iPhone Security Flaws Selling for $500,000

A report suggests governments are paying up to $500,000 for vulnerabilities affecting Apple's iOS operating system.

Apple has been lauded for its ability to keep malware out of the App Store, with one leading expert calling it the security innovation of the past decade.

However Apple's eco-system may not be as secure as it believes with a report in the New York Times claiming that a security vulnerability in its iOS operating system (which runs on iPhone and iPad) was sold for $500,000 (£332,000) to an unnamed buyer.

The claim comes from two anonymous sources speaking to the New York Times who said the security flaw was a so-called "zero-day" vulnerability.

Zero-day vulnerabilities are previously undiscovered flaws in systems which when exploited give users unfettered access to an individual PC or a computer network.

Thanks to the pervasive nature of the iPhone and its high levels of security, vulnerabilities in it are much more highly prized than those found in other software such as Android or Windows.

Attractive proposition

A flaw in iOS would potentially allow those exploiting it to monitor the activity of any iPhone user, which would be a hugely attractive proposition for those engaged in state-sponsored cyber-espionage.

The revelation comes at a time when governments around the world are being scrutinised for the level of spying they are carrying out on their own citizens in the wake of the National Security Agency (NSA) revelations by whistleblower Edward Snowden.

While it wasn't revealed who purchased the iOS flaw, the price tag suggests that it could only have been a government or law enforcement agency.

Companies like Google and Microsoft do pay security researchers who find vulnerabilities in their (and competitor's) code but none of them have ever paid anywhere near the $500,000 asking price for this iOS vulnerability.

Big business

The trade in software vulnerabilities has become big business in recent years. While it was once the case where researchers would hand over any flaws they discovered to the relevant company for free, they are now traded for hundreds of thousands of pounds with groups like the NSA in the US to the Revolutionary Guard of Iran.

While companies like the UK-based Gamma International remain tight-lipped about what they do, some companies trading in these zero-day vulnerabilities are beginning to speak more open about what they do.

Speaking to IBTimes UK last year, Eric Rabe from Hacking Team spoke openly about Da Vinci, the powerful spying tool his company sells to governments and law enforcement agencies around the world, which lets them spy on people in and outside of their own borders.

Vocal criticism

While Rabe says Hacking Team only deals with countries which are NATO-approved, there has been vocal criticism about the tools Hacking Team sells, with some claiming they have been used against activists leading to torture and in at least one case death.

While none of the companies involved in trading security vulnerabilities are breaking the law, there are questions regarding regulation which need to be addressed.

With more and more companies becoming involved in this industry, regulating it could become a big problem. Security researcher Graham Cluley said:

"Against this backdrop, it seems hard to believe that the exploit trading industry will be able to adequately police itself to the satisfaction of countries being spied upon. Inevitably, the-powers-that-be will seek to regulate businesses who sell vulnerabilities to other nations, which may only drive the unregulated sale of exploits, to perhaps unfriendly nations or the criminally-minded, deeper underground."