Hackers win $1 million bug bounty in remotely jailbreaking iOS 9 hacking contest
Zerodium, a security agency based in Washington, D.C. had announced in September this year that it was willing to offer $1 million to any hacker or team of hackers that could find a way to remotely jailbreak an iPhone or iPad running the latest version of iOS. Zerodium is in the controversial business of buying and selling information about software vulnerabilities.
The bounty challenge expired at the end of October, and Chaouki Bekrar, founder of Zerodium took to Twitter yesterday to announce that one hacking team had successfully created a browser-based jailbreak for iOS 9.1 and iOS 9.2, the latest versions of iOS 9, earning $1 million during this week.
The important part of the contest rules was that the vulnerability should be achievable remotely without requiring user interaction beyond reading a text message or visiting a website via Chrome or Safari or a text or multimedia message on an iOS device. In other words, a hacker would need to discover not a single but a whole series of vulnerabilities in order to remotely install apps.
“Making the jailbreak remotely triggerable via Safari or Chrome requires at least two to three additional exploits compared to a local jailbreak,” – noted Bekrar.
Bekrar explained that the winning team found a “number of vulnerabilities” in Chrome and iOS to bypass “almost all mitigations” and achieve “a remote and full browser-based (untethered) jailbreak.”
Zerodium stands out from many tech companies that offer bounties for vulnerabilities, as their bounty is much higher. Also, they do not release detailed information about exploits and vulnerabilities. And the most important thing is that they sell the new exploits to its customers, which include major technology, finance, and defense corporations, along with government agencies.
Bekrar refused to divulge information regarding the winning team, as well as details about the exploits they found. He also declined to say how much he is planning to sell this exploit for. However, if his company was ready to pay $1 million dollars for this exploit, presumably the new customer will be ready to pay much more.
Bekrar said that Zerodium is still testing the vulnerabilities to make sure the exploit chain ”fully meets the bounty rules.”
He also added that Apple will probably patch this bugs in ”a few weeks to a few months” and that Zerodium customers now have a chance to learn about iOS’s security and ”make better decisions regarding the mobile devices that they’ll use (iOS vs Android) and they will better protect themselves.”
”This challenge is one of the best advertisement for Apple as it has confirmed once again that iOS security is real and not just about marketing,” Bekrar said. ”No software other than iOS really deserves such a high bug bounty.”