Winner claimed in $1 million iOS 9 hacking contest

Bug bounty firm Zerodium will make the vulnerability information available to its customers

A team of security researchers may have found a way to remotely penetrate the defenses of Apple's latest mobile OS, making them eligible for a $1 million reward.

The money was offered in a contest run by a Washington, D.C.-based company called Zerodium, which is in the controversial business of buying and selling information about software vulnerabilities.

It congratulated the winning team on Twitter Monday, though it didn't identify the researchers, which made its claim about finding a new security hole in iOS 9 impossible to verify.

Apple officials didn't immediately have a comment.

Chaouki Bekrar, Zerodium's founder, said via email that the winning team's exploit "is still being extensively tested by Zerodium to verify and document each of the underlying vulnerabilities."

Apple's iOS is one of the most challenging mobile operating systems for hackers to exploit, and the company has engineered strong defenses around it that make it hard to infect with malware.

Zerodium launched its contest in September, saying it would reward the first group to come up with a remote, browser-based exploit. That means the unauthorized code had to be delivered to an iOS device by getting the user to visit a web page using Chrome or Safari, or via a text or multimedia message sent to the device, according to Zerodium's conditions.

"It's definitely very technically challenging," said Patrick Wardle, director of research with Synack, a service that matches security researchers with bug-hunting work.

Despite the difficulty, enthusiasts have found ways around Apple's defenses in the past to install unapproved apps, a process known as jailbreaking.

Jailbreakers usually want to run apps from Cydia, a store for unauthorized apps. The jailbreak exploit code is publicly available and those who developed it weren't paid.

Zerodium, however, keeps the vulnerabilities it buys close and only makes them available to clients who subscribe to its Security Research Feed.

Bekrar said the vulnerabilities found by the winning team may be reported to Apple later by Zerodium.

The reward that the company is allegedly paying shows how valuable the information could be to other companies, organizations and even nation states.

"If they're paying a million dollars, I'm sure that means someone is willing to buy it for that or more," Wardle said in a phone interview Monday.

The flaws are known as "zero-day" vulnerabilities since Apple hasn't had time yet to develop a patch. It may be hard for Apple to figure out how to fix the flaws if more information doesn't leak out.

Wardle said the team likely found several software flaws that are used in a chain to ensure any planted code stays on an iOS 9 device even after it is rebooted.

That probably means the group has found a browser vulnerability and then another one around the core of the operating system, known as the kernel, Wardle said. A third flaw would also be needed to ensure the unauthorized code stays on the device on reboot since Apple checks for strange apps, he said.

Bekrar wouldn't reveal much detail other than that "the exploit chain includes a number of vulnerabilities affecting both Google Chrome browser and iOS, and bypassing almost all mitigations in place."

A second team also participated in the contest, Bekrar wrote. That team developed a partial jailbreak and may be eligible for a partial reward, he said.

Bekrar also founded Vupen, a now-shuttered vulnerability broker that sold information to government agencies and other organizations.

Vupen's business model was criticized by some in the security community, who contended that sharing vulnerability information without notifying software vendors could put people at unnecessary risk if the information is abused.

Stories by Jeremy Kirk