[rotrot]

As someone who has worked Vulnerability Research/Exploit Dev for US based companies I'd consider this a bit misguided and is likely coming from someone not in the Vulnerability Research/Exploit Dev industry. I'm guessing you're getting these numbers from just reading Zerodium:

""" The zero days are likely occasionally being discovered and fixed, but buying a zero-click zero day for Android/iPhone on the black market only costs on the order of $1-2M at retail """

In reality the final packaged product is worth exponentially more.

Also, Israel produces some of the best security research talent on the planet due to their national focus on cybersecurity, and funneling some of the most talented students in the country directly to 8200 starting in high school, and some of them end up going to NSO group after. None of the vulnerabilities/exploits in the Vault 7 leaks come close to the sophistication of the FORCEDENTRY exploit. I'm not saying the US doesn't have better capabilities and the NSA most certainly does because they have suppliers like Azimuth, but a lot of what you've stated is based in fantasy.

[drzaiusapelord]

These are great points.

I dont see why the FBI wouldn't buy Pegasus. Does the above poster think the FBI can just call the NSA and tell it to decrypt a bunch of stuff? The NSA has its own mission and its based on national security interests, not solving the everyday crime the FBI works on. The government isn't just one big club. I'm guessing its likely the NSA isn't going to offer up its best tools to catch someone providing abortion access in Texas or "stealing" academic papers from JSTOR or "pirating" comic book movies. Not only is it a waste of their resources but every time a tool like this is used, the detection of that tool is possible, and with that detection Apple or whomever would figure out what the exploit is doing and patch against it. Now that tool is wasted because some FBI boss wanted a promotion thinking if he impersonated an Associated Press journalist to hack a teenager again like they did in 2007 it would impress some authoritarian higher up.

They can't waste these precious exploits on some culture war, IP enforcement thuggery, leftist organizers, unions, and mid-range drug dealers the FBI regularly beats up, murders (think Filiberto Ojeda Rios), harasses, and spies on. Even the NSA is low-key ACAB. So they just say no and tell the FBI to just let NSO potentially burn their exploits. The NSA and military intelligence has better things to spend it on (think Stuxnet-like scenarios).

tldr; the FBI operates on a level far below these other organizations and are far less important than any of them in the grand scheme of things. They're just well funded cops with all the problems cops bring. They're not getting NSA tools because they don't need them the same way your county sheriff doesn't need MRAPs to drive around in.

[Veserv]

The sophistication of individual exploits is largely uninteresting, a bullet and a cruise missile both go through a piece of cardboard. Even quantity per target is largely uninteresting past the first couple in much the same way that having 23 snipers trained on a person is not so different than 8. It is the breadth of attacks in the Vault 7 leak that make the NSO group look like nothing. Maybe the NSO group could redirect their ~$250M/yr revenue and equalize in breadth with the CIA, but currently, from a strategic perspective, the CIA's programs are far more terrifying from a "what can they do" perspective. And, with high probability, there are at least a half dozen equivalent programs running in parallel just in the US government. That is how absurdly easy this all is, they do not even need to band together, each and every one can individually exploit a significant fraction of devices.

You are correct, I do not work in exploit development. My numbers are based on quotes vulnerability brokers have given for their inventory of zero-click iOS vulnerabilities (and other OS and application vulnerabilities) to some of my coworkers over the years. I have heard they have increased in price recently, though due to increased demand rather than increased difficulty of discovery, but I doubt the price of a raw exploit has breached the $10M mark yet. I have no knowledge as to the pricing on a final packaged consumer-friendly UI product.

[rotrot]

.

[Veserv]

Okay. Since you say I am underestimating according to your experience can you supply a, in your opinion, 68% confidence interval estimate for the cost or effort required to purchase or develop a zero click iOS exploit (i.e. give a general range for the median case).

Reasonable forms for a sufficiently quantified answer include, but are not limited to:

1. A numerical value to purchase from a broker.

2. A numerical value for the budget a competent organization (such as NSO) might allocate to a team to restock their hoard at a profitable return.

3. The number, skill, likely salary, and time/person-months a competent organization might allocate to restock their hoard at a profitable return.

4. The estimated return on a vulnerability. Giving an estimate of the expenditure bound to maintain profitability.

5. The estimated number of vulnerabilities NSO is finding per year given their budget.

6. The estimated number of vulnerabilities NSO has currently hoarded given their budget. Giving an estimate of the embodied expenditures to date.

7. The estimated amount of time for a NSO vulnerability to be burned allowing the estimation of required replenishment rate.

This is not an exhaustive list of reasonable quantifications, but I think at least something along these lines should provide an adequate quantification to demonstrate the degree to which I am underestimating the state of affairs.

[rotrot]

.

[Veserv]

Thank you for the reply. I was actually only expecting an answer to 1 or 2 of them rather than all of them. 2 and 3 were more questions on the business side of (expenditure on staff finding exploits / expected number to find per year) rather than raw expenses and 4 was more a monetary return rather than a ROI, but thank you for all the answers nonetheless.

Just for clarification, am I correctly understanding your answer to 1b as the price of a zero-click iOS exploit being ~$4M in contrast to my stated $1-2M? If so, I will not openly contest that claim here and thank you for your time. Anybody reading to this point can substitute my earlier claims for $4M if so.

[jancsika]

I think it's funny that you were able to exploit someone working in the industry into giving up information they shouldn't have merely by stating your speculation as fact.

Who needs 0-days when you have Cunningham's Law[1]?

I'm just trolling, but it apparently did happen here. :)

1: https://meta.wikimedia.org/wiki/Cunningham%27s_Law

[lossolo]

Anyone has copy of the answers? Seems that it was interesting but was edited.

[Veserv]

From memory it was approximately:

1a. $2M for something. Maybe a messenger/important app?

1b. $3.5-4M for zero click in default install (sandbox escape + local privilege escalation)

2. $20M for high level individual talent for a firm like NSO with a $250M revenue/$150M expenses.

3. $400k for a senior engineer. $250k-500k spot bonus for a person in the team who finds a zero-click. Some other words.

4. 500% to 1000%. Some other words.

5. 0-2 zero-click on-hand or maybe per year. 1-3 lesser ones in messaging/browsers/etc I think? Some other words.

6. The answer to 5 is sparse enough that statistics do not really apply.

7. 7-15 months.

[petre]

Israel did not need bullets or cruise missiles to shut down Iran's centrifiges twice. But I generally agree that the US 3 letter agencies are better funded and have more sophisticated cyberwarfare tooklits.