You Can Now Get $1 Million for Hacking WhatsApp and iMessage

If a government spy or law enforcement agency needs help intercepting the communications of some terrorist or criminal using apps like WhatsApp or iMessage, they'll need to shell out more money than ever.

On Monday, Zerodium, a startup that buys and sells hacking tools and exploits to governments around the world, announced price increases for almost everything they are looking for, such as iOS remote jailbreaks and Windows exploits. It said it will now pay security researchers $1,000,000 for exploits in WhatsApp, iMessage, and SMS/MMS apps for all mobile operating systems.

“Messaging apps in general and WhatsApp in particular are sometimes the only communication channel used by targets and end-to-end encryption makes it difficult for our government customers to intercept such communications,” Zerodium’s founder Chaouki Bekrar told Motherboard in an online chat. “So having the ability to remotely compromise these apps directly without compromising the whole phone is much more strategic and effective.”

Compromising the whole iPhone, sometimes referred to as remote jailbreaking or rooting the phone, can cost $2 million or more, and usually involves a series of bugs and exploits.

The price increase shows that mobile devices in general are getting more and more secure, and thus harder to hack. That means that it’s becoming increasingly hard for hackers to break into iOS and Android devices. That makes the life of folks like spy agencies and police departments harder too. That’s where Zerodium and other similar companies, such as Azimuth and Crowdfense, come in: they act as intermediaries between security researchers and government agencies looking for tools—often called zero-days—to break into targets.

Before today, Zerodium was willing to pay $500,000 for WhatsApp and iMessage exploits, according to an archived version of the company’s site. These new prices are in line with the market, according to Maor Shwartz, who used to run a company that acquired and sold exploits to government agencies.

In an interview in December of last year, Shwartz told Motherboard that exploits for messaging apps such as WhatsApp and Signal, which are end-to-end encrypted and thus make it hard for hackers or spies to intercept messages, can go for $1 million or even up to $4 million depending on the circumstances and how urgently the government needs to hack their target.

“There are some unicorns that companies are willing to buy for a lot of money, more than $1 million dollars for a vulnerability. It’s the [remote code execution] for iMessage, WhatsApp, Signal, Telegram, etc,” Shwartz said. “Once you have this kind of vulnerability it’s worth a lot of money.”

Bekrar warned that despite the increasing difficulty of exploiting and hacking some of the operating systems and apps, they’re seeing more bugs than ever.

“Exploitation is harder, it takes longer, but more researchers are looking into these targets and our goal by increasing our prices is to continue this momentum and encourage researchers to keep hunting for exploits,” Bekrar told me.

“I'm in the zero-day industry since more than 15 years and I've never seen as many exploits as in 2018,” he added. “You can't imagine what's being developed and sold.”

Listen to CYBER, Motherboard’s new weekly podcast about hacking and cybersecurity.