Some Hackers Just Made $ 1 Million Finding Remote Jailbreak of Running iPhone
The bounty was offered last month by Zerodium, a company that searches for, buys and sells zero-days – new vulnerabilities that haven’t been patched. And today he announced a winner on
– Zerodium (@Zerodium) November 2, 2015
But Zerodium didn’t say who won or how they did it. Whoever they are, they probably spent a lot of time trying to meet the stringent requirements of the Million Dollar Bounty: A remote attack that managed to take control of an iPhone through the Safari browser d ‘Apple,
Chaouki Bekrar, founder of Zerodium and famous zero-day hunter, did not respond to a request for comment. As with his previous exploits, some will worry about who ends up buying Bekrar’s iOS zero-days. Little is known about Zerodium customers. Bekrar previously sold primarily to governments and he doesn’t disclose issues to vendors, meaning the world at large is rarely told about the exploits he deals with.
Bekrar told FORBES that two teams submitted entries to the competition, but only one of them had successfully completed a “remote and fully browser-based” jailbreak for iOS 9.1 and 9.2. “The other team has a partial jailbreak and they could qualify for a partial reward (still under discussion),” he wrote via email.
“The winning team submitted the achievements just hours before the Zerodium bounty expired because they worked very hard to complete and polish the code until the last day.
“The exploit chain includes a number of vulnerabilities affecting both the Google Chrome and iOS browser, and bypassing almost any mitigation in place. The exploit is still extensively tested by Zerodium to understand each of the underlying vulnerabilities. “
The $ 1 million figure might sound like a lot, but it has long been known that the hardest to find flaws can bring in a lot of money. During research of the iOS jailbreak market, I have been repeatedly told that a stable iPhone exploit will be rewarded with $ 1 million or more.
However, some researchers are not very enthusiastic about making money from jailbreaking. Team Pangu, the only hacker team known to have jailbroken iOS 9, decided not to sell their findings (although they would not have qualified for the Zerodium bounty), nor to take sponsorship from a supplier of third-party app store, like Pangu and others have done before.