(If you found a security vulnerability, would you sell it for one million dollars? Just remember the going to hell part...)
Everyone wants to get rich building a company from scratch these days. And God bless them. Now-a-days anyone can be founder…and everyone qualifies as CEO. On a mission for them greens, entrepreneurs will market, scheme and scream for the chance to make a little scratch.
But that takes time. Maybe you don’t have that much time. Maybe you don’t want to spend the time finding the talent to put together the team it takes to be successful. Maybe you just want to sit home and figure out how to install a tweak on an iPhone running iOS 9 and still make a million bucks.
Apparently it is possible to do this.
ZERODIUM will pay out one million U.S. dollars ($1,000,000.00) to each individual or team who creates and submits to ZERODIUM an exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices.
Zerodium is a security start-up, started in July. Founded by Chaouki Bekrar (who sells zero-day exploits to Government intelligence agencies) of Vupen fame. Vupen makes millions of dollars from the insecurity of software, or software engineering ineptitude. Bekra brokers hacks from the hacker to the agency (example: NSA) and makes a profit from it. Obviously there is a component of lucre in this market or he wouldn’t be able to claim he has $3 million dollars laying around in wait for the mule who will sell to him what his customer will then producer from Bekrar.
You will be a millionaire by, at the latest, October 31 of this year.
You will probably go to hell.
iOS has been jail-broken…countless times. Each time the exploit is made public and the OEM (Apple in this case) will patch the vulnerability. These vulnerabilities are limited in number only if the code doesn’t change. When hacks get patched code gets changed and there is the possibility of exploiting another weakness
But Zerodium wants a specific method to be used, and they will pay $1 Million (three times) for the exploit to be disclosed to them exclusively. But you want to know what the stipulations are.
- ASLR (placing data in memory addresses randomly to mitigate prediction), Code signing (Apples method for verifying firmware installation), Rootless (a new jailbreak counter-measure from Apple) and bootchain (How Apple ensures only authorized software in installed) must all be defeatable.
- Has to be deployed from a webpage or SMS/MMS
- Must be achieved remotely.
There has never been a (publicly released) method to achieve code injection from SMS/MMS. However, one guy actually achieved a remote jailbreak a few years ago. An epic hack in its own right, but the level it was taken to Apple by the community was a bit apoplectic. Scores of videos featuring jailbreakers going to Apple stores and jail-breaking every device that “Jailbreakme” supported started popping up on YouTube. They would literally hack them in a matter of minutes. All of them.
- Slide to jailbreak
No one has been able to do it since. Nicholas Allegra (Comex) has achieved some pretty awesome exploits since then (like AppleWatch hacks), but a remote jailbreak deployed from a webpage using a browser has not been duplicated for iOS.
This is what Zerodium wants. An easy iOS exploit all packaged up and ready to go that is easy to use so some government civilian can follow 1 step without getting too confused.
Re-selling easy. Diabolical genius.
Well there you have it. We have become a society that is willing to pay money…a shit load of money…to someone who has the level of talent to compromise the security of a mobile device remotely. It’s not a new concept, Hacking for Cash. Hackithons are popular. Project Zero (Google) pays analysts to find exploits in their own code and their competitors products. Google will then patch the security holes in their code, and publicly announce the lack of security ‘they found’ in Microsoft and Apple code.
But this is the first time that I have seen a company put a bounty on iOS exploits with the implication (yes…I will connect the dots) that they will sell the exploit to an agency whose declared purpose is intelligence gathering. Zeroding would never know, or care to know for that matter, the causality of a foreign government having the ability to compromise your iPhone remotely, quietly and without the owners cognizance. I guess not having to stare at the wake left by the sale of ‘your product’ has its benefits.
If you add up all of the money iOS hackers have made from selling exploits to anyone, the current running tally is $0. In fact, every one of them made the decision to give the exploit to everyone for nothing. Each and every time a jailbreak exploit is packaged up and deployed for use, it goes to an iPhone or iPad user for the low, low price of free. That hacker, the guy credited with the exploit is usually assisted by other experts in the community…the iPhone Dev Team members and others…to get the exploit to iOS users reliably and in a way that it is easy to use.
That’s not to say they didn’t make any money. They definitely did. A lot of people make money from iOS jailbreak exploits. But they make money by selling tweaks and tools to the iOS community made possible because of the exploit and not from the direct sale of the vulnerability. Making the decision to give the jailbreak to the iOS community is the catalyst for an ecosystem that is based on hackers selling their own legitimate code. Much of this code has been appropriated by Apple and used in their own ‘official’ features of iOS.
iOS jailbreaks are worth far more than a million bucks to the community. Bekra should be ashamed for low-balling the value of an iOS jailbreak exploit.
The guy who comes up with the next remote hack for an iOS mobile device and has the complete lack of moral ethic needed to understand the consequence that his exploit will be re-sold and used by a government agency deserves two things:
- $1 Million
- His ass kicked