnerabilities are those that have not yet been officially discovered and for which there is no fix. At the same time as Chaouki Bekrar’s tweet, Zerodium also made an announcement: “We will not be buying more flaws around iOS LPE, Safari RCE or Sandbox Escape for the next two or three months.”

Zerodium says the decision has been made “because of the large number of submissions related to these vectors”, and that therefore “the prices [of exploits] without persistence will likely drop in the near future”. The explosion in the number of vulnerabilities is a fairly new, and worrying, development for iOS. The operating system, much more closed than Android, is normally considered to be more secure than the latter. Apple nevertheless has an advantage: if a flaw is officially discovered, the firm can very easily and quickly update its entire fleet of devices.
