[indolering]

The publicly available exploit prices put a browser zero day at $200k-$500k. That's the same cost as firing a few Javalin missiles. OS RCE runs into $1-$2 million. Much less than a cheap Russian tank. [1]

The cost of internally developed exploits is probably much lower. They aren't one shot assets either, they can be used until someone plugs the hole.

There are private companies selling devices to law enforcement that can extract information from locked phones [2]. Availability of that sort of access to anyone's phone by local law enforcement is absurdly cheap.

[1]: https://opzero.ru/en/prices/

[2]: https://arstechnica.com/gadgets/2025/10/leaker-reveals-which...

[SahAssar]

> [1]: https://opzero.ru/en/prices/

Those are the prices that they are buying for, they do not indicate at all that these are common or how large the market is for RCE on any OS.

> [2]: https://arstechnica.com/gadgets/2025/10/leaker-reveals-which...

Those are (mostly) not RCE, and are for consumer devices configured in a default way.

---

The parent stated that "Any government can get RCE on any OS with the change in their couch."

That implies that Kiribati currently could easily buy RCE on for example hardened Linux or OpenBSD running the most sensitive infra in the world. I just don't buy that, since if it was true any current conflict would look much different.

Of course there are security holes and major fuckups do happen, but not at the scale the parent implied.

[indolering]

These prices are consistent (actually more costly) than public bounties by (now defunct) western based exploit brokers and manufacturer bounties.

> Those are (mostly) not RCE, and are for consumer devices configured in a default way.

I'm more worried about activists and journalists in developing counties without the financial means to afford flagship phones. But even Google can't manage to keep out a pedestrian mid sized security outfit selling to the cops and the FBI.

When activists lobbying for a fucking sugar tax in Mexico get hacked, then the bar is too fucking low.

Let's not talk about the nightmare that is old networking equipment or IoT devices.

[SahAssar]

Come on, you said:

> Any government can get RCE on any OS with the change in their couch

If you were extremely hyperbolic for effect that's fine, that's why I asked if you actually believed that, but what you are saying now is not at all arguing the same point.

[indolering]

I was not being hyperbolic: a couple million dollars is very cheap for virtually any military. Both exploit broker bounties and corporate bug bounties are in that range.

What is your objection?

[DANmode]

“Extremely hyperbolic”,

or relative?

$50k-$150k+ is a low-to-medium cost case to carry out for US law enforcement. or military.

Much like the $3 in change you could dig out of your couch or car to get a small drink or sandwich.

[SahAssar]

Nobody in this thread has provided anything that would lead me to believe that any government can easily buy RCE on any OS. Read the quote again:

> Any government can get RCE on any OS with the change in their couch

[Veserv]

That is inanely pedantic. The municipal government of Monowi, Nebraska probably can not buy a RCE in any OS as they only govern a single person. That is also utterly meaningless to argue as it bears no effect on the core thrust of the argument that COTS operating systems in use by military and critical infrastructure are easily and cheaply hackable by potential adversaries. They are demonstrably grossly inadequate for purpose.

[lossolo]

This shouldn't be downvoted because it's stating facts. RCEs for critical infrastructure/OSes are very rare, they don't just grow on trees. I agree that OP exaggerated by saying that any government can buy whatever RCE they want and get access to any system they want, like buying candy in a candy shop. That's not reality.

[indolering]

Thankfully, there are regulatory regimes that require physically segregated systems for most cars, airplanes, power stations, etc

However, safety critical is not limited to cars: it also includes the phones of activities and journalists living under authoritarian regimes.

Monolithic kernels written in portable assembly mean that such bugs DO grow on trees [1] and the lack backporting means they just drop to the ground: the poor are sold phones that may never receive a security update. So even sugar tax activists in Mexico are the target of spyware!

We have seen the sophistication of these attacks ramp up as cryptocurrency has made them profitable and the North Koreans have made a killing exploiting these bugs.

Maybe you are right and it is very difficult to find these bugs but that just means low demand is what is keeping the price down. But that's probably because there enough LPEs and known RCEs that they are not needed most of the time.

[1]: https://www.cvedetails.com/vulnerability-list/vendor_id-33/L...

[irundebian]

Just because the market would buy something for X$, doesn't mean that you could buy that if you have more than X$.

[indolering]

Militaries have billion dollar budgets.

[irundebian]

That doesn't mean anything.