[Veserv]

Does it matter? A full-chain zero-click remote complete compromise for either system is only $2-3 million. That is absolute chump change. 4-6% of households in the US [1], 5-8 million households, have sufficient assets to fully compromise every iPhone or Android in the world. If we consider businesses, I bet that is within the reach of no less than 50% of the businesses (including small businesses) in the US. That is an absurd number of entities where that price point is totally doable.

If a bad actor can derive just $10 on average per phone they attack, then all they need to do is find a way to deploy their $2-3 million exploit to 1 million phones for less than $5 million to make a tidy profit. Given that we are talking about zero-click remote compromises, which means the victim only needs to receive the payload, this means that it is profitable as long as the cost per victim impression is less than $5, a CPM of $5000. With that sort of budget you can embed your attack into an ad and then outbid everybody else by a factor of 10 for placements. You can buy a mailing list and embed your attack as a "payload pixel". If it is a zero-click text message attack then you can buy access to the spam-callers and mass deploy it that way.

These systems are between a factor of 10-100x off of adequate. To care about their relative differences is like debating whether paper mache or tissue paper is better at stopping bullets. One is probably better than the other, but neither provides meaningful protection, so it hardly matters. You need fundamental, qualitative improvements before differences between the solutions provide meaningful effects on outcomes.

[1] https://dqydj.com/average-median-top-net-worth-percentiles/

[tptacek]

If bad actors could derive $10 on average from 1MM phones, vulnerabilities would cost substantially more than $2-3MM.

[Veserv]

Not really. That is only looking at the demand-side of a supply-demand relationship. Buyers will obviously prefer a cheaper vulnerability with a comparable effect to a more expensive one, so if vulnerabilities are easy to find at a price point where it is profitable to sell them at $2-3MM, then any finder who charges a lower price than others will be more attractive to buyers. This selling competition can easily drive the price down until it is much lower than the potential upside to a buyer of $10MM with a lower bound of the actual cost of discovery (which I already postulated is low enough that $2-3MM is profitable given that Zerodium is able to acquire vulnerabilities for that price) since anything less than the actual cost of discovery is unprofitable. This is the same reason why water is cheap even though it is absolutely essential to human life, it is plentiful and easy to acquire so suppliers compete on price driving it down to a a value much closer to the cost of acquisition rather than the maximal upside to the buyer assuming no other alternatives are present.

[tptacek]

Zerodium is not generally paying out $2MM for vulnerabilities and the people who acquire vulnerabilities from Zerodium aren't monetizing them directly off the installed base of phones.

An important thing to know about the market for these things is that the "clearing price" of an exploit chain is usually a cap, not an actual price; you're paid in tranches, until the vulnerability is burned. You're hoping it isn't burned before all your tranches are paid.

That has implications for the hypothetical business model you've proposed.

[duxup]

>Does it matter?

Yes?

Considering it was the measuring stick that person seemed to feel was important.