Firm: Two iOS Exploits Could Qualify for $1 Million Bounty

One team qualified for the $1 million bounty for a working, remote exploit or jailbreak for devices running Apples iOS 9 operating system, according to the security firm Zerodium.
One team qualified for the $1 million bounty for a working, remote exploit or jailbreak for devices running Apples iOS 9 operating system, according to the security firm Zerodium.

In-brief: One team qualified for the $1 million bounty for a working, remote exploit or jailbreak for devices running Apples iOS 9 operating system, according to the security firm Zerodium. A second may also qualify for at least a partial bounty. However, Apple may only be informed of the holes at a later date. 

A firm that counts some of the world’s top intelligence agencies as customers said it will pay a $1 million dollar bounty for a working, remote exploit of Apple’s iOS mobile operating system to one team of hackers who submitted the proof just hours ahead of an October 31st deadline.

Zerodium, a company that trades in software vulnerabilities used Twitter on Monday to announce that one company had submitted a working exploit of iOS and would relay that information to its paying customers – though not to iOS’s creator, Apple Corp. – at least not right away.

“Our iOS #0day bounty has expired & we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!”

In an e-mail to The Security Ledger, Chaouki Bekrar, Zerodium’s founder, said that one of two teams that were actively participating to the Zerodium iOS bounty was able to to achieve a “remote and full browser-based (untethered) jailbreak of iOS 9.1 and 9.2 beta.” A second team “has a partial jailbreak and may potentially qualify for a partial reward,” he wrote.

Zerodium, based in the U.S., is a kind of cyber intelligence middleman, buying exclusive rights to information on security holes in well-known software and methods to exploit it. That information is made available to the company’s customers, including Fortune 500 firms and “three-letter agencies,” said Bekrar.

A message posted via Zerodiums Twitter account claims that one team has claimed a $1 million bounty for a remotely exploit for the Apple iOS 9 operating system.
A message posted via Zerodiums Twitter account claims that one team has claimed a $1 million bounty for a remotely exploit for the Apple iOS 9 operating system.

The company announced the eye-popping $1 million bounty on September 21, saying it would pay up to three, million dollar bounties for “an exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices.”

In subsequent interviews, Bekrar told Security Ledger that the difficulty of defeating Apple’s content protections and other security features justified the size of the bounty.

“iOS 9 is currently the most secure mobile operating system and it’s a very complex and long process to develop a full chain of exploits which can bypass the advanced mitigations in place,” he wrote on September 23. “We believe that one million US dollars is high enough to motivate many talented researchers to accept this highly technical challenge.”

In the intervening weeks, one security firm – the Chinese hacking outfit Pangu – released what it claims is a tool to jailbreak Apple devices running iOS 9. Bekrar said that Pangu had not contacted Zerodium regarding the bounty, but that the exploit likely would not have qualified for the reward because its exploit could only be used with local access to the device. Zerodium’s bounty was contingent on the ability to do a remote compromise of the device, Bekrar explained.

“Pangu’s jailbreak lacks two or three additional vulnerabilities and exploits to be eligible for the Zerodium bounty … this is a potential reason why Pangu did not participate to the bounty,” he wrote.

Remote exploits of iOS are far more valuable to would-be buyers because they allow attackers to compromise a device without having physical access to it. Possible attacks might come in the form of a malicious mobile application that users are tricked into downloading, or a malicious link sent via e-mail, text or social media and designed to compromise a local application like the Safari web browser.

[Read more Security Ledger coverage of security issues facing Apple.]

One prominent iOS security expert said the bar for developing a remote exploit for iOS 9 was set dizzyingly high.

“It will likely require 2-4 vulnerabilities,” wrote Charlie Miller, a security researcher who did some of the earliest work on exploiting iOS and – more recently – has turned his attention to testing the security of connected vehicles.

In addition to exploiting the local web browser on the device, attackers would need to discover and find a way to exploit a handful of other holes to read and write data to the device and to break out of local application sandbox on iOS and – possibly – yet another exploitable hole to elevate the user’s privileges to allow them to modify protected areas of the operating system.

