Find a Bug in iOS 9, Earn $1 Million

22 Sep 2015

$1 million bounty dangled for Apple iOS 9 exploits.

The market for unpatched vulnerabilities has grown so much that an exploit reseller is willing to pay $1 million for an attack that can compromise iOS 9 devices.

“Apple iOS, like all operating system[s], is often affected by critical security vulnerabilities,” Zerodium said in an announcement. “However due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple’s iOS is currently the most secure mobile OS.

“But don’t be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation,” the company continued. “And here’s where the Million Dollar iOS 9 Bug Bounty comes into play.”

Of the $3 million prize money, $1 million will go to each individual or team that creates and submits an “exclusive, browser-based, and untethered jailbreak” for iOS 9. Apple’s newest mobile operating system has only been available for a few days, but hackers are already being offered a hefty sum in exchange for finding a way to break it. Security researchers who can find a way to crack into iOS 9, the system that comes standard on all new iPhones and iPads, are now eligible to win $1 million. Zerodium says the initial attack vector must be a Web page targeting the mobile browser or any application reachable through the browser, or a text message delivered via SMS or MMS.

The process involves chaining together exploits for different vulnerabilities in the OS and its components in order to gain the highest possible privilege on the system—root access. Plus, the exploitation process should be achievable “remotely, reliably, silently, and without requiring any user interaction” except visiting a website or reading a message, Zerodium said.

Zerodium, a security startup that bills itself as an acquisition platform for software vulnerabilities, announced this week that it’s putting a bounty on the line for iOS 9 exploits. Most importantly, the jailbreak must work reliably on the iPhone 6s, 6s Plus, 6, 6 Plus, 5, 5c, and 5s, as well as iPad Air 2, iPad Air, fourth-gen iPad, third-gen iPad, iPad mini 4, and iPad mini 2. Recently we have seen something of a spike in Apple-related threats, so perhaps a bounty system that would encourage problem-spotters to disclose what they find rather than exploit it is a positive development. The program is open until October 31, and may be terminated prior to its expiration if the total payout to researchers reaches three million US dollars, says the company. The attack must be launched either through a Web browser or via text message, and must rely on “a full chain of unknown, unpublished and unreported vulnerabilities.” Zerodium was launched in July by Chaouki Bekrar, the founder of Vupen, a French exploit vendor that has previously held contracts with intelligence services run by the U.S. and German governments. “[T]here are many experienced researchers working on iOS exploits or stockpiling iOS zero-days for various reasons, and we believe that many of these talents will be attracted by the bounty and will definitely succeed,” Mr.

For example, the JailbreakMe.com website that ran between 2007 and 2011 allowed iPhone users to intentionally jailbreak their devices by simply pressing a button. Engadget, however, warns hackers to beware of Zerodium: founder Chaouki Bekrar has a history of selling exploits to the highest bidder, rather than disclosing issues to the manufacturer, according to the tech blog.

Exploits for older versions of Apple’s iOS operating system have previously been bought by vendors in the same business as Vupen and Zerodium for $500,000, The New York Times reported. Bekrar is the man behind the French hacking firm Vupen, reportedly involved in developing intrusion techniques for software with the aim of selling them to government agencies across the globe. Zerodium’s goal seems to be similar to that of Vupen, but instead of creating its own exploits, it acquires them from third-party researchers. “Zerodium extensively analyzes and documents all acquired vulnerability research and provides it, along with protective measures and security recommendations, to its clients as part of the Zerodium Security Research Feed (Z-SRF),” the company says on its website. Zerodium’s campaign, meanwhile, comes after Apple was forced to pull several apps from its App Store after legitimate apps were infected with malware.

The offer of $1 million, however, could provide enough incentive for some people working on public jailbreaks for the iOS community to sell them instead.
