Back in September, zero-day acquisition firm Zerodium made a very bold offer—a $1 million bug bounty for a browser-based, untethered jailbreak of Apple’s new iOS 9 mobile operating system. The $1 million prize represents that largest public bug bounty ever offered, and there was some speculation in the IT security world that it would never be awarded.
But the $1 million will be awarded, as at least one group of security researchers met Zerodium’s Oct. 31 deadline to exploit iOS 9.
“Two teams have been actively participating to the Zerodium iOS bounty. However, only one of them has been able to achieve a remote and full browser-based [untethered] jailbreak of iOS 9.1 and 9.2 beta,” Chaouki Bekrar, founder of Zerodium, told eWEEK. “The other team has a partial jailbreak, and they may qualify for a partial reward.”
Whether or not the second team will get a partial reward is still under discussion at Zerodium. As it turns out, the Oct. 31 Halloween deadline was a tight timeline for the security researchers. Zerodium has not publicly identified either group that submitted research for the Zerodium iOS bounty.
“The winning team submitted the exploits just a few hours before the expiration of the Zerodium bounty, as they have been working very hard to finish and polish the code until the last day,” Bekrar said.
Exploiting iOS 9 is not a trivial task as Apple has multiple levels of exploit mitigation and security sandbox hardening in place. No one single vulnerability alone can exploit iOS 9, but rather, Apple’s new mobile operating system can be beaten by what is referred to as an exploit chain of multiple vulnerabilities linked together.
As expected when Zerodium first announced the iOS 9 bug bounty, part of the exploit chain involves vulnerabilities in the WebKit browser rendering engine. Apple’s Safari makes use of WebKit as its rendering engine, while Google Chrome using Blink, which is a fork of WebKit. Typically, when iOS is exploited at hacking contests, including the Hewlett-Packard Zero Day Initiative (ZDI) Pwn2Own event, WebKit vulnerabilities are the root cause.
“The exploit chain includes a number of vulnerabilities affecting both the Google Chrome browser and iOS, and bypassing almost all mitigations in place,” Bekrar said. “The initial attack vector is affecting the WebKit/Blink engine.”
While the researchers have submitted their exploit chain, Zerodium is still extensively testing the exploit to verify and document each of the underlying vulnerabilities, according to Bekrar.
Zerodium is an independent, privately held company that started its operations in July. The Zerodium Security Research Feed (Z-SRF) is made available to Zerodium clients and includes security information about vulnerabilities as well as recommendations and protective measures.
“We will first report the vulnerabilities to our customers, and we may later report them to Apple,” Bekrar said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.