It’s Cheap to Exploit Software — and That’s a Major Security Problem

How much would it cost to hack your phone? The best guess for an iPhone is between $0 and $65,000 — and that price mainly depends on you. If you skipped a really important security update, the cost is closer to $0.

Say you were up to date. That $65,000 figure is an upper bound on the cost of exploiting the median individual; switch to an Android, a Mac, or a PC and it could get a lot lower. Apple has invested enormous resources in hardening the iPhone. The asking price for an individual iPhone exploit, bought outright rather than as a service, can go as high as $8 million. Compare that to the cost of an exploit for a PDF reader like Adobe Acrobat, notoriously riddled with security vulnerabilities, which according to this TrendMicro research report (PDF) is $250 and up.

Switch from targeting a specific person to targeting any of the thousands of people at a large company and there are myriad ways in. An attacker only needs to find the cheapest one.

The fact that a modern iPhone exploit sells for millions versus hundreds for an Adobe Acrobat exploit is an extraordinary achievement for Apple, worth celebrating and trying to replicate elsewhere. It reflects that big tech companies have quietly spent enormous resources to raise the cost to exploit software over the past 20 years.

How Do We Increase the Cost of Exploitation?

Outside the largest technology companies, the idea of trying to make software harder to exploit has often been seen as a lost cause. Imagine there's a worm moving across your network. It's hard to get 1,000 office workers to patch and reboot their computers, so you put a firewall at the network perimeter to block the worm's network packets. That keeps the worm out, but every machine behind the firewall is still vulnerable the moment the worm gets inside the network.

The modern approach (zero trust, pioneered by Forrester) is to assume the "perimeter" is already breached, so each device and application, regardless of its network location, has to be hardened on its own. How? By raising the cost to exploit the software itself.

Although this has been seen as a prohibitively expensive approach, it’s gaining in popularity. Here are some techniques that have notably raised the cost of exploiting software, along with what makes them expensive or challenging to roll out:

What Are Potential Solutions?

I believe the future requires three things. First, more security engineers and more security engineering: hiring security engineers who have development backgrounds, and getting engineering leadership to buy in on the goal of increasing the cost to exploit software. Second, shifting our focus from tools that clean up after exploitation (detection and response) to tools that raise the cost to exploit in the first place. Third, building those new tools not in an isolated, security-centric world but together with developer stakeholders, with an eye to the business's need to ship fast.

Software is eating the world, and software is cheap to exploit. We’re definitely not going to slow down the former, so let’s change the latter.