$1m grabbed for iOS 9.1 bug that will be kept from Apple

Zero-day broker Zerodium claims to have awarded $1 million to an unnamed hacking team that found a remotely exploitable bug in iOS 9.1 that it almost certainly will not share with Apple.

The firm, which buys software exploits from hackers and sells them to governments for “tailored cybersecurity capabilities”, announced on Monday that the bounty went to one team that had submitted a remote browser-based jailbreak effective against iOS 9.1 and iOS 9.2 beta.

“Our iOS #0day bounty has expired & we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!,” Zerodium said on Twitter.

Chaouki Bekrar, founder and CEO of Zerodium, noted that this time the bounty wouldn’t make a single person a millionaire.

“It's a team so they will share the million...after paying taxes to their Gov who will use that money to buy useful things :-)),” he wrote in response to a comment on Twitter about the bounty.

Zerodium hasn’t revealed the name of the team who won the bounty or its members.

Had the bug not been remotely exploitable, it wouldn’t have qualified. An example of an exploit that fell short was the Pangu Team jailbreak for iOS 9.1 that Apple patched in October, which required an iOS device to be tethered to a PC for a successful jailbreak. Besides that, the Pangu jailbreak, itself an exploit for iOS 9, was in the public domain already.

One reason Zerodium isn’t interested in publicly known exploits is that the vendor has a chance to neutralise the attack. Apple patched the bugs in the Pangu jailbreak a week after it was published. The jailbreak offered users of iOS versions prior to iOS 9.1 a way to install an alternative app store, but the same jailbreak could in different circumstances be used by a remote attacker to gain control of the device.

Zerodium announced its “Million Dollar iOS 9 Bug Bounty” in September, offering up to $3 million for qualifying jailbreaks that it valued at $1 million apiece, so long as the bug was sold exclusively to it.

The company said it offered a high price because it considered iOS “the most secure” mobile OS, which “has currently the highest cost and complexity of vulnerability exploitation”.

Another reason for the high price is the profile of Zerodium’s customers. The company likely plans on reselling the same exploit to intelligence agencies at multiple governments, Robert Graham, CEO of Errata Security, noted when the bounty was launched.

“If they can sell it to four different countries for $300,000, they'll make a profit. On the other hand, some countries will pay more for exclusive access to a bug -- paying for the privilege of cyber-superiority,” he wrote.

He also doubted the exploit would be sold as a jailbreak, given the likelihood of it being reverse engineered by other hackers once released, which ultimately would reduce the value of the exploit as a tool for government agencies.

“Zerodium phrases their bounty in terms of "jailbreaks", but I'm pretty sure the market for "intelligence 0days" is much greater. Actually using it for jailbreaks would mean it would quickly get reverse engineered, and even fixed by Apple, so I doubt they'd use it for that purpose.”

The other reason for such a high price was the stringent conditions to qualify. For example, eligible exploits would need to bypass all of Apple’s OS hardening methods. Also, the attack needed to support remote execution, so that it could be launched from a web page or text message. Attacks that are technically remote but still require proximity to a targeted device, for example, one that uses Bluetooth, were excluded.
