Team claims $1 million bounty for remotely jailbreaking iOS 9.1 & 9.2
An anonymous team has claimed a $1 million bounty for zero-day exploits in iOS 9.1 and the 9.2 beta, potentially allowing someone to jailbreak an Apple device over the Internet.

The bounty was offered by Zerodium, a startup marketing itself as the "premium zero-day vulnerability and exploit acquisition program." It was first announced on Sept. 21, but only claimed this weekend -- hours before it was set to expire, Zerodium founder Chaouki Bekrar told Motherboard.
Rules stated that the hack had to come through Safari, Chrome, or an SMS or MMS message. This is said to have made the bounty particularly complex, demanding a string of undiscovered bugs, and as late as mid-October two teams were blocked by the same problem.
The winning team used a combination of Chrome and iOS vulnerabilities to create a browser-based jailbreak, which is still being double-checked to make sure it meets the bounty's terms. Bekrar declined to offer any details about the technique, or whom he intends to sell it to.
Zerodium is reportedly geared toward selling to government customers, however, and its predecessor, VUPEN, previously counted the U.S. National Security Agency as a client.
That could mean the NSA and/or other government organizations will be able to circumvent iOS 9's security safeguards, such as full-disk encryption, and install eavesdropping apps or simply sabotage a device.
Bekrar suggested, however, that Apple will likely patch the related iOS holes in "a few weeks to a few months," and that the bounty is actually a credit to Apple's work.
"This challenge is one of the best advertisements for Apple as it has confirmed once again that iOS security is real and not just about marketing," he said. "No software other than iOS really deserves such a high bug bounty."
Remote jailbreaks have become a rarity with iOS, the last known technique being available for iOS 7.

Comments
Why can it not be jailbreak proof? Or are you referring to practically, rather than theoretically?
Not sure why they would boast about the hack if they couldn't actually do it, except great publicity, who knows if they have actually done it?
If they have, can they truly hack a remote phone, or do they need a local user to do something special first?
At the very least it appears they need Chrome installed. Not sure what else and what settings.
I caught that as well...and that should nicely limit it as I doubt many people will load Chrome on their iOS devices...
No device can be 100% jailbreak proof as long as it connects to the internet.
It's all about probability of a successful attack. At this point Android is 100x more vulnerable.
Not sure where you got that data. The links below seem to be some of the most detailed I could find.
I'm not trying to make a case that Android is more secure because there are certainly huge differences between the two platforms which relate to how quickly the exploits are patched, if ever, and the severity of the threat such as complete access versus partial, local versus remote and so on. In these records it appears that Android attacks are generally more serious, but there are several different circumstances to consider. Android being more fragmented with more old installations than iOS also contributes to overall lack of security, but just measuring in sheer number of incidents, iOS has had many more exploits over the years.
I think your 100x more vulnerable figure is another one of the numbers you just pulled out of thin air.
Android known exploits since 2009-05-26
Total = 138
https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html
iPhone known exploits since 2007-07-23
Total = 749
https://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-15556/Apple-Iphone-Os.html
I caught that as well...and that should nicely limit it as I doubt many people will load Chrome on their iOS devices...
Sadly, we had to load Chrome on our iPhones here because Chrome was actually more HTML5 compliant than Safari was. There is a bug in Safari that caused it not to work with bluetooth scanners whereas Chrome handled it just fine.
Who knows when Apple was going to address it. Sad. I expected better from Apple on this. I have the idea of having to use 3rd-party browsers on my iPhone.
No device can be 100% jailbreak proof as long as it connects to the internet.
It's all about probability of a successful attack. At this point Android is 100x more vulnerable.
Well, "vulnerable" is binary, not a scalar, when the motivation is high enough. All popular platforms have been compromised.
Hum. How is it Zerodium isn't a defendant in a suit by Apple?
Hum. How is it Zerodium isn't a defendant in a suit by Apple?
I think because jailbreaking is lawful according to federal regulators.
There was a fellow (on Ars?) who made an offhand guess that it required Chrome and commented that he would delete it immediately.
I hesitate to go back and see all the "I told you sos!"
It probably didn't involve Flash though.
I think your 100x more vulnerable figure is another one of the numbers you just pulled out of thin air.
Android known exploits since 2009-05-26
Total = 138
https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html
iPhone known exploits since 2007-07-23
Total = 749
https://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-15556/Apple-Iphone-Os.html
Of course Android isn't 100x as bad - it's just a joke.
Your source is not exactly accurate either. First you have the severity of the issue (as you mentioned). Then you have to look at how long it took before it was patched. And some issues could show up as multiple exploits but be caused by a single piece of code. Strictly looking at the number of exploits is a poor way to measure security (and one that happens to be very common on Android forums).
It's impossible to create software that's 100% bug free and secure. The single biggest safeguard against exploits is the ability to rapidly issue updates/patches to devices so any impact is minimized/prevented when an issue is discovered. And in this regard iOS (and Windows or Mac OS) are light years ahead of Android.
This single fact alone will prevent Android from ever being as secure as iOS.
I think because jailbreaking is lawful according to federal regulators.
Jailbreaking might be excepted from the DMCA but I doubt that means doing it without someone's permission. Which is what this is all about.
Many of the hacks and threats that have been found in the wild require the device to be jailbroken. Thus why they were looking for a way to do it without user permission, or at least knowledge permission. I'm sure I could find a way to trick someone into saying yes when it should be no with some carefully crafted social engineering.
100x isn't accurate either, I'd say it's a lot worse.
Is there a reason we should even believe this? Is everything you read on the Internet true?
I think because jailbreaking is lawful according to federal regulators.
I think you mean the Library of Congress believes that it is not a violation of the DMCA. Not sure that would mean much when it is clear that this company is inviting/inducing others to violate federal computer security statutes. The "anonymous" group likely is violating Apple's Terms of Service - and theoretically Zerodium has information of who they are. Start there, and watch the cockroaches scatter.
Huh? 3rd party browsers on iOS use the exact same rendering engine as Safari. Chrome is just a wrapper around the built in WebKit engine.
Interesting that Google code had to be installed on the device to create the security hole...
Now, if someone can crack a purely native device with no third party pieces installed, that would be big news.