​$1m grabbed for iOS 9.1 bug that will be kept from Apple

Zero-day broker Zerodium claims to have awarded $1 million to an unnamed hacking team that found a remotely exploitable bug in iOS 9.1 that it almost certainly will not share with Apple.

The firm, which buys software exploits from hackers and sells them to governments for “tailored cybersecurity capabilities”, announced on Monday that the bounty went to one team that had submitted a remote browser-based jailbreak effective against iOS 9.1 and iOS 9.2 beta.

“Our iOS #0day bounty has expired & we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!,” Zerodium said on Twitter.

Chaouki Bekrar, founder and CEO of Zerodium, noted that the bounty wouldn’t this time make a single person a millionaire.

“It's a team so they will share the million...after paying taxes to their Gov who will use that money to buy useful things :-)),” he wrote in response to a comment on Twitter about the bounty.

Zerodium hasn’t revealed the name of the team who won the bounty or its members.

Had the bug not been remotely exploitable it wouldn’t have qualified. An example was the Pangu Team jailbreak for iOS 9.1 that Apple patched in October, which required an iOS device be tethered to a PC for a successful jailbreak. Besides that, the Pangu jailbreak — itself an exploit for iOS 9 — was in the public domain already.

One reason Zerodium isn’t interested in publicly known exploits is the vendor has a chance to neutralise the attack. Apple patched the bugs in the Pangu jailbreak a week after it was published. The jailbreak offered users iOS prior to iOS 9.1 a way to install an alternative app store, but the same jailbreak could in different circumstances be used by a remote attacker to gain control of the device.

Zerodium announced its “Million Dollar iOS 9 Bug Bounty” in September, offering up to $3 million for qualifying jailbreaks that it valued at $1 million a piece, so long the bug was sold exclusively to it.

The company said it offered a high price because it considered iOS “the most secure” mobile OS, which “has currently the highest cost and complexity of vulnerability exploitation”.

Another reason that justifies the high price is because of the profile of Zerodium’s customers. The company likely plans on reselling the same exploit to intelligence agencies at multiple governments, Robert Graham, CEO of Errata Security noted when the bounty was launched.

“If they can sell it to four different countries for $300,000, they'll make a profit. On the other hand, some countries will pay more for exclusive access to a bug -- paying for the privilege of cyber-superiority,” he wrote.

He also doubted the exploit would be sold as a jailbreak, given the likelihood of it being reverse engineered by other hackers once released, which ultimately would reduce the value of the exploit as a tool for government agencies.

Zerodium phrases their bounty in terms of "jailbreaks", but I'm pretty sure the market for "intelligence 0days" is much greater. Actually using it for jailbreaks would mean it would quickly get reverse engineered, and even fixed by Apple, so I doubt they'd use it for that purpose.

The other reason for such a high price were the stringent conditions to qualify. For example, eligible exploits would need to bypass all Apple’s OS hardening methods. Also, the attack needed to support remote execution, so that it could be launched from a web page or text message. Technically remote attacks that still require proximity to a targeted device, for example, one that uses Bluetooth, were excluded.

Want to know more?

Why not become a CSO member and subscribe to CSO's mailing list.

Get newsletters, updates, events and more right here.