New zero-day startup offers $20 million for tools that can hack any smartphone

A new United Arab Emirates-based startup is offering up to $20 million for hacking tools that could help governments break into any smartphone with a text message. Advanced Security Solutions launched this month and is now offering some of the highest prices, at least among publicly listed ones, in the whole zero-day market. Zero-days are flaws in software that are unknown to the affected developer at the time of their discovery. Hacking tools that exploit such flaws can be highly valuable for hackers, especially those working for law enforcement and intelligence agencies.

Apart from the highest bounty of $20 million, which applies to any mobile operating system, the company also offers bounties for exploits in various software. It offers $15 million for zero-days for Android devices and for iPhones, $10 million for Windows, $5 million for Chrome, and $1 million for Apple’s Safari and Microsoft Edge browsers, among others.

It is unclear who is behind the company and who its customers are. The company’s website states, “We empower government agencies, intelligence services, and law enforcement to operate with precision in the digital battlefield. We maintain continuous cooperation with over 25 governments and intelligence agencies worldwide. Our clients consistently return for new services, reflecting the trust and strategic value we provide in high-stakes operational contexts, including counterterrorism and narcotics control.”

The website also says that while the company is new, it is staffed exclusively by professionals with over 20 years of operational experience in elite intelligence units and private military contractors. Advanced Security Solutions did not respond to a series of questions, including who funds, owns, and runs the company, who the customers are, and whether the company has any self-imposed ethical or legal restrictions on which governments it sells to.

A security researcher with experience in the world of zero-days stated that the prices offered by Advanced Security Solutions are approximately in line with the current market. The person, who spoke on condition of anonymity, said that normally these advertised prices are in the ballpark. The person added that the $20 million bounty is low depending on how unscrupulous a seller is. The researcher also warned that he would not personally deal with a company that does not disclose who is behind it, stating that one should not sell bugs to anyone trying to hide their identity.

The market for zero-days has expanded considerably in the last ten years, both in terms of the number of companies participating and the prices offered. In 2015, Zerodium, a broker that acquires zero-days from researchers and resells them to governments, was among the first companies to publicize its price list. At the time, it offered up to $1 million for tools to hack iPhones. Three years later, Crowdfense offered $3 million for the same type of zero-days.

More recently, the prices of zero-days have skyrocketed. This is partly due to higher demand and also because it is getting more difficult to hack modern devices and software, thanks to big tech companies improving their security. Last year, Crowdfense published a new price list offering up to $7 million for zero-days to break into iPhones and $5 million for the same type of exploits for Android. Customers can also buy zero-days for specific apps, especially messaging apps like WhatsApp and Telegram.

Advanced Security Solutions says it offers $2 million for Telegram, Signal, and WhatsApp zero-days. Russian zero-day company Operation Zero was an outlier in the market, offering up to $20 million for the same type of exploits that Advanced Security Solutions is looking for. Operation Zero is in a unique position because it says it works only with the Russian government. For many researchers in the U.S. and Europe, it is illegal to sell their hacking tools to Russia, which means Operation Zero may have a harder time finding what it seeks.