
Think you can hack the newest iPhones and iPads? It could have scored you a cool million.
In September, Zerodium, a zero-day acquisition platform, offered a reward of $1 million to anyone who could hack the newest iOS 9 and remotely jailbreak both iPhones and iPads. With recent security improvements in place, iOS 9 is known as the most secure mobile operating system. Zerodium was confident that with the right reward in place, iOS 9 could be beaten. However, no one has been able to remotely jailbreak iOS 9 since its release over a year ago. Until now.
Our iOS #0day bounty has expired & we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!
— Zerodium (@Zerodium) November 2, 2015
Many tech companies like Google and Facebook prefer to pay hackers for any vulnerabilities they discover. Apple, on the other hand, doesn’t offer a bug bounty, so companies like Zerodium cash in big. But how does Zerodium make a profit with this information if Apple won’t pay out? Essentially, it sells the information to its customers: in Zerodium’s case, government clientele like the NSA, CIA or the FBI. The newest mobile encryption practices of both iOS and Android have made it nearly impossible for the government to keep tabs on cell users. Although the government’s “spying” on its citizens may be technically legal, tech companies also aren’t breaking any laws by securing their mobile operating systems. And that makes information like how to hack iOS 9 all the more valuable for government agencies.
Here were the requirements to win the million-dollar bounty. Although Zerodium announced a winner, it is still reviewing the submission to ensure it meets all of these requirements.
Eligible submissions must include a full chain of unknown, unpublished, and unreported vulnerabilities/exploits (aka zero-days) which are combined to bypass all iOS 9 exploit mitigations including: ASLR, sandboxes, rootless, code signing, and bootchain.
The exploit/jailbreak must lead to and allow a remote, privileged, and persistent installation of an arbitrary app (e.g. Cydia) on a fully updated iOS 9 device (see below).
The initial attack vector must be either:
– a web page targeting the mobile browser (Mobile Safari OR Google Chrome) in its default configuration; OR
– a web page targeting any application reachable through the browser; OR
– a text message and/or a multimedia file delivered through a SMS or MMS.
The whole exploitation/jailbreak process should be achievable remotely, reliably, silently, and without requiring any user interaction except visiting a web page or reading a SMS/MMS (attack vectors such as physical access, bluetooth, NFC, or baseband are not eligible for the Million Dollar iOS 9 Bug Bounty. ZERODIUM may, at its sole discretion, make a distinct offer to acquire such attack vectors.).
The exploit/jailbreak must support and work reliably on the following devices (32-bit and 64-bit when applicable):
– iPhone 6s / iPhone 6s Plus / iPhone 6 / iPhone 6 Plus
– iPhone 5 / iPhone 5c / iPhone 5s
– iPad Air 2 / iPad Air / iPad (4th generation) / iPad (3rd generation) / iPad mini 4 / iPad mini 2
Partial or incomplete exploits/jailbreaks will not be eligible for the Million Dollar iOS 9 Bug Bounty. ZERODIUM may, at its sole discretion, make a distinct offer to acquire such partial exploits.
All submissions must be made exclusively to ZERODIUM and must include the fully functioning exploit and its source code (if any), and a detailed whitepaper describing all the zero-day vulnerabilities and techniques used in the jailbreak.