Hackers Claim Million-Dollar Bounty for iOS Zero Day Attack

A middleman for hacking techniques has announced a taker for its million-dollar iOS hacking bounty.

Hacking Apple's iOS isn't easy. But in the world of cybersecurity, even the hardest target isn't impossible—only expensive. And the price of a working attack that can compromise the latest iPhone is apparently somewhere around $1 million.

On Monday, the security startup Zerodium announced that it's agreed to pay out that seven-figure sum to a team of hackers who have successfully developed a technique that can hack any iPhone or iPad that can be tricked into visiting a carefully crafted web site. Zerodium describes that technique as a "jailbreak"—a term used by iPhone owners to hack their own phones to install unauthorized apps. But make no mistake: Zerodium and its founder Chaouki Bekrar have made clear that its customers include governments who no doubt use such "zero-day" hacking techniques on unwitting surveillance targets.

In fact, Bekrar tells WIRED that two teams of hackers had attempted to claim the bounty, which was announced in September with an October 31st deadline. Only one proved to have developed a complete, working iOS attack. "Two teams have been actively working on the challenge but only one has made a full and remote jailbreak," Bekrar writes. "The other team made a partial jailbreak and they may qualify for a partial bounty (unconfirmed at this time)."

Bekrar confirmed that Zerodium plans to reveal the technical details of the technique to its customers, whom the company has described as "major corporations in defense, technology, and finance" seeking zero-day attack protection as well as "government organizations in need of specific and tailored cybersecurity capabilities." Zerodium's founder also notes that the company won't immediately report the vulnerabilities to Apple, though it may "later" tell Apple's engineers the details of the technique to help them develop a patch against the attack.

According to the rules of the bounty offer made public in September, the iPhone attack must "be achievable remotely, reliably, silently, and without requiring any user interaction except visiting a web page" or reading a text message. Only two iOS web browsers were designated as fair game for the bounty: Google Chrome and Apple's own Safari. Bekrar didn't respond to a question from WIRED as to which of those two browsers the successful exploit had targeted. Apple hasn't yet responded to a request for comment.

Little is known about Zerodium, Bekrar's zero-day brokering startup that launched in July. But Bekrar has been more vocal about his older company Vupen, a hacking firm based in his native France that builds rather than buys zero-day attack techniques. Vupen has at times publicly flaunted that it doesn't help companies to patch the attacks it builds and sells to surveillance clients, including the NSA.

Bekrar has pointed to Vupen's policy of selling those hacking techniques only to NATO governments and "NATO partners." But civil liberties and privacy groups have nonetheless criticized Vupen for selling "the bullets for cyberwar." Google's security staffers have publicly argued with Bekrar and gone so far as to call him an "ethically challenged opportunist."

"Vupen doesn't know how their exploits are used, and they probably don't want to know," Chris Soghoian, the lead technologist at the ACLU, told me in 2012. "As long as the check clears."

Bekrar responds that this iOS exploit will "likely" only be sold to US customers. And more broadly, his two companies haven't been shown to be doing anything illegal—trading in intrusion software is generally not a crime, at least for now—hence his brazenly public bounty and payout announcement. "We planned initially to not release any information about the outcome of the bounty but we've decided to do it to inform the community about the security of iOS which is definitely very hardened but not unbreakable," Bekrar writes to WIRED. "Those who have any doubt about that may be surprised." Not as surprised, of course, as the iPhone users who could soon be the victim of a $1 million zero-day surveillance technique.