Find a zero-day exploit to hack IOS 9 and win a $1m prize

Zerodium is an Exploit trader and it’s offering a million dollar prize to any person that finds zero-day flaws in iOS 9, and you can imagine the motivation.

Zerodium is an Exploit trader and it’s offering a million dollar prize to any person that finds unknown, unpatched bug in iOS 9 with the main purpose to jailbreak iThings.

Zerodium a startup of the popular French Security firm VUPEN, which is considered one of the most active firm in the trading of zero-day exploits.

The individual (or team) have to present a working exploit being able to do remote code execution on an iOS device via safari/chrome or by SMS/MMS, this is the condition to cash out the price.

The company added that the zero-day exploit/jailbreak “must lead to and allow a remote, privileged, and persistent installation of an arbitrary app (e.g. Cydia) on a fully updated iOS 9 device.”

The working zero-day exploit can combine other vulnerabilities to perform a jailbreak without the need of a reboot or a connection to an external device.

“The whole exploitation/jailbreak process should be achievable remotely, reliably, silently, and without requiring any user interaction except visiting a web page or reading a SMS/MMS (attack vectors such as physical access, bluetooth, NFC, or baseband are not eligible for the Million Dollar iOS 9 Bug Bounty. ZERODIUM may, at its sole discretion, make a distinct offer to acquire such attack vectors.).”

The exploit/jailbreak must support and work reliably on the following devices (32-bit and 64-bit when applicable):
     – iPhone 6s / iPhone 6s Plus / iPhone 6 / iPhone 6 Plus
     – iPhone 5 / iPhone 5c / iPhone 5s
     – iPad Air 2 / iPad Air / iPad (4rd generation) / iPad (3th generation) / iPad mini 4 / iPad mini 2

Since many people don’t mind do pay for jailbreaking their iDevices, there’s cash to be made with the jailbreak by packaging up the bug into a jailbreak tool, and after all you need is visit a specific page in your browser to initiate the installation.

Besides, a remote code execution is the technique to inject and execute malicious code in the people’s devices and take over them.

Normally the zero-day vulnerabilities discovered in iphone/iPAD are used to enable the device to be jailbreaked and only after Apple patches the flaws in their security updates.

Zerodium explained that they are willing to pay up to three bounties ($3m) for the program until October 31. The successful exploits also need to be able to run on iOS for iPhone 5 and later (including the iPhone 6S and 6S Plus), iPad Mini 2 and later, and iPad Air

“The whole exploitation/jailbreak process should be achievable remotely, reliably, silently, and without requiring any user interaction except visiting a web page or reading an SMS/MMS. Attack vectors such as physical access, bluetooth, NFC, or baseband are not eligible for the Million Dollar iOS 9 Bug Bounty,” states a blog post published by Zerodium.

The availability of such kind of exploit is very dangerous for the Apple communities, zero-day exploit can be sold by the Zerodium to its customers for users easy to imagine.

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – iOS 9, zero-day)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Canada ordered ByteDance to shut down TikTok operations in the country over security concerns

Canada ordered ByteDance to shut down TikTok operations over security concerns but did not issue…

6 hours ago

Critical bug in Cisco UWRB access points allows attackers to run commands as root

Cisco fixed a critical flaw in URWB access points, allowing attackers to run root commands,…

7 hours ago

INTERPOL: Operation Synergia II disrupted +22,000 malicious IPs

A global law enforcement operation called Operation Synergia II dismantled over 22,000 malicious IPs linked…

15 hours ago

Memorial Hospital and Manor suffered a ransomware attack

Georgia, a ransomware attack disrupted Memorial Hospital and Manor’s access to its Electronic Health Record…

17 hours ago

South Korea fined Meta $15.67M for illegally collecting and sharing Facebook users

South Korea fined Meta $15.67M for illegally collecting and sharing Facebook users' sensitive data, including…

1 day ago

Synology fixed critical flaw impacting millions of DiskStation and BeePhotos NAS devices

Synology addressed a critical vulnerability in DiskStation and BeePhotos NAS devices that could lead to…

1 day ago

This website uses cookies.