In-brief: One team qualified for the $1 million bounty for a working, remote exploit or jailbreak for devices running Apple's iOS 9 operating system, according to the security firm Zerodium. A second may also qualify for at least a partial bounty. However, Apple may only be informed of the holes at a later date.
A firm that counts some of the world’s top intelligence agencies as customers said it will pay a $1 million bounty for a working, remote exploit of Apple’s iOS mobile operating system to one team of hackers who submitted the proof just hours ahead of an October 31st deadline.
Zerodium, a company that trades in software vulnerabilities, used Twitter on Monday to announce that one team had submitted a working exploit of iOS and that it would relay that information to its paying customers – though not to iOS’s creator, Apple Corp. – at least not right away.
“Our iOS #0day bounty has expired & we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!”
In an e-mail to The Security Ledger, Chaouki Bekrar, Zerodium’s founder, said that one of two teams actively participating in the Zerodium iOS bounty was able to achieve a “remote and full browser-based (untethered) jailbreak of iOS 9.1 and 9.2 beta.” A second team “has a partial jailbreak and may potentially qualify for a partial reward,” he wrote.
Zerodium, based in the U.S., is a kind of cyber intelligence middleman, buying exclusive rights to information on security holes in well-known software and methods to exploit it. That information is made available to the company’s customers, including Fortune 500 firms and “three-letter agencies,” said Bekrar.
The company announced the eye-popping $1 million bounty on September 21, saying it would pay up to three million-dollar bounties for “an exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices.”
In subsequent interviews, Bekrar told Security Ledger that the difficulty of defeating Apple’s content protections and other security features justified the size of the bounty.
“iOS 9 is currently the most secure mobile operating system and it’s a very complex and long process to develop a full chain of exploits which can bypass the advanced mitigations in place,” he wrote on September 23. “We believe that one million US dollars is high enough to motivate many talented researchers to accept this highly technical challenge.”
In the intervening weeks, one security firm – the Chinese hacking outfit Pangu – released what it claims is a tool to jailbreak Apple devices running iOS 9. Bekrar said that Pangu had not contacted Zerodium regarding the bounty, but that its exploit likely would not have qualified for the reward because it could only be used with local access to the device. Zerodium’s bounty was contingent on the ability to compromise the device remotely, Bekrar explained.
“Pangu’s jailbreak lacks two or three additional vulnerabilities and exploits to be eligible for the Zerodium bounty … this is a potential reason why Pangu did not participate in the bounty,” he wrote.
Remote exploits of iOS are far more valuable to would-be buyers because they allow attackers to compromise a device without having physical access to it. Possible attacks might come in the form of a malicious mobile application that users are tricked into downloading, or a malicious link sent via e-mail, text or social media and designed to compromise a local application like the Safari web browser.
One prominent iOS security expert said the bar for developing a remote exploit for iOS 9 was set dizzyingly high.
“It will likely require 2-4 vulnerabilities,” wrote Charlie Miller, a security researcher who did some of the earliest work on exploiting iOS and – more recently – has turned his attention to testing the security of connected vehicles.
In addition to exploiting the local web browser on the device, attackers would need to discover and exploit a handful of other holes to read and write data on the device and to break out of the local application sandbox on iOS, and – possibly – yet another exploitable hole to elevate their privileges so they can modify protected areas of the operating system.
“Let's just say it is hard enough that I don’t bother trying,” Miller wrote.
Bekrar’s account of the winning submission supports that. He described it as an exploit chain containing multiple vulnerabilities affecting both the Google Chrome browser on iOS and the operating system itself. It bypassed “almost all” mitigations, Bekrar wrote.
Still, Zerodium is testing the exploit to verify and document each of the underlying vulnerabilities, he said.
Assuming the company is satisfied that the team qualifies, Zerodium will pay the bounty and report the vulnerabilities to its customers. It may report them to Apple as well, though Bekrar said that would be done “later.”
Apple did not immediately respond to a request for comment. It is one of a shrinking number of leading technology firms that does not offer bounties for information on security holes in its software. That policy has earned it criticism from the security community, which argues that the Cupertino company could deploy just a sliver of its massive cash hoard of more than $200 billion to effectively corner the market for security holes in OS X and iOS.
“The only effective way to combat this is [to] open up their bug bounty,” said Mark Litchfield, founder of Bug Bounty HQ and one of the world’s top independent vulnerability researchers.
“Clearly they would never offer [$1 million] but if they can give some reasonable bounty amounts I am sure they would have some great issues reported to them responsibly,” he said.