As Phones Get Harder to Hack, Zero Day Vendors Hunt for Router Exploits

Obtaining vulnerabilities for fully up-to-date mobile phones is getting harder. So companies that sell exploits to governments are increasingly looking for attacks that target internet routers instead, with one company paying up to $100,000.

|
Mar 7 2019, 4:00pm

Image: Seth Laupus/Motherboard

On Thursday, Crowdfense, a company that buys zero day exploits from researchers and then sells them to government agencies, announced it is now offering a total of $15 million to hackers who have particular exploits for sale. Zero days are attacks which take advantage of vulnerabilities that the impacted vendor—Apple, Google—is unaware of.

The highest tier of exploit chains for iPhones and certain Android devices can fetch $3 million each. But notably, Crowdfense’s roster of desired hacking tools goes beyond the usual suspects of fully up-to-date phones and desktop devices. Crowdfense is now also buying exploits that can break into internet routers.

The reason? Hacking users’ phones, and in particular Apple’s iPhone, is becoming so difficult, and the necessary chain of exploits needed to hack them so rare, that some vendors are starting to look for other devices they can still break into while gathering information on a target.

“The security of browsers and mobile platforms—both mobile platforms [iOS and Android]—is increasing substantially,” Andrea Zapparoli Manzoni, the CEO of Crowdfense, told Motherboard in a phone call, adding that the security improvements have increased especially in the past year.

Crowdfense is still hunting for those increasingly valuable iPhone exploits, but at the same time the company is expanding into different areas.

“We are trying to target a broader attack surface, and [...] the reason is that the attack surface of the typical products that we used to exploit is substantially reduced,” Zapparoli said. “It’s more difficult for us to find actionable, new vulnerabilities.”

Got a tip? You can contact this reporter securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Hacking a phone directly can allow an attacker to install malware that could potentially read messages, steal emails, track the location of the device, and much more. By instead targeting a router, an attacker would potentially still be able to see some activity that is coming from the device that is connected to the router, although an attacker won’t have the same sort of visibility as compared to hacking the phone itself.

“When you cannot get to a target through his Android phone or iPhone, maybe you can still achieve some results by targeting the [...] router,” Zapparoli said. This might be a home router to monitor an individual target, or perhaps an enterprise level router more useful for monitoring an organization’s traffic.

Zerodium, another, longer-running exploit vendor, also buys attacks designed for routers.

“Since Zerodium has added routers to its bounty program, we have received at least one pre-auth RCE 0day exploit for every major router,” Zerodium CEO Chaouki Bekrar tweeted in May last year, referring to remote code execution, which can let a hacker run their own code on a target device. “We all know that the security of routers and IoT devices is completely fucked up but it's still scary to see how deeply fucked they are,” he added. According to Zerodium’s website, the company will pay up to $10,000 for remote code execution exploits in routers.

At the time of writing Crowdfense will pay up to $100,000 for similar sorts of router attacks, according to its website.

The owner of a third company that sources iPhone zero day exploits to then sell to governments told Motherboard in March 2018 that iPhone exploit chains were likely to become rarer, and in turn more expensive. That prediction has come true.

In 2015, Zerodium offered $1 million for an attack can could remotely take over an iPhone. The following year, that price creeped up to $1.5 million. Then in April 2018, Crowdfense started offering $3 million for the same sort of attack (at the time of writing, Zerodium will buy a remote attack on the iPhone that doesn’t require a user to click a malicious link for $2 million, according to the firm’s website.) Crowdfense offers similar prices for some Android attacks.

Crowdfense spoke about the new acquisition program during a party at Nullcon, a security conference in Goa, India, earlier this month. At the conference, Zapparoli told Motherboard some researchers have already responded to the call for more exploits, and provided material.

Subscribe to our new cybersecurity podcast, CYBER.