[Veserv]

The sophistication of individual exploits is largely uninteresting, a bullet and a cruise missile both go through a piece of cardboard. Even quantity per target is largely uninteresting past the first couple in much the same way that having 23 snipers trained on a person is not so different than 8. It is the breadth of attacks in the Vault 7 leak that make the NSO group look like nothing. Maybe the NSO group could redirect their ~$250M/yr revenue and equalize in breadth with the CIA, but currently, from a strategic perspective, the CIA's programs are far more terrifying from a "what can they do" perspective. And, with high probability, there are at least a half dozen equivalent programs running in parallel just in the US government. That is how absurdly easy this all is, they do not even need to band together, each and every one can individually exploit a significant fraction of devices.

You are correct, I do not work in exploit development. My numbers are based on quotes vulnerability brokers have given for their inventory of zero-click iOS vulnerabilities (and other OS and application vulnerabilities) to some of my coworkers over the years. I have heard they have increased in price recently, though due to increased demand rather than increased difficulty of discovery, but I doubt the price of a raw exploit has breached the $10M mark yet. I have no knowledge as to the pricing on a final packaged consumer-friendly UI product.

[rotrot]

.

[Veserv]

Okay. Since you say I am underestimating according to your experience can you supply a, in your opinion, 68% confidence interval estimate for the cost or effort required to purchase or develop a zero click iOS exploit (i.e. give a general range for the median case).

Reasonable forms for a sufficiently quantified answer include, but are not limited to:

1. A numerical value to purchase from a broker.

2. A numerical value for the budget a competent organization (such as NSO) might allocate to a team to restock their hoard at a profitable return.

3. The number, skill, likely salary, and time/person-months a competent organization might allocate to restock their hoard at a profitable return.

4. The estimated return on a vulnerability. Giving an estimate of the expenditure bound to maintain profitability.

5. The estimated number of vulnerabilities NSO is finding per year given their budget.

6. The estimated number of vulnerabilities NSO has currently hoarded given their budget. Giving an estimate of the embodied expenditures to date.

7. The estimated amount of time for a NSO vulnerability to be burned allowing the estimation of required replenishment rate.

This is not an exhaustive list of reasonable quantifications, but I think at least something along these lines should provide an adequate quantification to demonstrate the degree to which I am underestimating the state of affairs.

[rotrot]

.

[Veserv]

Thank you for the reply. I was actually only expecting an answer to 1 or 2 of them rather than all of them. 2 and 3 were more questions on the business side of (expenditure on staff finding exploits / expected number to find per year) rather than raw expenses and 4 was more a monetary return rather than a ROI, but thank you for all the answers nonetheless.

Just for clarification, am I correctly understanding your answer to 1b as the price of a zero-click iOS exploit being ~$4M in contrast to my stated $1-2M? If so, I will not openly contest that claim here and thank you for your time. Anybody reading to this point can substitute my earlier claims for $4M if so.

[jancsika]

I think it's funny that you were able to exploit someone working in the industry into giving up information they shouldn't have merely by stating your speculation as fact.

Who needs 0-days when you have Cunningham's Law[1]?

I'm just trolling, but it apparently did happen here. :)

1: https://meta.wikimedia.org/wiki/Cunningham%27s_Law

[lossolo]

Anyone has copy of the answers? Seems that it was interesting but was edited.

[Veserv]

From memory it was approximately:

1a. $2M for something. Maybe a messenger/important app?

1b. $3.5-4M for zero click in default install (sandbox escape + local privilege escalation)

2. $20M for high level individual talent for a firm like NSO with a $250M revenue/$150M expenses.

3. $400k for a senior engineer. $250k-500k spot bonus for a person in the team who finds a zero-click. Some other words.

4. 500% to 1000%. Some other words.

5. 0-2 zero-click on-hand or maybe per year. 1-3 lesser ones in messaging/browsers/etc I think? Some other words.

6. The answer to 5 is sparse enough that statistics do not really apply.

7. 7-15 months.

[petre]

Israel did not need bullets or cruise missiles to shut down Iran's centrifiges twice. But I generally agree that the US 3 letter agencies are better funded and have more sophisticated cyberwarfare tooklits.