Zerodium offers hackers $1 million for Apple iOS 9 bugs

23 Sep 2015

$1 million bounty dangled for Apple iOS 9 jailbreak exploits.

Computer security firm Zerodium today offered a USD 1 million bounty to hackers who can find a way to breach Apple’s latest iOS 9 mobile operating system. The market for unpatched vulnerabilities has grown so much that an exploit reseller is willing to pay $1 million for an attack that can compromise iOS 9 devices. “Apple iOS, like all operating system[s], is often affected by critical security vulnerabilities,” Zerodium said in an announcement. “However, due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple’s iOS is currently the most secure mobile OS.” “But don’t be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation,” the company continued. “And here’s where the Million Dollar iOS 9 Bug Bounty comes into play.” Of the $3 million prize money, $1 million will go to each individual or team that creates and submits an “exclusive, browser-based, and untethered jailbreak” for iOS 9.

The public perception of the black-hat hacker is of a lone person sitting in a dark room creating malware, unleashing it on the world and reaping the profits of their exploit. Zerodium says the initial attack vector must be a Web page targeting the mobile browser or any application reachable through the browser, or a text message delivered via SMS or MMS. The process involves chaining together exploits for different vulnerabilities in the OS and its components in order to gain the highest possible privilege on the system: root access. Plus, the exploitation process should be achievable “remotely, reliably, silently, and without requiring any user interaction” except visiting a website or reading a message, Zerodium said.

Zerodium, a security startup that bills itself as an acquisition platform for software vulnerabilities, announced this week that it’s putting a bounty on the line for iOS 9 exploits. A few days after its release, the company has announced a million dollar reward to those who come up with vulnerabilities in Apple’s latest mobile OS, iOS 9. Most importantly, the jailbreak must work reliably on the iPhone 6s, 6s Plus, 6, 6 Plus, 5, 5c, and 5s, as well as the iPad Air 2, iPad Air, fourth-gen iPad, third-gen iPad, iPad mini 4, and iPad mini 2. Founder Chaouki Bekrar has a history of selling exploits to the highest bidder instead of disclosing the issue to the maker of the compromised product.

It then analyses the security data to help corporate and government agency clients beef up their online defences. “The strength of iOS is essentially based on layers of security that are individually vulnerable but extremely effective together.” Recently we have seen something of a spike in Apple-related threats, so perhaps a bounty system that would encourage problem-spotters to disclose what they find rather than exploit it is a positive development. It flies in the face of responsible disclosure of exploits by security researchers and means that anyone with enough cash will have the ammunition to ruin the digital life of anyone with an iPhone.

Unlike corporate bug-bounty programs that pay researchers to share exploits found in products so that a company can squash those problems, Zerodium doesn’t want these exploits closed. The attack must be launched either through a Web browser or via text message, and must rely on “a full chain of unknown, unpublished and unreported vulnerabilities.” Zerodium was launched in July by Chaouki Bekrar, the founder of Vupen, a French exploit vendor that has previously held contracts with intelligence services run by the U.S. and German governments. “[T]here are many experienced researchers working on iOS exploits or stockpiling iOS zero-days for various reasons, and we believe that many of these talents will be attracted by the bounty and will definitely succeed,” Mr.

For example, the JailbreakMe.com website that ran between 2007 and 2011 allowed iPhone users to intentionally jailbreak their devices by simply pressing a button. Lance Cottrell, chief scientist of security firm Ntrepid, told Engadget that these exploits are “almost certainly going to be used against people’s best interests.” That’s if the bounty is ever collected. Exploits for older versions of Apple’s iOS operating system have previously been bought by vendors in the same business as Vupen and Zerodium for $500,000, The New York Times reported. He is the man behind the French hacking firm Vupen, reportedly involved in developing intrusion techniques for software with the aim of selling them to government agencies across the globe. EDT, and may be terminated prior to its expiration if the total payout to researchers reaches three million U.S. dollars ($3,000,000.00).” We asked Apple, which offers a wall of fame spot for exploit finders rather than a cash reward, if it would like to comment on the bounty offer, but so far it hasn’t gotten back to us.

Its goal seems to be similar to that of Vupen, but instead of creating its own exploits, it acquires them from third-party researchers. “Zerodium extensively analyzes and documents all acquired vulnerability research and provides it, along with protective measures and security recommendations, to its clients as part of the Zerodium Security Research Feed (Z-SRF),” the company says on its website. Zerodium’s campaign, meanwhile, comes after Apple was forced to pull several apps from its App Store after legitimate apps were infected with malware. The offer of $1 million, however, could provide enough incentive for some people working on public jailbreaks for the iOS community to sell them instead. Bekrar doesn’t see any issues with how his company deals with exploits: “if morality is giving to a multi-billion dollar company such as Apple or Google advanced security research for free or for a ridiculous bug bounty, many researchers do not agree to follow such a morality.” Zerodium instead shares the exploits it purchases with its client base. While it won’t share that list or how much it charges for its wares, there’s a good possibility that some of the company’s inventory will end up in the hands of a government entity like the United States.
