Zerodium To Pay $1 Million For Exploit That Breaks iOS 9's Enhanced Security

Zerodium, a zero-day vulnerability company that specializes in buying and selling exploits, announced that it will offer a record-breaking $1 million for a full iOS 9 browser-based exploit delivered to it by October 31. The company will be able to offer up to three such prizes for a total of $3 million.

Zerodium was created by Chaouki Bekrar, the founder of VUPEN, a company akin to the Hacking Team, which created its own exploits and then sold them to the highest bidder (even if that was a country that often uses such exploits to violate human rights).

After the Hacking Team hack and all the media and political attention that came with it, the founder of VUPEN decided to focus on only buying and selling premium exploits instead of developing them.

His new firm, Zerodium, now wants to focus on getting unique iOS 9 exploits and is willing to pay $1 million for up to three such exploits. The amount is 10 times more than what the company usually pays for a mobile vulnerability.

The reason Zerodium is willing to pay this much is in part because it must have also realized it would garner much attention from zero-day vulnerability developers, but also in part because iOS 9 comes with many security enhancements and patches, which make it much harder to exploit.

The company had the following to say about its motives for the new exploit prize:

“Apple iOS, like all operating systems, is often affected by critical security vulnerabilities, however due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple's iOS is currently the most secure mobile OS. But don't be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here's where the Million Dollar iOS 9 Bug Bounty comes into play."

Zerodium wanted an exploit that can beat the iOS 9 zero-day mitigations such as ASLR, sandboxes, rootless, code signing and bootchain. It also wants it to work on the latest version of iOS 9 at the time of delivery, and it should be able to allow installation of an arbitrary app such as Cydia.

The company also required that the exploit worked silently, without any interaction from the user other than loading a web page in Safari or Chrome, or receiving a media file in an SMS or MMS.

The announcement should get malware developers' attention, but also that of the media and governments, which are already working on an arrangement to increase the limitations they put on those who work with security vulnerabilities (which can also lead to negative consequences).

If Zerodium is willing to pay up to $3 million for three zero-day iOS 9 exploits, that could also mean that it already has one or multiple buyers that are willing to pay them back even more for these exploits. The likely candidates could be either other governments or criminal organizations.

The NSA, for instance, is known for buying such exploits regularly, and was even willing to pay "billions" for something that could break into Skype's former ultra-secure P2P architecture a few years ago. Of course, since then, Microsoft has already completely replaced Skype's P2P architecture with one that is more centralized and more mobile-friendly, but also more wiretap-friendly.

Now that Zerodium has made this announcement, it could also make Apple's security engineers even more vigilant about the security architecture of iOS, and they may work even harder to fix whatever flaws it may have left in it. The data of hundreds of millions of iOS 9 users could be at risk.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • derekullo
    The even scarier side to this is they don't ask for Microsoft Edge based exploits.

    This gives the impression that either they already have enough Edge exploits to sell or that they are so many exploits in Edge that it is not worth trying to sell.
    Reply
  • bookwormsy
    The even scarier side to this is they don't ask for Microsoft Edge based exploits.

    This gives the impression that either they already have enough Edge exploits to sell or that they are so many exploits in Edge that it is not worth trying to sell.
    The even scarier side to this is they don't ask for Microsoft Edge based exploits.

    This gives the impression that either they already have enough Edge exploits to sell or that they are so many exploits in Edge that it is not worth trying to sell.

    Or because Microsoft Edge isn't available on iOS 9?
    Reply
  • chicofehr
    It would be great if ransomeware could be made that works on iphones that are not jail broken. I don't like iphones if you want to know.
    Reply
  • agentbb007
    16662475 said:
    The even scarier side to this is they don't ask for Microsoft Edge based exploits.

    This gives the impression that either they already have enough Edge exploits to sell or that they are so many exploits in Edge that it is not worth trying to sell.
    Or Google Chrome, or Firefox why pick on MS Edge? I think they are targeting iOS 9 so the obvious choice of attack is the default browser iOS 9 uses.
    Reply
  • derekullo
    Every new windows 10 computer will have Microsoft Edge.

    Therefore you already have a growing population base.
    Reply
  • royalcrown
    IT WOULD BE GREAT IF SUPPORTING RANSOMWARE MAKES YOU A DOUCHE BAG.

    It would be great if ransomeware could be made that works on iphones that are not jail broken. I don't like iphones if you want to know.
    Reply