You are using an older browser version. Please use a supported version for the best MSN experience.

Zero-Day Merchant: $1 Million For Anyone Who Can Jailbreak iOS 9

Forbes logo Forbes 22-09-2015 Thomas Fox-Brewster, Forbes Staff

Is it a marketing ploy or an honest offer? Zerodium, headed up by one of the world’s best-known exploit dealers, told FORBES today it has a spare $3 million in its coffers for three researchers who can provide the firm with exploits for Apple's latest iPhones.

Specifically, Chaouki Bekrar, CEO of Zerodium and Vupen, wants to pay out $1 million each to those who can demonstrate a workable, remote and untethered jailbreak that will persist even after reboot. Jailbreaks see iOS exploited to the point that the user has total control over what they can install on the phone.

Bekrar told FORBES the company was paying such a high price due to the quality of security protections in Apple’s latest iPhone operating system. “iOS is the most secure mobile OS as of today… and Zerodium is buying all kinds of stuff, why not iOS?” The full rules, which include a stipulation that the jailbreaks must work on iPhone 6 or the iPhone 6s, can be found on Zerodium’s website. Applicants have to attack the phone via Apple’s Safari, Google’s Chrome browser or a text message – something only the most talented hackers will be able to achieve. They have until 6pm ET 31 October, Halloween, to submit their research.

© Apple CEO Tim Cook introduces the iPhone 6s during an Apple media event in San Francisco, California...

Bekrar also claimed the firm was paying out an astonishing $100,000 to $150,000 each week to researchers who’d disclosed exploits and zero-days – unpatched and previously-unknown vulnerabilities. “We have … paid for a fair amount of exploits in Internet Explorer, Chrome, Firefox, Flash, Office and Android,” Bekrar added. The firm offers most for mobile exploits – typically as high as $100,000 – whilst researchers can earn as much as $50,000 for browser hacks and up to $40,000 for attacks on Microsoft Office products. When researcher Joshua Drake disclosed the critical Stagefright zero-days in Google's Android, Bekrar said he would have paid $100,000 for the findings.

There have been no public disclosure of bounties, however. That’s largely because of its business model, which discloses vulnerabilities to paying customers only. Vendors of the affected products are not informed and flaws remain in their software, leaving users unprotected. Some don’t approve of that model. Vupen was once described by Chris Soghoian, principal technologist and senior policy analyst at ACLU, as “a modern-day merchant of death”.

Despite the criticism, the exploit market has only grown. The market for iOS vulnerabilities is particularly buoyant. In its own investigation, FORBES was told by scores of iPhone jailbreakers that the going price for such exploits was at least $1 million, possibly even higher. Chinese giants, including Alibaba, were inadvertently funding the jailbreak scene, which is especially fecund in China due to the vast number of third-party app stores.

If the ‘Million Dollar iOS 9 Bug Bounty’ is just a ploy for Bekrar’s youngest start-up to get some press (guilty as charged), he could be made to look rather unprofessional if he fails to pay up to researchers who discover a jailbreak and correctly disclose to Zerodium. Given its customers are said to be law enforcement, governments and major private companies, such a strategy would be unwise.

Regardless of who the buyer is, however, the $1 million race to hack an iPhone is well and truly on.

More From Forbes

image beaconimage beaconimage beacon