Why Android hacking 'Zero Day' now costs more than iOS attacks




But Maor Shwartz, an independent security vulnerability researcher and founder of the now-defunct Q-Recon vulnerability brokerage firm, said the changes were consistent with his own observations. "In today's reality, the majority of targets are Android and vulnerabilities are dwindling as many of them have been fixed," said Shwartz, who talked about selling zero days to government customers at the Black Hat security conference last month. "For a year now, customers have been asking me: do you know anyone who works on Android and has vulnerabilities? I started to understand that the market was changing."

Shwartz says that a web-based attack on a high-end Android phone can now sell for more than $2 million non-exclusively, which means the researcher can sell it at that price to several buyers. According to him, a web-based iPhone attack sells for about $1.5 million non-exclusively. This ratio also holds more generally, he says; an Android attack is often worth about 30% more than its equivalent on the iPhone.

According to Shwartz, it has long been difficult to find a way into a target device via the browser of an Android phone, compared to iOS, because of the relative security of Chrome over Safari. But the real source of the changes that have made Android exploits more expensive, he said, lies in the difficulty of finding a "local privilege escalation" (LPE) exploit for Android, which allows an attacker to gain more control over a phone on which they have already gained a foothold. Largely thanks to the enhanced security measures on Android phones, LPE exploits are now as hard to find for Android as they are for iOS, says Shwartz. Combined with the difficulty of finding an exploitable browser vulnerability to start the exploit chain, this makes Android a tougher – and more expensive – target overall.

Shwartz partly attributes the increased security of Android to its open source strategy, which is finally bearing fruit. While Apple has kept its operating system so locked down that even well-meaning security researchers struggle to find its flaws – a problem that it has tried to solve with a recent development and opening of its bug bounty program – the open approach of Android has put more eyes on its code. Although this openness initially resulted in more bugs, these vulnerabilities have been corrected over time, which has had the effect of slowly hardening the operating system. "Many vulnerabilities have been fixed so that the attack surface is significantly reduced," Shwartz said.

Android has long suffered from security patching problems due to its dependency on manufacturers and third-party carriers. These are not reflected in Zerodium's price list, as the company focuses on "zero-day" vulnerabilities in fully patched devices.

"If you want to make money, focus on Android."

Security Researcher Maor Shwartz

But Google has, to its credit, slowly made the internals of an Android phone less hospitable to hackers, including in the Android 10 release today: for example, it adds new file-based encryption and reorganized "sandboxes" that cut off applications' access to the rest of the operating system. In fact, Google has spent years adding "mitigation measures" that make it more difficult to hack devices even when new security bugs are discovered. In 2018, for example, it introduced Control Flow Integrity, designed to prevent malware from jumping around in memory to bypass an older security measure that randomizes the memory locations of code, and integer overflow sanitization, designed to prevent the type of bug that was exploited in 2015 by a class of attacks called Stagefright.

But Shwartz notes that beyond these mitigation measures, the initially higher prices of zero days on iOS have also attracted disproportionate attention from security researchers, resulting in a relative overabundance of iOS attacks. The volume of these attacks was highlighted last week, when Google revealed that a hacking campaign had used five separate iOS exploit chains, embedding these attacks in websites in order to infect the phones of thousands of victims. In another Google finding released last month, Natalie Silvanovich, a security researcher at the company, discovered six zero-click attacks for iOS.
