A well-known buyer and seller of zero-day vulnerabilities in popular software has posted a $1 million bounty for any security researcher who is able to provide a successful jailbreak of Apple Inc’s iOS 9.
Zerodium, which describes itself as “the premium zero-day acquisition platform,” has issued the bounty and says it is willing to put up $3 million for up to three of these jailbreaks, which need to be executable remotely. A jailbreak allows users to gain complete control over what software they can install on an iPhone, but the real value for Zerodium is in using the exploit in tools it sells to its customers, which are said to include governments and law enforcement agencies.
Zerodium is among a growing number of companies in the exploit market that purchase software bugs from researchers at top prices but don’t inform the companies that make the software, Apple in this case, so the bugs remain exploitable for longer. One such company was Hacking Team, which earlier this year gained notoriety when huge troves of its emails and source code were published online.
Dubbed the Million Dollar iOS 9 Bug Bounty, Zerodium’s campaign will be seen by many as a PR stunt, but the company said it was willing to pay such a high price due to the high level of security built into Apple’s platform:
“Apple iOS, like all operating systems, is often affected by critical security vulnerabilities, however due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple’s iOS is currently the most secure mobile OS. But don’t be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation, and here’s where the Million Dollar iOS 9 Bug Bounty comes into play.”
Zerodium said the bounty was aimed at experienced security researchers, reverse engineers and jailbreak developers, adding that it will pay out $1 million to each individual or team who “creates and submits an exclusive, browser-based and untethered jailbreak for the latest Apple iOS 9 operating system and devices.”
The jailbreaks will need to work on all Apple smartphones, including the iPhone 6s and iPhone 6s Plus, which go on sale on Friday, as well as remain working on the device after a reboot. The bounty program will remain open until Oct. 31 but will be closed if the total $3 million bounty has been paid out before that time.
Looking at the specific conditions of the bounty, Zerodium says the initial attack vector must be either a Web page targeting the browser in its default configuration, a Web page targeting any application reachable through the browser or a text message and/or a multimedia file delivered through an SMS or MMS.
The company said that if the vulnerability required physical access to the target phone, or Bluetooth or NFC connectivity, it would not be eligible for the $1 million reward. “The whole exploitation/jailbreak process should be achievable remotely, reliably, silently and without requiring any user interaction,” the company’s website reads.
Apple iOS security is seen as the gold standard in mobile, but just this week Apple has confirmed that it has removed apps from the App Store due to a breach of security that originated in China as hackers continue to look for weaknesses in the software.