Zero-Day exploit acquisition firm, Zerodium, is offering a million dollars to anyone who can find or create a security exploit in iOS9. The security exploit is required to jailbreak iOS.
The unpatched vulnerabilities market has grown a lot in the recent years. While there is money offered for finding exploits in different OSes to improve security, Zerodium wants to keep the whole process a secret from the rest of the world and the manufacturers. The firm also requires exploits for other Apple devices and has a total of $3 million on offer for any flaws that it deems useful. Partial exploits are also included in the offer but will not be subject to the Million Dollar Bounty.
What is Jailbreaking?
Jailbreaking is the process of bypassing security in an iOS device to install applications that aren’t offered through Apple’s app store and aren’t authorised. In other words, it allows the ability to gain root access.
What’s Needed to Get the Million Dollar Bounty?
The firm requires an “exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices”. Zerodium’s bounty page also states ““Eligible submissions must include a full chain of unknown, unpublished, and unreported vulnerabilities/exploits (aka zero-days) which are combined to bypass all iOS 9 exploit mitigations including: ASLR, sandboxes, rootless, code signing, and bootchain”.
It also wants the exploits not to trigger any alarms in the OS, work reliably and only require visiting a web page or receiving a message. After a hacker has found the exploit they will be required to send a detailed explanation over an encrypted email and would be bound not to tell anyone about any of the vulnerabilities.
iOS security has grown much more complex over the years so the process of jailbreaking, which used to be simple, has become a sizable task
Apple’s iOS was hackable using just a webpage from 2007 to 2011 and users used a popular website for doing so but in recent years the OS has improved in security rendering the old ways useless.
The jailbreak process will require hackers to chain multiple security loopholes to bypass different OS restrictions and security alarms to gain the highest possible control over the system. While the process of finding security bugs is good if sent to the OEM, it can be very dangerous if used by government agencies or hackers.
What Will Zerodium Do With the Jailbreak?
Zerodium is the kind of firm that will acquire these jailbreaks and security loopholes and sell them to governments and their agencies. An iOS9 jailbreak is estimated to sell for around $300,000 when bought by a government agency, defense departments and the tech industry. The need for zero-day exploits by such corporations is easy to guess. There are several other firms like Zerodium who are already hard at work on finding similar loopholes in mainstream devices.
When Will the Bounty End?
The bounty will run until the 31st of October and could also finish earlier if their goals are met or if the $3 million amount gets used up for other Apple exploits.
