The million dollar iOS 9 hack

Zerodium, a company that pays for security information and exploits, is going to pay an anonymous group of hackers $1 million for a working exploit chain against Apple’s iOS 9.1 mobile operating system. The company started a competition in September, called The Million Dollar iOS 9 Bug Bounty, promising a million dollars to anyone who delivered a full remote jailbreak of the iPhone’s operating system, and apparently they have a winner.

The company behind the competition describes itself as follows:

ZERODIUM is a privately held and venture backed startup, founded by cybersecurity veterans with unparalleled experience in advanced vulnerability research and exploitation. We’ve created ZERODIUM to build a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.

Chaouki Bekrar first founded VUPEN, a company that, rather than buying from others, did its own research into bugs and vulnerabilities. But after attracting the attention of lawmakers and governments, who questioned the legality and morality of his business, Bekrar moved on to start Zerodium, “a zero-day vulnerability and exploit acquisition program”, as he puts it.

Bug bounties are nothing new; they are widely used to motivate hackers to find weaknesses in systems and report them before they go public. In this case, however, Zerodium has no intention of fixing anything: it sells the acquired knowledge to the highest-bidding company or organization, indifferent to the buyer’s intentions. The requirements for winning the bounty read very much like the specification for a new jailbreak, but with one telling difference: a jailbreak is something the device’s owner runs, while this chain has to work remotely, from a web page or an SMS/MMS, with no user interaction and without physical access to the device. Whoever buys it, for well over a million dollars, gets the capability to silently and persistently compromise any of the listed devices running iOS 9.1 and do whatever they please. Spooky.

Here is what the hackers had to achieve if they wanted to get the whole jackpot.

Eligible submissions must include a full chain of unknown, unpublished, and unreported vulnerabilities/exploits (aka zero-days) which are combined to bypass all iOS 9 exploit mitigations including: ASLR, sandboxes, rootless, code signing, and bootchain.

The exploit/jailbreak must lead to and allow a remote, privileged, and persistent installation of an arbitrary app (e.g. Cydia) on a fully updated iOS 9 device (see below).

The initial attack vector must be either:

    – a web page targeting the mobile browser (Mobile Safari OR Google Chrome) in its default configuration; OR

    – a web page targeting any application reachable through the browser; OR

    – a text message and/or a multimedia file delivered through a SMS or MMS.

The whole exploitation/jailbreak process should be achievable remotely, reliably, silently, and without requiring any user interaction except visiting a web page or reading a SMS/MMS (attack vectors such as physical access, bluetooth, NFC, or baseband are not eligible for the Million Dollar iOS 9 Bug Bounty. ZERODIUM may, at its sole discretion, make a distinct offer to acquire such attack vectors).

The exploit/jailbreak must support and work reliably on the following devices (32-bit and 64-bit when applicable):

    – iPhone 6s / iPhone 6s Plus / iPhone 6 / iPhone 6 Plus

    – iPhone 5 / iPhone 5c / iPhone 5s

    – iPad Air 2 / iPad Air / iPad (4th generation) / iPad (3rd generation) / iPad mini 4 / iPad mini 2

Partial or incomplete exploits/jailbreaks will not be eligible for the Million Dollar iOS 9 Bug Bounty. ZERODIUM may, at its sole discretion, make a distinct offer to acquire such partial exploits.

All submissions must be made exclusively to ZERODIUM and must include the fully functioning exploit and its source code (if any), and a detailed whitepaper describing all the zero-day vulnerabilities and techniques used in the jailbreak.