Unknown to Ms. Thompson, there is a healthy market for bugs and the code to weaponize them, which allow governments, defense contractors and cybercriminals to invisibly spy on people’s devices, capturing everything from their locations to information caught on their microphones and cameras. The FaceTime flaw, and other Apple bugs, can fetch tens of thousands, if not hundreds of thousands or even millions of dollars, from dozens of brokers. Those brokers then sell those bugs for ever higher sums to governments and intelligence and law enforcement agencies around the world. On the seedier side of the spectrum are brokers who will sell these tools on the dark web to the highest bidder.
The only catch is that hackers must promise never to disclose the flaw to the vendor for patching, so that buyers can keep their access.
The market for Apple flaws has soared in the post-Edward Snowden era as technology makers include more security, like end-to-end encryption, to thwart would-be spies. This month, Zerodium, a well-known broker and security firm, raised its reward for an Apple iOS bug to $2 million.
In part to compete in that market, and reward those who do right by the company by notifying it of potentially lucrative bugs, Apple announced its own bounty program in 2016 — the last of the Silicon Valley companies to do so.
At a hacker conference that year in Las Vegas, Apple made a surprise announcement: It said it would start paying rewards as high as $200,000 to hackers who responsibly turned over crucial flaws in its products. But the bounty program has been slow going, in part, hackers say, because they can make multiples of that bounty on the black market, and because Apple has taken its time rewarding them for reporting problems.
The FacePalm bug is a particularly egregious case, researchers say, not just because it was discovered by a teenager simply trying to use his phone, but because it allowed full microphone and video access.