Apple devices are widely considered extremely secure and hard to hack. But as the internet adage says, everything can be hacked—even the new iPhone.
Over the weekend, somebody claimed the $1 million bounty set by the new startup Zerodium, according to its founder Chaouki Bekrar, a notorious merchant of unknown, or zero-day, vulnerabilities.
The challenge consisted of finding a way to remotely jailbreak a new iPhone or iPad running the latest version of Apple’s mobile operating system iOS (in this case iOS 9.1 and 9.2b), allowing the attacker to install any app he or she wants with full privileges. The initial exploit, according to the terms of the challenge, had to come through Safari, Chrome, or a text or multimedia message.
This essentially meant that a participant needed to find a series, or a chain, of unknown zero-day bugs, not just one, according to Patrick Wardle, a researcher that works at security firm Synack. For example, the Chinese white hat hacking team Pangu already found a way to jailbreak the new iPhone, but that method didn’t work remotely.
In other words, it wasn’t an easy challenge. In fact, in mid October, Bekrar told Motherboard that nobody had claimed the prize yet, even though Zerodium was in contact with two separate teams working independently. But both, he said, were “stuck” and couldn’t get around the same hurdle.
“Making the jailbreak remotely triggerable via Safari or Chrome requires at least two to three additional exploits compared to a local jailbreak,” Bekrar told me via Twitter direct message, adding that he was mulling over the possibility of extending the challenge.
Eventually, however, one of the teams found a way.
“The winning team has submitted the exploits just a few hours before the expiration of the Zerodium bounty,“ Bekrar told Motherboard in an email.
Bekrar explained that the winning team found a “number of vulnerabilities” in Chrome and iOS to bypass “almost all mitigations” and achieve “a remote and full browser-based (untethered) jailbreak.”
If true, this is a considerable feat. No one had found a way (at least that’s publicly known) to jailbreak an iPhone remotely for more than a year, since iOS 7.
Many tech companies in the last few years, such as Facebook and Google, have launched bug-bounty programs, offering rewards to friendly hackers who find vulnerabilities and disclose them to the company so that they can get fixed. There are also several bug bounty middle men, such as HackerOne and Bugcrowd, who act as platforms for crowdsourced bug-hunting. (Apple does not offer a bug bounty program.)
Bekrar and Zerodium, as well as its predecessor VUPEN, have a different business model. They offer higher rewards than what tech companies usually pay out, and keep the vulnerabilities secret, revealing them only to certain government customers, such as the NSA.
Bekrar declined to identify the team that won the prize, as well as details about the exploits they found. He also declined to say how much he is planning to sell this exploit for.
But there’s no doubt that for some, this exploit is extremely valuable. Intelligence agencies such as the NSA and the CIA have run into problems when trying to hack into iPhones to spy on their targets, and the FBI has publicly complained about Apple’s encryption for months. This exploit would allow them to get around any security measures and get into the target’s iPhone to intercept calls, messages, and access data stored in the phone.
A source, who used to work for the NSA, told Motherboard a few weeks ago that $1 million is actually a good price for such an exploit, because “if you sell it to the right people” you can fetch much more.
Apple did not respond to a request for comment.
Some experts, in any case, were not surprised that somebody claimed the prize—although one researcher is skeptical that Zerodium will actually follow through on its promise. “Finding a suitable exploit isn’t shocking…seeing them actually pay out will be,” independent security researcher Jonathan Zdziarski, who has done research on Apple devices for years, told Motherboard in an email. “Isn’t the prize a million dollars? I’m not sure anyone really believes it until they see it. But props if they do.”
Bekrar said that Zerodium is still testing the vulnerabilities to make sure the exploit chain ”fully meets the bounty rules.”
He also added that Apple will probably patch this bugs in ”a few weeks to a few months” and that Zerodium customers now have a chance to learn about iOS’s security and ”make better decisions regarding the mobile devices that they’ll use (iOS vs Android) and they will better protect themselves.”
”This challenge is one of the best advertisement for Apple as it has confirmed once again that iOS security is real and not just about marketing,” Bekrar said. ”No software other than iOS really deserves such a high bug bounty.”
Wardle, the director of research at Synack, a firm that acts as a middleman connecting its customers to security researchers, said a few days ago that with every new release, Apple fixes “a ton of security issues,” which means Apple’s iDevices aren’t by their own nature impossible to hack.
“Apple’s OS isn’t necessarily more bug-free that other [operating systems],” Wardle told me.
And now, thanks to an unknown group of hackers, we know that’s true.