iOS exploit found, $1m bounty paid

Exploit broker Zerodium has awarded a $1 million bounty to a team that has uncovered a way to remotely jailbreak iOS 9 devices and bypass all exploit mitigation protections, and appears to be willing to sell the method to the highest bidders.

Zerodium tweeted this week that one winning team has developed a remote browser-based jailbreak for iOS 9.1 and 9.2b, winning a $1 million reward under the company’s bug bounty program.

The company, which bills itself as a “premium zero-day vulnerability and exploit acquisition” company, launched the bounty in September. The company offered to pay out a total of $3 million for iOS exploits and jailbreaks, including a $1 million prize for a browser-based jailbreak.

To be eligible for the prize, an exploit needed to allow for remote, privileged and persistent installation of an app, bypassing all exploit mitigations including code signing and bootchain. The exploit also could not rely on device tethering via Wi-Fi, Bluetooth, NFC or other methods.

Development of the exploit has led to the concern that governments will seek to acquire knowledge of the exploit to more effectively be able to spy on iPhone owners. Zerodium’s own website states that the company provides the results of its research to “government organizations in need of specific and tailored cybersecurity capabilities”.

Security specialists believe the exploit could be used to gain unauthorised access to a device’s camera or audio, as well as phone logs, SMS and application data.

The company said it also targets “major corporations in defense, technology, and finance, in need of advanced zero-day protection”.

News of the award of the bounty evokes the controversy over the exposure of Hacking Team’s involvement with selling malware, zero-day exploits and other such capabilities to foreign governments. Hacking Team fell victim to a massive data breach earlier this year, with over 400 GB of stolen documents leaked online.

It also follows the discovery of a series of exploits for iOS devices that threaten to shake the reputation of the platform as a more secure alternative to Android.

Last month, Palo Alto Networks announced the discovery in the wild of the first iOS malware that attacks non-jailbroken devices. The YiSpecter malware abuses private APIs to implement malicious functionalities, including the installation of malicious code from command and control servers and the download and installation of arbitrary iOS apps.

YiSpecter was itself discovered weeks after the public disclosure of XcodeGhost, a compiler malware designed to hide malicious code inside iOS and OSX applications. XcodeGhost used techniques originally developed and demonstrated by the US CIA, as revealed in documents leaked by whistleblower Edward Snowden.

In August, WeipTech and Palo Alto Networks uncovered an iOS malware designed to steal password from Apple accounts. The KeyRaider malware was found to have compromised over 2,250,000 accounts, with the passwords being stored on a server.

Research from Centrify conducted that month meanwhile indicated that unmanaged use of Apple devices is exposing companies to major liabilities. The survey showed that 45% of US workers were using at least one Apple device for work purposes, but more than half of these are protected only by weak passwords and only 28% have company-provided mobile device management software installed.

Image courtesy Apple