Hackers Claim $1 Million ZERODIUM Bounty For Browser-Based iOS 9.1 Jailbreak
Apple's operating systems might be considered as some of the most secure on the planet, but as has been proven time and time again, nothing is bulletproof. Not even the company's latest iOS build, it seems. ZERODIUM, a firm that rewards those for finding unknown bugs, has just announced that a team has secured its rights to a bounty worth a staggering $1 million, or roughly the equivalent of 1,333x 16GB iPhone 6S Plus units. Speaking of which, if you are in the dark about what the 6S Plus brings to the table, check out our in-depth review.
In order to succeed in ZERODIUM's challenge, the attackers had to remotely exploit an iOS 9.1/9.2b device to install an app with full permissions. The initiator of this attack had to be done through Safari, Chrome, or a text message, which means that multiple vulnerabilities needed to be taken advantage of, not just one (that'd be a bit too "simple").
With this attack being confirmed, it does in fact mean that someone with the right skills could install malware with full permissions on your iOS device should you fall victim to a malicious text message or webpage. Given the massive prize here, though, it's clear that this attack is far from being an easy one to pull off.
Our iOS #0day bounty has expired & we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!
— Zerodium (@Zerodium) November 2, 2015One thing that makes this success interesting is that it's the first time someone (or a team) has been able to remotely attack an iOS device this way in over a year. All things considered, it's safe to say that iOS is still a very secure mobile OS.
So, how on Earth does a random company pay out $1 million for the rights to exploits? Companies like ZERODIUM work by keeping their exploits secret, exposing them only to the right customer - customers that of course pay much more than they did. It's an interesting business model, to say the least, and because of it, it means that Apple isn't going to be granted a peak, so these flaws will go unpatched until the company discovers the string of flaws itself, or buys the rights to the information from ZERODIUM - if it's even allowed to.
