To help identify and plug out security holes in their products, big software companies are sponsoring a number of hacking events, handing out cash prizes that motivate many white-hat hackers to reveal their hacking arsenal. One would say that the $60,000-each that Google offered in one such recent competition to those who managed to hack the Google Chrome web browser is actually a lot of money, right? Wrong, as it turns out some governments (especially the US and a few EU members) are willing to pay up to four times that sum for exclusive ownership of so called “zero-day hacks”.
This bit of info comes via a couple of Forbes articles interviewing agencies that intermediate software exploit sales. Obviously enough, the articles created quite a bit of a controversy around the ethics of such an industry, up to the point where many called for exploit sales to be made illegal. And don’t you think this is limited to web browsers, as according to the Forbes articles, there is a way and a price to hijack almost any platform out there.
This is the approximate price-list for zero-day hacks by platform, as posted by Forbes:
- Adobe Reader – $5,000 – $30,000
- Mac OS X – $20,000 – $50,000
- Android – $30,000 – $60,000
- Flash/Java Plug-Ins – $40,000 – $100,000
- Microsoft Word – $50,000 – $100,000
- Windows – $60,000 – $120,000
- Firefox / Safari $60,000 – $150,000
- Chrome / Internet Explorer $80,000 – $200,000
- iOS – $100,000 – $250,000
As expected, exploit prices are determined by two main factors: 1. The platform’s popularity – hence the higher price for Chrome and IE exploits compared to those for Firefox and Safari; 2. How challenging it is to crack the respective platform – which is why iOS hacks are the most expensive out there, while Adobe Reader exploits are the cheapest around.
Unfortunately for us Android fans, according to one software exploit dealer quoted by Forbes, the reason why Android attacks are both popular and cheap is because they are easy to produce, while “ones that can penetrate the iPhone are rare and pricey”. I’m not sure how the situation changes for Android smartphones with security solutions installed, but unfortunately, there are more and more reasons to get one.