HACKING APPLE’S IOS isn’t easy. But in the world of cybersecurity, even the hardest target isn’t impossible—only expensive. And the price of a working attack that can compromise the latest iPhone is apparently somewhere around $1 million.
On Monday, the security startup Zerodium announced that it’s agreed to pay out that seven-figure sum to a team of hackers who have successfully developed a technique that can hack any iPhone or iPad that can be tricked into visiting a carefully crafted web site. Zerodium describes that technique as a “jailbreak”—a term used by iPhone owners to hack their own phones to install unauthorized apps. But make no mistake: Zerodium and its founder Chaouki Bekrar have made clear that its customers include governments who no doubt use such “zero-day” hacking techniques on unwitting surveillance targets.
In fact, Bekrar tells WIRED that two teams of hackers had attempted to claim the bounty, which was announced in September with an October 31st deadline. Only one proved to have developed a complete, working iOS attack. “Two teams have been actively working on the challenge but only one has made a full and remote jailbreak,” Bekrar writes. “The other team made a partial jailbreak and they may qualify for a partial bounty (unconfirmed at this time).”
Bekrar confirmed that Zerodium plans to reveal the technical details of the technique to its customers, whom the company has described as “major corporations in defense, technology, and finance” seeking zero-day attack protection as well as “government organizations in need of specific and tailored cybersecurity capabilities.” Zerodium’s founder also notes that the company won’t immediately report the vulnerabilities to Apple, though it may “later” tell Apple’s engineers the details of the technique to help them develop a patch against the attack.
According to the rules of the bounty offer made public in September, the iPhone attack must “be achievable remotely, reliably, silently, and without requiring any user interaction except visiting a web page” or reading a text message. Only two iOS web browsers were designated as fair game for the bounty: Google Chrome and Apple’s own Safari. Bekrar didn’t respond to a question from WIRED as to which of those two browsers the successful exploit had targeted. Apple hasn’t yet responded to a request for comment.
Little is known about Zerodium, Bekrar’s zero-day brokering startup that launched in July. But Bekrar has been more vocal about his older company Vupen, a hacking firm based in his native France that builds rather than buys zero-day attack techniques. Vupen has at times publicly flaunted that it doesn’t help companies to patch the attacks it builds and sells to surveillance clients, including the NSA.