This past weekend, a team allegedly claimed a million-dollar prize for hacking into the new iPhone operating system.
The $1 million bounty was listed by a new startup, Zerodium, founded by Chaouki Bekrar, reported Motherboard. Hackers were given the challenge of remotely jailbreaking the latest versions of Apple’s mobile operating system, iOS 9.1 and 9.2b, on a new iPhone or iPad. Jailbreaking the device would allow the hacker to install any app they wish.
According to the terms of the challenge, the attack was required to go through Apple’s Safari browser, Google Chrome or a multimedia message. Patrick Wardle, a researcher at the security firm Synack, explained that challengers were forced to find a series, or chain, of unknown zero-day bugs. A zero-day vulnerability is essentially a hole in software, unknown to the vendor, that hackers could exploit before the manufacturer can fix it.
The winning team submitted their exploits a few hours before the Zerodium bounty expired. Bekrar said that the team had discovered a “number of vulnerabilities” in Chrome and iOS to bypass “almost all mitigations” that resulted in “a remote and full browser-based (untethered) jailbreak.”
Remotely jailbreaking iOS on an iPhone is incredibly difficult: no one has publicly done so for over a year, since iOS 7. Tech companies such as Facebook and Google typically hold contests offering prizes for hackers who discover vulnerabilities in their systems and disclose them to the company.
Bekrar is neither releasing the names of members of the team who won the million-dollar prize nor details of the exploits and vulnerabilities they found. The founder of Zerodium has also declined to state the asking price for this exploit.
The information behind this hack is especially valuable given that government agencies including the NSA and CIA have had difficulty hacking into iPhones. Apple has yet to comment, but Bekrar noted Apple will likely be patching bugs in “a few weeks to a few months.”