“Lets just say it is hard enough that I don’t bother trying,” Miller wrote.

Bekrar’s account of the winning submission supports that. He described it as an exploit chain containing multiple vulnerabilities affecting both the Google Chrome browser on iOS and the operating system itself. It bypassed “almost all” mitigations, Bekrar wrote.

Still, Zerodium is testing the exploit to verify and document each of the underlying vulnerabilities, he said.

Assuming the company is satisfied that the team has qualified for the bounty, Zerodium will pay the bounty and report the vulnerabilities to its customers. It may report them to Apple, as well, though Bekrar said that would be done “later.”

Apple did not immediately respond to a request for comment. It is one of a shrinking number of leading technology firms that does not offer bounties for information on security holes in its software. That policy has earned it criticism from the security community which argues that the Cupertino company could deploy just a sliver of its massive cash hoard of more than $200 billion to effectively corner the market for security holes in OS X and iOS.

“The only effective way to combat this is [to] open up their bug bounty,” said Mark Litchfield, founder of Bug Bounty HQ and one of the world’s top independent vulnerability researchers.

“Clearly they would never offer [$1 million] but if they can give some reasonable bounty amounts I am sure they would have some great issues reported to them responsibly,” he said.

2 Comments

  1. do you not believe that by publicising the fact that iOS 9.1 or later is vulnerable will invite cyber criminals to try and cause damage, or worse, to any and all iOS devices??? irving levington

    • These bounty programs usually come with very difficult/complicated to exploit bugs that are almost exclusively sold to hack high-value targets — which is to say it’s your governments paying for it, and extensive ‘agreements’ are signed to prevent them from being shared or resold (are they? who knows. it’s not like this is an ethical practice in the first place, and Waasenaar should have stopped stuff like this not make it okay for governments and private parties to capitalize on such things).

      Either way I’d be more concerned for the average person being bombarded by Android, Mac, and other exploits that are almost impossible to eradicate (especially the android ones) once they’ve been exploited. People think they’re no big deal so they release them — then we get stuff like stagefright (android) and thunderstruck/prince harming (macs) which are almost impossible to do anything about, in the former case because android device manufacturers want you to buy another phone not upgrade (good luck trying — and good luck cleaning up after, especially if it just gets exploited again with a single mms for example) — and as for the mac issue — once that’s bootkitted (true for pretty much any pc or mac, but the mac stuff hit the news hard this past year so I’m stressing it because there were NO fixes and it’s pretty much impossible for any average user to clean it up — or any mac store to know how to) well, good luck.

      So yeah, this ios stuff is bad. And a lot of private bug bounties that go to exploit ‘high value targets’ that are probably more often people with stuff people want access to, not terrorists (but I’m not sure, so don’t quote me on this) — and anything where the value is so high that killing the bug is important not to do — those get used less often, and more carefully. Which doesn’t make them ‘nice’.

      But nobody’s going to be giving that million dollar bug out for free (probably, especially since someone else would be willing to buy it if someone else figured it out).

      Worry more about android and your personal devices and other stuff that’s not patched before exploits are released — or are never patched at all. That means especially android — which is rarely patched, and is basically unpatchable (and more often than not is also ‘ownable’ on upgrade via a (windows-only, of course) upgrade).

      If you want to push for change, press google to fix their upgrade cycles and change the way they push security and operating system fixes. As it stands you CANNOT patch android. I’d write a nice note demanding to know why your phone isn’t secure and cannot ever be secure, despite the fact that millions and millions of devices are, right now, totally exploitable because of vendor greed and poor (or deliberate) design choices.

      Hopefully this post doesn’t upset anybody.

      If you do have to get an android, get a Nexus. They at least usually put the newest images up first — so if there are security fixes, they’re the ones (the FEW) that might get a chance at getting fixed. They’re not cheap. But android is buggier than ios. IOS almost always requires some sort of tether to root, too.