Zimperium Launches Exploit Acquisition Program for Android and iOS N-Days, But No Interest in 0-Days
Bug bounty programs exist to encourage researchers to find and report zero-day vulnerabilities. The theory is that the vulnerability is patched and the threat goes away. In reality, however, the zero-day vulnerability simply becomes an N-day exploit, where ‘n’ is the number of days between the patch and its deployment. During this period, an N-day exploit is as dangerous as a 0-day exploit.
This is a particular problem in the mobile world, where millions of users remain at risk for extended periods due to poor deployment processes that never reach the majority of mobile devices. Now Zimperium, which raised $12 million in Series B funding in February 2015, is attempting to upset the status quo with the announcement of a zLabs $1.5 million N-day exploit acquisition program.
“Unfortunately, the security patching process for mobile devices’ operating systems is extremely slow, which leaves companies and individuals highly vulnerable to dozens of security threats,” explains Zuk Avraham, CTO and founder at Zimperium. “Through zLab’s new Exploit Acquisition Program, our customers, partners, and the rest of the cybersecurity community will be notified of these vulnerabilities so that they will be able to provide the highest level of protection possible.”
There are several actual and hoped-for effects. The first is that once an N-day exploit is known, it will apply pressure on the mobile ecosystem to rethink and improve its security update process. The second is that it will encourage and reward researchers who develop exploits that, in bug bounty terms, become worthless as soon as the vulnerability is known to the vendor.
The third is that it will simply make for a more secure mobile market. With the researcher’s approval, the exploit will be released to members of the Zimperium Handset Alliance (ZHA). This includes Samsung, Softbank, Telstra, Blackberry and more than 30 well-known handset vendors and mobile carriers around the world. After one to three months, Zimperium will publicly release the exploit, crediting the researcher.
The fourth is Zimperium’s own reward. It will use the exploits, and the techniques they rely on, to enhance its own machine learning z9 threat detection engine. This will give its customers protection against the exploit even before the patch is released and deployed.
The reporting process is relatively simple for researchers who produce relevant N-day exploits. They should email ninja_exploits at nothuman.ninja, describe the exploit, quote the CVE number, explain how the exploit chain works, and state whether they wish to release the code publicly and receive credit for it.
The exploit is then evaluated by a zLabs committee, and a compensation offer is made to the researcher. “As a rule,” Avraham told SecurityWeek, “critical flaws — such as a full, remote exploit chain — will receive more compensation than local exploits. Once we are able to trigger a vulnerability on an older device/OS, we will provide a quote.”
“It’s simple,” he wrote in a blog post today. “We’ll buy remote or local exploits targeting any version other than the latest version of iOS and Android.”
It could be argued that by encouraging the development of N-day exploits and incorporating their detection into the z9 engine, Zimperium is increasing the threat level for any user not using Zimperium. Avraham rejects this suggestion. “While individual device owners won’t see the benefits of this program immediately,” he told SecurityWeek, “we’re doing everything we can to enhance the way that users receive security updates.
“Sophisticated attackers,” he continued, “didn’t wait for this program to research the monthly security bulletins. These vulnerabilities already exist and are explored by sophisticated actors. Making these vulnerabilities available to the Zimperium Handset Alliance (ZHA) and then the security community, decreases the chances that they will be used in targeted attacks, increases the chances of the carriers to stop these attacks, increases the chances of the vendors allocating resources to provide an update, and helps the entire ecosystem.”
In reality, the scheme formalizes and scales up what Zimperium has already done. In September 2015 it published an exploit for a critical Android Stagefright vulnerability. The vulnerability had already been patched by Google, but the existence of a published exploit applied pressure on Android suppliers to deliver the patch.
It is certainly true that anything that shortens the window in which an N-day exploit remains usable must be beneficial. But what happens if the $1.5 million runs out? “That will be a great problem to have,” said Avraham. “Depending on the success of the program we may allocate more.”