Hackers win $1 million bounty for iOS 9 remote hack

Pierluigi Paganini November 03, 2015

A team of hackers has received a million-dollar payout for disclosing a iOS zero-day vulnerability that could allow an attacker to remotely hack any Phone.

Bad news for the Apple users, a team of hackers have received a million-dollar payout for disclosing an iOS zero-day vulnerability that could allow an attacker to remotely hack any Phone running the latest version of iOS, i.e. iOS 9.

The unknown group of hackers has sold a zero-day vulnerability to Zerodium, the  Exploit trade company controlled by the security firm Vupen which is specialized in Buys and Sells zero-day exploits.

In September Zerodium offered a million dollar prize to any person that finds unknown, unpatched bug in iOS 9 with the main purpose to jailbreak iThings.

The company announced the payment of a working exploit being able to do remote code execution on an iOS device via safari/chrome or by SMS/MMS, it also added that the zero-day exploit/jailbreak “must lead to and allow a remote, privileged, and persistent installation of an arbitrary app (e.g. Cydia) on a fully updated iOS 9 device.”

The working zero-day exploit can combine other vulnerabilities to perform a jailbreak without the need of a reboot or a connection to an external device.

“The whole exploitation/jailbreak process should be achievable remotely, reliably, silently, and without requiring any user interaction except visiting a web page or reading a SMS/MMS (attack vectors such as physical access, Bluetooth, NFC, or baseband are not eligible for the Million Dollar iOS 9 Bug Bounty. ZERODIUM may, at its sole discretion, make a distinct offer to acquire such attack vectors.).”

The exploit/jailbreak must support and work reliably on the following devices (32-bit and 64-bit when applicable):
     – iPhone 6s / iPhone 6s Plus / iPhone 6 / iPhone 6 Plus
     – iPhone 5 / iPhone 5c / iPhone 5s
     – iPad Air 2 / iPad Air / iPad (4rd generation) / iPad (3th generation) / iPad mini 4 / iPad mini 2

Now it seems that someone has found the way to remotely hack the new IpPhone.

As I have explained several times the untethered jailbreaks allows users to gain root access to the operating system of the Apple devices allowing to bypass all the security features designed by Apple.

Jailbreaking a device is possible to install and execute software that could not otherwise be installed or run on that device, or to remove pre-installed software that could not otherwise be uninstalled.

ios 9

In the attack scenario described by the group of hackers, they are able to exploit a zero-day in order to perform a remote browser-based jailbreak. Experts speculate that the new zero-day works on the new iPhone 6 and iPhone 5 models, iPad Air 2 and Air, iPad 4 and 3, and the iPad mini 4 and iPad mini 2.

The bug hunters have found three flaws in iOS 9.x and Google Chrome that lead them to remotely hack any iPhone running iOS 9.x.

“No software other than iOS really deserves such a high bug bounty,” founder Chaouki Bekrar told Vulture South. “Our bounty required much more work than a classic jailbreak as it had to be remote and browser-based, so this required two to three additional zero-days compared to a public jailbreak.” “The exploit chain includes a number of vulnerabilities affecting both Google Chrome browser and iOS, and bypassing almost all mitigations in place.”

According to Bekrar, the winners submitted the zero-day exploit a few hours before the contest closed, there was also another team of hacker that reported a partial jailbreak and could gain a partial reward.

Actually the experts at Zerodium are testing the zero-day exploit, obviously only the Zerodium clients will have the access to the remote browser-based untethered jailbreaking, the company confirmed that the zero-day will not be disclosed in public.

“We will first report the vulnerabilities to our customers, and we may later report them to Apple,” Bekrar added.

Who are the clients of companies like Zerodium and Vupen? Which is the final use of such kind of zero-day exploits?

The exploits could be acquired by totalitarian governments that could use them for surveillance and to track opponents. An attacker could use them to install any application that could allow to track individuals, including spyware and surveillance software.

Apple users have no choice, the must hope that security experts at Apple will find the zero-day bug and will fix it before someone could exploit it in the wild.

[adrotate banner=”9″]


Pierluigi Paganini

(Security Affairs – Apple zero-day, hacking)

you might also like

leave a comment