Team claims $1 million bounty for remotely jailbreaking iOS 9.1 & 9.2

Posted:
in iPhone edited November 2015
An anonymous team has claimed a $1 million bounty for zero-day exploits in iOS 9.1 and the 9.2 beta, potentially allowing someone to jailbreak an Apple device over the Internet.




The bounty was offered by Zerodium, a startup marketing itself as the "premium zero-day vulnerability and exploit acquisition program." It was first announced on Sept. 21, but only claimed this weekend -- hours before it was set to expire, Zerodium founder Chaouki Bekrar told Motherboard.

Rules stated that the hack had to come through Safari, Chrome, or an SMS or MMS message. This is said to have made the bounty particularly complex, demanding a string of undiscovered bugs, and as late as mid-October two teams were blocked by the same problem.

The winning team used a combination of Chrome and iOS vulnerabilities to create a browser-based jailbreak, which is still being double-checked make sure it meets the bounty's terms. Bekrar declined to offer any details about the technique, or whom he intends to sell it to.

Zerodium is reportedly geared toward selling to government customers however, and its predecessor, VUPEN, previously counted the U.S. National Security Agency as a client.

That could mean the NSA and/or other government organizations will be able to circumvent iOS 9's security safeguards, such as full-disk encryption, and install eavesdropping apps or simply sabotage a device.

Bekrar suggested however that Apple will likely patch the related iOS holes in "a few weeks to a few months," and that the bounty is actually a credit to Apple's work.

"This challenge is one of the best advertisements for Apple as it has confirmed once again that iOS security is real and not just about marketing," he said. "No software other than iOS really deserves such a high bug bounty."

Remote jailbreaks have become a rarity with iOS, the last known technique being available for iOS 7.
«134

Comments

  • Reply 1 of 78
    fallenjtfallenjt Posts: 4,053member
    Good luck with the remote jailbreak. I'm no longer believing in this. Since iOS 7, no remote jailbreak ever happened. 9.1? I doubt it.
  • Reply 2 of 78
    sog35 wrote: »
    No device can be 100% jailbreak proof as long as it connects to the internet.

    Its all about probability of an successful attack.  At this point Android is 100x more vunerable.

    Why can it not be jailbreak proof? Or are you referring to practically, rather than theoretically?
  • Reply 3 of 78



    Not sure why they would boast about the hack if they couldn't actually do it, except great publicity, who knows if they have actually done it?

    if they have, can they truly hack a remote phone, or do they need a local user to do something special first? 

  • Reply 4 of 78
    entropysentropys Posts: 4,152member

    Not sure why they would boast about the hack if they couldn't actually do it, except great publicity, who knows if they have actually done it?
    if they have, can they truly hack a remote phone, or do they need a local user to do something special first? 
    at the very least it appears they need chrome installed. Not sure what else and what settings.
  • Reply 5 of 78
    Quote:

    Originally Posted by Entropys View Post





    at the very least it appears they need chrome installed. Not sure what else and what settings.

     

    I caught that as well...and that should nicely limit it as I doubt many people will load Chrome on their iOS devices...

  • Reply 6 of 78
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by sog35 View Post

     

    No device can be 100% jailbreak proof as long as it connects to the internet.

     

    Its all about probability of an successful attack.  At this point Android is 100x more vunerable.


    Not sure where you got that data. The links below seem to be some of the most detailed I could find.

     

    I'm not trying to make a case that Android is more secure because there are certainly huge differences between the two platforms which relate to how quickly the exploits are patched, if ever, and the severity of the threat such as complete access versus partial, local verses remote and so on. In these records it appears that Android attacks are generally more serious, but there are several different circumstances to consider.  Android being more fragmented with more old installations than iOS also contributes to overall lack of security, but just measuring in shear number of incidents, iOS has had many more exploits over the years.

     

    I think your 100x more vulnerable figure is another one of the numbers you just pulled out of thin air.

     

    Android known exploits since 2009-05-26 

    Total = 138

    https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html

     

    iPhone known exploits since 2007-07-23

    Total = 749

    https://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-15556/Apple-Iphone-Os.html

  • Reply 7 of 78
    fallenjtfallenjt Posts: 4,053member

    Not sure why they would boast about the hack if they couldn't actually do it, except great publicity, who knows if they have actually done it?
    if they have, can they truly hack a remote phone, or do they need a local user to do something special first? 
    They need user's interaction by following certain commands to install the jailbreak package.
  • Reply 8 of 78
    sflocalsflocal Posts: 6,092member
    Quote:

    Originally Posted by Cyberzombie View Post

     

     

    I caught that as well...and that should nicely limit it as I doubt many people will load Chrome on their iOS devices...




