Zero-day Dealer Zerodium has claimed that its iOS zero-day bug bounty program has gained a winner, a hacker who cracked iOS 9.1/9.2b, in an untethered and remote hijack, according to Zerodium.
Although Apple devices have traditionally been known to be notoriously hard to hack, the old adage goes “there’s nothing that cannot be hacked.” And so it proved to be true as Zerodium announced that a bug bounty program offered by the company for a million dollars has a winner.
Zerodium released a tweet to make the announcement:
Our iOS #0day bounty has expired & we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!
— Zerodium (@Zerodium) November 2, 2015
It has to be noted that Zerodium has not revealed the winners nor the means in which the hack was pulled by the bounty collector(s). The requirements were simple and yet daunting. A proof-of-concept remote hack was the demand. A remote hack that successfully exploited the iPhone by Apple’s own Safari browser, a text message, or Google’s Chrome. An additional caveat for the bounty also stated that the hack had to work on the iPhone 6 or 6S, the latest models of Apple’s flagship mobile devices. No previous phones were eligible.
Also read: iOS 9 Hackers Get a Million Dollar Bug Bounty Program
Forbes notes that Zerodium’s founder has been sought out for comment, to no avail. Zerodium, unlike Hacking Team, is discreet about the company’s customers. However, Zerodium founder Chaouki Bekrar has previously revealed that information has been sold to governments while the zero-day vulnerabilities or other holes open for exploits are not communicated to the companies developing the software.
The remote hack involved the challenge of exploiting the iPhone to allow the hacker to install any application onto the phone, with complete privileges.
This is far from an easy challenge as the only other successful exploit to jailbreak the iPhone was achieved by Pangu, a white-hat hacking team from China. Their exploit did not involve a remote hack.
Bekrar told Motherboard:
“Making the jailbreak remotely triggerable via Safari or Chrome requires at least two to three additional exploits compared to a local jailbreak.
The winning team has submitted the exploits just a few hours before the expiration of the Zerodium bounty,” he added.
Law enforcement agencies have publicly taken on Apple for the tech giant’s refusal to budge on its encryption policies. For the buyer, the exploit is likely to cost a whole lot more than a million dollars.