Privacy Central

Booming Market for App Exploits Worrying for Privacy
Cybersecurity30 Oct 20176 mins read

Booming Market for App Exploits Worrying for Privacy

Our mobile devices, especially Apple products, have long felt somehow more secure than desktop machines. Yet as more and more of the world's web traffic goes mobile, so too has the focus of hackers and cybercriminals. We look at how the lucrative market for zero day exploits has implications for all our privacy.

Claire Broadley
By Claire BroadleyTech Blogger

Apps like WhatsApp and Telegram offer important privacy protection. But there’s a growing market for sophisticated hacks that could secretly circumvent their privacy features. And the stakes are high: rewards run up to $500,000 for the very best zero day exploits that could reveal your location, communications, or personal data.

We tend to assume that encryption is unbreakable. But behind the scenes, companies and individuals are actively searching for secret ways to hack devices outside the operating system. And there’s a notable increase in the rewards for hacks on mobile devices, meaning that apps like WhatsApp and Telegram are in the firing line.

What is a Zero Day Exploit?

An exploit is a piece of software that attacks a vulnerable part of the code in software. “Zero Day” simply means that the exploit has not been discovered by its publishers, and has been published for “zero days” so far.

Security researchers actively look for zero day exploits in the hope of preventing malicious actors from finding them first — and not just in their own software. Google has its own team, Project Zero; in 2015, it found three zero day vulnerabilities in Apple’s OS X. More recently, it discovered a backdoor exploit on Wi-Fi chips in iPhones.

Legitimate companies sometimes pay hackers considerable bounties if they find bugs and report them back to the developers, but this has given birth to a marketplace where brokers tempt hackers to sell them the exploits first.

There’s big money in discovering mobile exploits with up to $1.5M bounties on offer for iOS hacks

One such broker is Zerodium, which recently announced a $500,000 prize for a fully functional hack on apps like WhatsApp. Across the board, the highest bounties are reserved for exploits on mobile devices, particularly remote jailbreaks and exploits that allow code to be executed remotely and attract fees of over $1 million.

Zerodium is doing nothing wrong in appealing for exploits. After all, companies like Google routinely pay out tens of thousands of dollars for exactly the same thing.

But when exploits are sold to brokers, nobody knows where they end up; nobody except the broker knows who is on the other end of the transaction.

How to Crack a Smartphone

Zerodium, and other similar brokers, are interested in exploits that allow unknown parties to break into phones, steal our location, and intercept messages. One way to do this is to attack the baseband; the firmware that the mobile device uses to communicate with the carrier network.

The baseband exists outside the operating system on the device, and it offers hackers the chance to intercept the phone’s transmissions with cellphone towers.

Baseband attacks have been recorded already. In April 2017, researcher Ralf-Phillip Weinmann found a zero day exploit that affected millions of Huawei phones. Specifically, the exploit affected a chipset in the phone’s 4G modem.

In May 2017, a similar vulnerability was reported in the SS7 protocol used in mobile devices. This particular hack resulted in the interception of text messages containing online banking passcodes.

But these exploits are not just useful to hackers. They are of great interest to state surveillance agencies too. In 2014, the Washington Post reported that “dozens” of countries had purchased tracking tools that rely on SS7’s security flaws, and experts believe state intelligence services are quietly using them already.

Nothing to Hide?

In its FAQ, Zerodium states that its customers are “mainly government organizations” and major corporations. Vupen Security says that it only sells to NATO governments and their partners. Other security researchers are less careful in their wording, and believe that they should be free to sell their work to anyone with deep enough pockets.

We have no way of knowing exactly who’s buying the exploits from brokers. There is no scrutiny, no regulation, and nothing to stop a purchaser passing the details of the exploit on to someone else. But we do know that the NSA gets early sight of some of the most juicy and valuable “vulns”.

We have no idea who is buying these exploits nor how they will be used.

You may think that selling an exploit to a government (or the NSA) is unlikely to affect your own privacy. You’d be wrong.

Hacking Team has allegedly sold exploits to governments who have used them to target political activists. And the WannaCry ransomware attack that crippled health services, factories, and transport hubs in 150 countries was built on a leaked NSA exploit, EternalBlue.

Even if you trust your government and your security services today, you may not trust them after the next election, or in 15 years’ time. And the shady trading of zero day exploits reveals a system where hackers and governments exchange tools and hack each other. “Hacking the hackers” to obtain them is a lucrative business in its own right.

Securing Your Phone Against Attack

Most of us are used to installing anti-virus and anti-malware software on desktop computers. Now that the market for hacks is heating up, we need to prioritize our mobile devices’ security in exactly the same way.

Installing security software should be your first priority when you receive a new phone, as well as ensuring that your device is running the latest version of its OS.

Only ever use a mobile device with an up-to-date operating system – even if that means buying a new one.

If you have an old device that can’t be updated, bite the bullet and buy a newer one, it’s just not worth the risk of missing out on cumulative security improvements. Whatever you do, also install a VPN as a priority.

Installing apps that are new to market can increase the risk of malicious code being planted on your phone. (During the craze for the Meitu makeover app in January 2017, many never checked the overly generous permissions that they granted it. The next app to go viral may not be so benign in its intentions.) None of us really know which zero day exploits will affect us, but fewer, stronger apps is the best defense we have.