Tech

Hacker claims $1 million iOS 9 exploit bounty

With only a few hours to go, a hacking team has scooped up the $1 million prize by providing the platform with a remote zero-day exploit for iOS 9.

Written by Charlie Osborne, Contributing Writer Nov. 3, 2015 at 1:48 a.m. PT

Premium exploit platform Zerodium has announced the payout of a seven-figure prize to a team which has provided a remote exploit for Apple's latest mobile operating system, iOS 9.

Announced on Monday, Zerodium said a team has managed to provide an exclusive exploit for use against iPhone users running iOS 9, leading to an award of $1 million.

Startup Zerodium first hit the headlines this September by offering the lucrative prize to anyone who submitted a viable, exclusive hack for Apple's iOS 9 operating system.

While Chinese research team Pangu has already made an iOS 9 jailbreak available, the hack is not acceptable to the program as it misses components -- the jailbreak is not remote and is publicly available, failing to meet the requirement of "an exclusive, browser-based, and untethered jailbreak."

Featured

The platform also required the exploit to lead to "a remote, privileged, and persistent installation of an arbitrary app" on a fully updated iOS 9 device after the victim visited a compromised web page through the Safari or Chrome browsers, or alternatively a text or multimedia text message.

Zerodium calls itself a "premium zero-day vulnerability and exploit acquisition program" which sells threat and exploit data to "major corporations in defense, technology, and finance, in need of advanced zero-day protection, as well as government organizations in need of specific and tailored cybersecurity capabilities."

By purchasing exploits which have not been publicly disclosed, the company is able to turn a profit by selling this data to clients looking to tamper with smartphones.

Speaking to Motherboard, Zerodium CEO Chaouki Bekrar said "making the jailbreak remotely triggerable via Safari or Chrome requires at least two to three additional exploits," and so creating a viable exploit was no easy task.

It was only a few hours before the competition's deadline that one team found a way thanks to a "number of vulnerabilities" in Chrome and iOS 9, leading to the bypass of "almost all mitigations" and a full, untethered jailbreak.

There is little doubt that Apple-based zero-day exploits are hot property. Law enforcement agencies in the West are constantly complaining about Google and Apple's shift towards encryption by default, and vulnerabilities hidden from software vendors could give them the chance to bypass these attempts to thwart surveillance.

Apple is not the only target. Zerodium offers financial rewards for exploits targeting major products including Google's Android mobile OS, Windows, Mac, Safari, Chrome, Adobe Flash and Windows Phone, among others.