How is it expensive? It is if it eqates to the zero day becoming of public domain, and this is not the case here. They can say they guessed the password while in fact they exploited some unknown vulnerability…
Zero days are extremely expensive costing in the millions of dollars even if you’re not publishing exploit details. Just using it is extremely costly because each attempt exposes your bug to the world, which is an opportunity that it could get caught and patched. Android and iPhone both have mechanisms to detect and report crashes which could easily cost you your bug. Plus, on the exploit markets, a bug that hasn’t been used is worth more because there have been literally zero days of opportunity to defend against it.
There is definitely a cost to using something that expensive and that requires a necessary level of risk. You’ve got to be worth it, and the supply of such bugs is extremely low and sometimes zero depending on your exact software version.
to be fair to the incompetent people in law enforcement, I do believe “trying to kill a presidential candidate slated to win and being a millimeter away from getting it done” would justify relying on a 0-day.
Yes except we are talking about the government of the USA? Markets law are warped in this context. Do you think they sell those? To who? To what purpose, finance healthcare spending?
The phone may call home and have things patched? You think they are unable to prevent a phone to call home?
It is not as simple as you imagine. Sometimes a specific bug requires the device to think it’s online and providing this illusion is not perfect. You don’t just plug it in and push a button and you’re good unless perhaps you’ve got a really good bug. Often times, hitting the precise code area required to exploit a bug involves weird scenarios. For example, you might have to talk to the base station for the cell phone tower that can properly authenticate first before you can attack a bug. Sometimes, the bug involves an interaction between multiple phones. It’s not just some magic signals you sent down the cable necessarily. You have to hit the weird behavior. Most trivial stuff exposed over USB has been examined thoroughly. You need to get creative to find more attack surface. There are bugs like that, but you are mistaken if you think categorically there is not risk in exploiting some bugs that can break into a phone. Sometimes it’s trivial to ensure information about your bug is contained. Sometimes it’s not.
The money isn’t a concern about greed or actually making cash. The money reflects the value and scarcity of these bugs. With that said, yes they sell the exploits. Usually, the people who find the bugs are the ones doing the selling. There’s actually an entire market that exchanges this information if you know the right people. As an obvious example, mercenary malware contains exploits for these bugs. These are organizations like NSO group that buy and sell the information that you would use to do this.
This is true, but becoming an increasingly less important factor because devices now ship with automatic updates enabled by default.
Personally, if I had to guess as someone who studies exploits for a living, I’d wager the device isn’t the most recent model and is probably a few years old, so there are likely known unpatchable bootrom or firmware bugs that can be used from their private arsenal without having to risk an actual zero day exploit.
Easier is a very relative term. It’ll be really expensive to use a genuine zero-day to do it. Such exploits are few and far between.
How is it expensive? It is if it eqates to the zero day becoming of public domain, and this is not the case here. They can say they guessed the password while in fact they exploited some unknown vulnerability…
Zero days are extremely expensive costing in the millions of dollars even if you’re not publishing exploit details. Just using it is extremely costly because each attempt exposes your bug to the world, which is an opportunity that it could get caught and patched. Android and iPhone both have mechanisms to detect and report crashes which could easily cost you your bug. Plus, on the exploit markets, a bug that hasn’t been used is worth more because there have been literally zero days of opportunity to defend against it.
There is definitely a cost to using something that expensive and that requires a necessary level of risk. You’ve got to be worth it, and the supply of such bugs is extremely low and sometimes zero depending on your exact software version.
to be fair to the incompetent people in law enforcement, I do believe “trying to kill a presidential candidate slated to win and being a millimeter away from getting it done” would justify relying on a 0-day.
Indeed. That’s a pretty motivating reason.
Yes except we are talking about the government of the USA? Markets law are warped in this context. Do you think they sell those? To who? To what purpose, finance healthcare spending? The phone may call home and have things patched? You think they are unable to prevent a phone to call home?
What?
It is not as simple as you imagine. Sometimes a specific bug requires the device to think it’s online and providing this illusion is not perfect. You don’t just plug it in and push a button and you’re good unless perhaps you’ve got a really good bug. Often times, hitting the precise code area required to exploit a bug involves weird scenarios. For example, you might have to talk to the base station for the cell phone tower that can properly authenticate first before you can attack a bug. Sometimes, the bug involves an interaction between multiple phones. It’s not just some magic signals you sent down the cable necessarily. You have to hit the weird behavior. Most trivial stuff exposed over USB has been examined thoroughly. You need to get creative to find more attack surface. There are bugs like that, but you are mistaken if you think categorically there is not risk in exploiting some bugs that can break into a phone. Sometimes it’s trivial to ensure information about your bug is contained. Sometimes it’s not.
The money isn’t a concern about greed or actually making cash. The money reflects the value and scarcity of these bugs. With that said, yes they sell the exploits. Usually, the people who find the bugs are the ones doing the selling. There’s actually an entire market that exchanges this information if you know the right people. As an obvious example, mercenary malware contains exploits for these bugs. These are organizations like NSO group that buy and sell the information that you would use to do this.
But known exploits that have been patched, but not applied because they didn’t update their phone, are plentiful enough.
Update your phones. Reboot them regularly, too.
This is true, but becoming an increasingly less important factor because devices now ship with automatic updates enabled by default.
Personally, if I had to guess as someone who studies exploits for a living, I’d wager the device isn’t the most recent model and is probably a few years old, so there are likely known unpatchable bootrom or firmware bugs that can be used from their private arsenal without having to risk an actual zero day exploit.