The million dollar iOS 9 hack



Zerodium, a company that pays for security information and exploits, is going to pay an anonymous group of hackers $1 million dollars for finding a hack into Apple’s iOS 9.1 mobile operating system. The company started a competition in September, called The Million Dollar iOS 9 Bug Bounty, promising to pay anyone who found vulnerabilities in the iPhone’s operating system a million dollars, and apparently they have a winner.

The company behind the competition describes itself as follows:

ZERODIUM is a privately held and venture backed startup, founded by cybersecurity veterans with unparalleled experience in advanced vulnerability research and exploitation. We've created ZERODIUM to build a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.

Chaouki Bekrar first founded VUPEN, a company that, unlike others, did its own research in finding bugs and vulnerabilities. But after attracting the attention of lawmakers and governments, who questioned the legality and morality of his doings, Bekrar moved on to start Zerodium “a zero-day vulnerability and exploit acquisition program” as he puts it.

Bug bounties are nothing new, they are widely used as a motivation for hackers to find weaknesses in systems, before they go public. In this case, Zerodium has no intention of fixing anything, but selling the acquired knowledge to the highest bidding company or organization, indifferent to the buyer’s intentions. The requirements or conditions to win the bounty sound very much like the search for a new jailbreak; but this will give an unknown buyer, who is willing to pay at least over a million dollars, the capability to infiltrate all devices running on iOS 9.1 and do whatever he pleases. Spooky.  .

Here is what the hackers had to achieve if they wanted to get the whole jackpot.

Eligible submissions must include a full chain of unknown, unpublished, and unreported vulnerabilities/exploits (aka zero-days) which are combined to bypass all iOS 9 exploit mitigations including: ASLR, sandboxes, rootless, code signing, and bootchain.

The exploit/jailbreak must lead to and allow a remote, privileged, and persistent installation of an arbitrary app (e.g. Cydia) on a fully updated iOS 9 device (see below).

The initial attack vector must be either:

    - a web page targeting the mobile browser (Mobile Safari OR Google Chrome) in its default configuration; OR

    - a web page targeting any application reachable through the browser; OR

    - a text message and/or a multimedia file delivered through a SMS or MMS.

The whole exploitation/jailbreak process should be achievable remotely, reliably, silently, and without requiring any user interaction except visiting a web page or reading a SMS/MMS (attack vectors such as physical access, bluetooth, NFC, or baseband are not eligible for the Million Dollar iOS 9 Bug Bounty. ZERODIUM may, at its sole discretion, make a distinct offer to acquire such attack vectors.).

The exploit/jailbreak must support and work reliably on the following devices (32-bit and 64-bit when applicable):

    - iPhone 6s / iPhone 6s Plus / iPhone 6 / iPhone 6 Plus

    - iPhone 5 / iPhone 5c / iPhone 5s

    - iPad Air 2 / iPad Air / iPad (4rd generation) / iPad (3th generation) / iPad mini 4 / iPad mini 2

Partial or incomplete exploits/jailbreaks will not be eligible for the Million Dollar iOS 9 Bug Bounty. ZERODIUM may, at its sole discretion, make a distinct offer to acquire such partial exploits.

All submissions must be made exclusively to ZERODIUM and must include the fully functioning exploit and its source code (if any), and a detailed whitepaper describing all the zero-day vulnerabilities and techniques used in the jailbreak.



Joe Jejune

I am a gadget freak and love everything about technology. In my day job I work at a startup and help build applications for the healthcare industry. 


More

The top antivirus programs for your iPhone

With the launch of new age smartphones, security risks have literally increased tenfold. Hackers and malware developers are doing their best to crack into your phone and mess it up or steal all the data. And with the new technologies being used in modern smartphones, this has become extremely easy. So today we will take a look at some of the top antivirus software you can use on your iPhone for better security. Read on to find out more. McAfee Mobile Security McAfee is considered as the perfect security tool for your iPhone if you want to keep nosy family members and friends away from the...

IoT, its future and its impact on our lives

A radical change in our lives brought about by the Internet of Things – An overview

How to get your business through stormy weather

Having your own business is very rewarding in many ways, but it comes with a price. When you run your own business, no matter how big or small, you are responsible for yourself and the people that you employ, there is no monthly paycheck unless you provide for it. That is why having a solid financial base is crucial to keep your business alive if or when the going gets rough. There are lots of reasons your income or turnover could slack, not the right season, the economy is slow, there is a new and better product on the market or even new competition. In most cases, if you play your cards...