
24 August 2017

Hackers offered $500,000 for WhatsApp and Signal exploits

Some serious cash.

Image: BRITTANY HERBERT/MASHABLE

How much is your privacy worth? Does $499,999 sound about right? Because it might soon be sold out for only a dollar more. 

A company that specializes in acquiring and reselling zero-day exploits has set its sights on Signal and WhatsApp, two popular secure mobile messaging platforms, and is offering serious cash to hackers willing to play ball. 

On August 23, Washington DC-based Zerodium promised up to $500,000 for tools that permit remote code execution and local privilege escalation on the apps. Basically, the company wants the ability to get at your device without you ever being the wiser.

“ZERODIUM pays premium bounties and rewards to security researchers to acquire their original and previously unreported zero-day research affecting major operating systems, software, and devices,” the company explains on its website. “While the majority of existing bug bounty programs accept almost any kind of vulnerabilities and [proof of concepts] but pay very low rewards, at ZERODIUM we focus on high-risk vulnerabilities with fully functional exploits, and we pay the highest rewards on the market.”

Essentially, if you can give the company an already functioning tool, it’s more than happy to fork over big bucks. 

Importantly, the company wants the power to crack more than just Signal and WhatsApp — tools for remotely jailbreaking an iPhone will earn you up to $1.5 million — but the fact that it’s willing to drop so much money on the apps speaks to their importance when it comes to Zerodium’s mysterious client base. 

A list of all the desired exploits.

And just who, exactly, are Zerodium’s customers? The company won’t name names, but its website does provide some clues. 

“ZERODIUM customers are major corporations in defense, technology, and finance, in need of advanced zero-day protection, as well as government organizations in need of specific and tailored cybersecurity capabilities.”

Making this all even sketchier, other zero-day brokers have been accused of using zero days to target dissidents and journalists. Notably, in 2016 the NSO Group reportedly used its iPhone exploits to track a human rights activist in the United Arab Emirates. Mashable reached out to Zerodium in an attempt to determine more about its customers but has not received a response as of press time.

So what, if anything, does this mean for you? Counterintuitively, it could be read as good news. The fact that Signal and WhatsApp zero days are toward the top of Zerodium’s price list suggests that the exploits are highly sought after — i.e. not currently in the company’s arsenal. 

That’s just speculation, of course. But even if Zerodium does end up scoring these zero days quickly, unless you’re a high-value target, no one is likely to spend all that cash to read your messages only to risk the vulnerability getting discovered or patched.

Regardless, make sure to keep all your apps updated. Although by definition updates won’t protect you from zero days, they’re still one of the best ways to protect your device from attackers. 

Oh, and value what privacy you do have. It’s obviously an expensive luxury.  
