Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Mobile security firm offers cash to hackers for their old exploits

Lucian Constantin | Feb. 2, 2017
The company hopes to bring old exploits into the open and encourage better patching in the mobile ecosystem

The company's mobile security technology is used by carriers and handset vendors for very large deployments of tens of millions of users and needs to offer protection even for older mobile devices that are no longer supported and don't receive security updates. It's on such devices where the older "N-days" exploits, as Zimperium calls them, can still have value for attackers.

"For us, supporting old devices is a key decision to help where the update policy have failed the consumers," Avraham said.

The company will acquire exploits for both remotely and locally exploitable vulnerabilities, as well as for bugs that can lead to information disclosure. The exploits can target any version of Android or iOS aside from the latest ones.

Zimperium has not disclosed prices for the different types of exploits it plans to acquire, as each one will be evaluated individually by a special committee. However, the company has allocated $1.5 million for the program.

Exploit developers can even analyze the monthly patches of mobile OS makers, write working exploits for the patched vulnerabilities and submit them to the program, because the existence of working exploits could drive patch adoption in the ecosystem.

"Multiple Zimperium Handset Alliance (ZHA) partners explained to us that without proof of exploitability, it’s hard to convince the security teams to allocate resources needed for a complete patch cycle, even for known issues," Avraham said.

Zimperium will use the exploits to enhance its z9 mobile protection engine, which  uses machine learning to detect and block network, local and application attacks. It  will also share the exploits with the ZHA, which includes security team members from more than 30 global device manufacturers and carriers.

Zimperiuym also plans to release the exploits publicly after three months unless their authors specifically asks the company not to.

"Our goal is to help the community, penetration testers, mobility and IT Admins to better evaluate their security and protect their devices," Avraham said.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.