Hackers Claim Zerodium's $1M Bounty for Breaking into iPhone
It took more than a month, but an anonymous team of hackers has finally claimed the $1 million bounty offered by cybersecurity startup Zerodium to hack the iPhone's iOS 9 operating system. In mid-September, Zerodium offered the reward to any individual or team that created and submitted an exclusive, browser-based "jailbreak" for the latest version of Apple's mobile operating system and the devices that run it.
The bounty was claimed over the weekend, according to Zerodium founder Chaouki Bekrar. Bekrar told Wired that the exploit developed by the hackers, who were not identified, will be given to one or more of Zerodium's customers. The company's client base includes technology and finance companies, defense contractors, and government agencies.
The contest required that the hackers carry out the winning exploit against iOS 9.1 or iOS 9.2 -- the latest versions of iOS 9 -- remotely, without any user interaction beyond reading a text message or visiting a Web site via Chrome or Safari on an iOS device. That meant uncovering not just one but a chain of previously unknown zero-day bugs in the OS, since a single bug is rarely enough to go from a web page to full control of the device. Although jailbreaks for the new iPhone have been discovered previously, they have not worked remotely.
No One Is Safe
We reached out to Rick Holland, an analyst at Forrester Research Inc., who told us that the overriding message of Zerodium’s bounty and the winning entry is that anything can be hacked if the hacker is determined enough.
"Anything that runs code is vulnerable and the potential economic gains dictate how likely the software is to be targeted," said Holland. "I don't think this bounty indicates there will be a major shift in cybercriminals targeting iOS; they have plenty of lower-hanging fruit that they can make significant returns on."
The contest, which closed at 6 p.m. EDT on October 31, offered a total payout of $3 million if more than one successful jailbreak was submitted. However, the winning team submitted its entry just hours before the deadline, Bekrar said.
To the Highest Bidder
The competition was unusual in that, unlike with other bug-bounty programs sponsored by such companies as Facebook and Google, Zerodium was never planning to share the details of the jailbreak with anyone but its clients. The company presumably will make its money back by selling the sensitive exploit information.
As a result, Zerodium said that it does not plan to report the vulnerabilities in iOS 9 to Apple. Bekrar said the company might share the details of the hack at some point in the future. The information won't be provided to the general public, but according to Bekrar the public still benefits from knowing that, while the security features of Apple's mobile OS are sound, it is not invulnerable.
Zerodium counts the National Security Agency among its clients. The NSA and other intelligence agencies have reportedly struggled to hack into iPhones to spy on their targets, and the FBI has also publicly complained about Apple's encryption. The exploit uncovered by this hacking team would presumably let those agencies sidestep the phone's security measures and get into their targets' iPhones to intercept calls, messages and data.
Recently, an anonymous former NSA employee told the Motherboard news Web site that $1 million is a good price to pay for the exploit submitted to Zerodium, because its resale value will presumably be much higher once the right customer is found.