Exploit acquisition firm Zerodium announced on Monday that a team of hackers has completed its million-dollar iOS 9 zero-day challenge.
Zerodium, a company launched this summer by Chaouki Bekrar, the founder of the French security firm Vupen, announced in September that security researchers, reverse engineers and jailbreakers can earn up to $1 million for exclusive iOS 9 exploits and jailbreaks as part of a bug bounty program running until October 31.
According to Zerodium, there is one winning team, which managed to develop a remote browser-based untethered jailbreak that works on iOS 9.1 and 9.2 beta.
Our iOS #0day bounty has expired & we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!
— Zerodium (@Zerodium) November 2, 2015
The first jailbreak for iOS 9 was released in mid-October by Pangu Team, a Chinese group specializing in iOS jailbreaks. However, Pangu Team’s jailbreak requires physical access to the targeted device, while Zerodium has been looking for a full chain of zero-day exploits that can be used remotely, silently and with minimal user interaction.
“If what Zerodium says is true, then it’s now possible to jailbreak an iPhone running iOS 9 by simply tricking it into visiting a webpage hosting a zero-day exploit or sending it a boobytrapped SMS message,” security expert Graham Cluley said on Intego’s blog.
The rules of Zerodium’s million-dollar bug bounty program specify the Apple Safari and Google Chrome browsers as the initial attack vector, but it’s unclear which of these has been targeted by the winning team.
Many users have asked Zerodium to release the jailbreak, but that is unlikely to happen. Zerodium’s customers are, as described by the company, “major corporations in defense, technology, and finance, in need of advanced zero-day protection, as well as government organizations in need of specific and tailored cybersecurity capabilities.” These are the types of organizations that will be able to get the details of the iOS 9 zero-day, most likely for a significant amount of money.
However, Bekrar told Wired that his company might “later” disclose the vulnerability to Apple engineers.
Despite @Zerodium iOS remote jailbreak I still feel safe using my iPhone, knowing how hard it is. Attacking iOS costs x10 more than Android!
— Chaouki Bekrar (@cBekrar) November 3, 2015
“The one silver lining, at least for now, is that because of the high expense of the new jailbreaking exploit it is unlikely to be used in a widespread attack — instead, whoever stumps up the cash is likely to use it in very targeted situations, hoping that the jailbreak doesn’t leak into the wild, dramatically reducing its potency in future hacks,” Cluley noted.
In addition to the iOS 9 million-dollar bug bounty, which only ran for a limited time period, researchers can earn “premium rewards” from Zerodium for fully functional zero-day exploits that work against major desktop and mobile operating systems, web browsers, web applications, email and web servers, players and readers, and security solutions.