A new United Arab Emirates-based startup is offering up to $20 million for hacking tools that could help governments break into any smartphone with a text message.
Advanced Security Solutions launched this month and is now offering some of the highest prices, at least public ones, in the whole zero-day market. Zero-days are flaws in software that are unknown to the affected developer at the time of their discovery. These tools can be highly valuable for hackers, especially those working for law enforcement and intelligence agencies.
Apart from the highest bounty of $20 million, which applies to any mobile operating system, the company also offers bounties for exploits in various software: $15 million for the same type of zero-days for Android devices and for iPhones; $10 million for Windows; $5 million for Chrome; $1 million for Apple’s Safari and Microsoft Edge browsers, among others.
It’s unclear who is behind the company and who its customers are.
“We empower government agencies, intelligence services, and law enforcement to operate with precision in the digital battlefield,” reads the company’s website. “We maintain continuous cooperation with over 25 governments and intelligence agencies worldwide. Our clients consistently return for new services, reflecting the trust and strategic value we provide in high-stakes operational contexts, including counterterrorism and narcotics control.”
The website also says that while the company is new, “it is staffed exclusively by professionals with over 20 years of operational experience in elite intelligence units and private military contractors.”
Advanced Security Solutions did not respond to a series of questions, including who funds, owns, and runs the company, who the customers are, as well as whether the company has any self-imposed ethical or legal restrictions on which governments to sell to.
A security researcher with experience in the world of zero-days told TechCrunch that the prices offered by Advanced Security Solutions are approximately in line with the current market.
“Normally these advertised prices are in the ball park,” the person told TechCrunch on the condition of anonymity to speak candidly about the zero-day industry. The person added that the $20 million bounty “is low depending on how unscrupulous you are.”
The researcher also warned that, personally, he wouldn’t deal with a company that doesn’t disclose who is behind it, as is the case here. “I don’t think you should sell bugs to anyone who’s trying to hide who they are,” he said.
The market for zero-days has expanded considerably in the last 10 years, both in terms of the number of companies participating in it, as well as the prices offered.
In 2015, Zerodium, a broker that much like Advanced Security Solutions also acquires zero-days from researchers and resells them to governments, was among the first-ever companies to publicize their price list. At the time, the company founded by veteran exploit broker Chaouki Bekrar offered up to $1 million for tools to hack iPhones. Then, three years later, came Crowdfense offering $3 million for the same type of zero-days.
More recently, the prices of zero-days have skyrocketed, in part because there is higher demand and also because it’s getting more difficult to hack modern devices and software, thanks to big tech companies improving their security.
Last year, Crowdfense published its new price list, which offered up to $7 million for zero-days to break into iPhones, and $5 million for the same type of exploits for Android. Customers can also buy zero-days for specific apps, especially messaging apps like WhatsApp (up to $8 million) and Telegram (up to $4 million).
For its part, Advanced Security Solutions says it offers $2 million for Telegram, Signal, and WhatsApp zero-days.
Russian zero-day company Operation Zero was an outlier in the market, offering up to $20 million for the same type of exploits that Advanced Security Solutions is looking for. Operation Zero is in a unique position because it says it works only with the Russian government, and for many researchers in the U.S. and Europe, it’s illegal to sell their hacking tools to Russia, which means Operation Zero may have a harder time finding what it looks for.