    Sadly, we had to load Chrome on our iPhones here because Chrome was actually more HTML5 compliant than Safari was.  There is a bug in Safari that caused it not to work with bluetooth scanners whereas Chrome handled it just fine.



    Who knows when Apple was going to address it.  Sad.  I expected better from Apple on this.  I have the idea of having to use 3rd-party browsers on my iPhone.

  • Reply 9 of 78
    Quote:

    Originally Posted by sog35 View Post

     

    No device can be 100% jailbreak proof as long as it connects to the internet.

     

    Its all about probability of an successful attack.  At this point Android is 100x more vunerable.


     

    Well, "vulnerable" is binary, not a scalar, when the motivation is high enough. All popular platforms have been compromised.

  • Reply 10 of 78
    eightzeroeightzero Posts: 3,056member

    Hum. How is it Zerodium isn't a defendant in a suit by Apple? 

  • Reply 11 of 78
    mstonemstone Posts: 11,510member
    Quote:

    Originally Posted by eightzero View Post

     

    Hum. How is it Zerodium isn't a defendant in a suit by Apple? 




    I think because jailbreaking is lawful according to federal regulators

  • Reply 12 of 78
    mknelsonmknelson Posts: 1,118member

    There was a fellow (on Ars?) who made an offhand guess that it required Chrome and commented that he would delete it immediately.

     

    I hesitate to go back and see all the "I told you sos!"

     

    It probably didn't involve Flash though ;) 

  • Reply 13 of 78
    Quote:

    Originally Posted by mstone View Post

     

    I think your 100x more vulnerable figure is another one of the numbers you just pulled out of thin air.

     

    Android known exploits since 2009-05-26 

    Total = 138

    https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html

     

    iPhone known exploits since 2007-07-23

    Total = 749

    https://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-15556/Apple-Iphone-Os.html


     

     

    Of course Android isn't 100x as bad - it's just a joke.

     

    Your source is not exactly accurate either. First you have the severity of the issue (as you mentioned). Then you have to look at how long it took before it was patched. And some issues could show up as multiple exploits but be caused by a single piece of code. Strictly looking at the number of exploits is a poor way to measure security (and one that happens to be very common on Android forums).

     

    It's impossible to create software that's 100% bug free and secure. The single biggest safeguard against exploits is the ability to rapidly issue updates/patches to devices so any impact is minimized/prevented when an issue is discovered. And in this regard iOS (and Windows or Mac OS) are light years ahead of Android.

     

    This single fact alone will prevent Android from ever being as secure as iOS.

  • Reply 14 of 78
    charlitunacharlituna Posts: 7,217member
    Quote:

    Originally Posted by mstone View Post

     



    I think because jailbreaking is lawful according to federal regulators




    jailbreaking might be excepted from the DMCA but I doubt that means doing it without someone's permission. Which is what this is all about. 

     

    many of the hacks and threats that have been found in the wild require the device to be jailbroken. Thus why they were looking for a way to do it without user permission, or at least knowledge permission. I'm sure I could find a way to trick someone into saying yes when it should be no with some carefully crafted social engineering

  • Reply 15 of 78
    calicali Posts: 3,494member
    Android is no where near the security of iOS.

    100x isn't accurate either, I'd say it's a lot worse.
  • Reply 16 of 78
    Headlines tomorrow: "NSA and Apple have deal to install backdoors on iPhones running iOS 9. More after this commercial..."
  • Reply 17 of 78
    lkrupplkrupp Posts: 10,557member

    Is there a reason we should even believe this? Is everything you read in the Internet true?

  • Reply 18 of 78
    eightzeroeightzero Posts: 3,056member
    Quote:

    Originally Posted by mstone View Post

     



    I think because jailbreaking is lawful according to federal regulators


    I think you mean the Library of Congress believes that it is not a violation of the DMCA. Not sure that would mean much when it is clear that this company is inviting/ inducing others to violate federal computer security statutes. The "anonymous" group likely is violating Apple's Terms of Service - and theoretically Zerodeum has information of who they are. Start there, and watch the cockroaches scatter.

  • Reply 19 of 78
    payecopayeco Posts: 580member
    sflocal wrote: »

    Sadly, we had to load Chrome on our iPhones here because Chrome was actually more HTML5 compliant than Safari was.  There is a bug in Safari that caused it not to work with bluetooth scanners whereas Chrome handled it just fine.


    Who knows when Apple was going to address it.  Sad.  I expected better from Apple on this.  I have the idea of having to use 3rd-party browsers on my iPhone.

    Huh? 3rd party browsers on iOS use the exact same rendering engine as Safari. Chrome is just a wrapper around the built in WebKit engine.
  • Reply 20 of 78

    Interesting that Google code had to be installed on the device to create the security hole...

     

    Now, if someone can crack a purely native device with no third party pieces installed, that would be big news.

Sign In or Register to comment.