In-brief: The CEO of a company offering a $1 million bounty for a working exploit of Apple’s iOS operating system said two teams are closing in on the prize. The offer – for up to three iOS exploits – runs through October 31st.
A firm offering up a one million dollar bounty for a method to defeat the security of Apple’s latest version of the iOS operating system said it is tracking two teams who are close to qualifying for the award.
Zerodium is in “direct contact” with one team that is “very close” to achieving a jail break of iOS 9.1, Chaouki Bekrar told Security Ledger. “They still lack a couple of vulnerabilities to finish the full chain, but they are the first potential winner of the bounty.”
Bekrar said that the company is “aware of” another team that has a working iOS 9.1 exploit and is “willing to submit it” prior to expiration of the bounty offer, at the end of October. However, the company “lacks technical details about their advancement,” Bekrar said.
Bekrar announced the million dollar bounty on September 21st, saying his company set aside $3 million for up to three “browser-based, untethered jailbreaks” for devices running the latest Apple iOS 9 operating system. Both exploits of iOS and jailbreaks – techniques for defeating iOS’s content controls – qualify. But the offer expires on October 31st.
Apple’s mobile operating system is widely recognized as one of the most difficult pieces of software to hack. Bekrar, who founded the security consulting firm VUPEN, said The Million Dollar iOS 9 Bug Bounty is meant for “experienced security researchers, reverse engineers, and jailbreak developers.”
Bekrar declined to describe the kinds of exploits the teams were working on, though he predicted in September that Apple’s browser engine, Webkit, or Google’s more recent fork of Webkit, dubbed “Blink” were likely targets for researchers – at least initially. “It is widely recognized that there are still many vulnerabilities affecting this component despite the efforts of Google and Apple,” Bekrar wrote in an e-mail.
The $1 million offer is well above anything that is being offered on the public market for information on vulnerabilities. There, information on remotely executable holes typically fetch between $10,000 and $25,000 each. Though there are exceptions. Microsoft, for example, will pay awards of $100,000 for “truly novel exploitation techniques” against protections built into the latest version of Windows or for “defensive ideas that accompany a qualifying Mitigation Bypass submission.”
The offer has been met with criticism, especially from privacy and civil liberties advocates concerned that Zerodium will turn over any working exploits to intelligence agencies who are the company’s main customers.
But Bekrar has maintained that exploiting iOS will require more than just discovering a single vulnerability. Smaller bounties “are definitely not worth a sophisticated and reliable exploit which required many weeks of hard work and/or a chain of multiple vulnerabilities,” he wrote. “This is the gap that Zerodium is filling.”