On September 21, Zerodium, a firm specializing in the sale of zero-day exploits, announced that it would pay the biggest bug bounty ever offered, $ 1 million, to anyone who could remotely jailbreak the most recent version of the iPhone (iOS 9.1 and 9.2b). In other words, the company would pay this sum to anyone who could take complete, administrative control of an iPhone without coming into physical contact with it; something that many security experts believed was not possible. These experts concluded that it would take a number of zero-day exploits to accomplish this and that was asking too much.
Despite these misgivings, on November 2nd, one team was able to claim the award.
However, there are a number of questions that arise from this challenge.
- Where did Zerodium get $1 million dollars?
- Since Zerodium survives by selling zero-day exploits, who will they sell this to?
- Is there really a team that performed this feat or is this just a marketing ploy by Zerodium?
It could be that Zerodium already had a customer that would pay far more than $1 million for such an exploit. Some possible customers include the NSA and FBI who have repeatedly complained about iPhone encryption. As FBI director, James Comey, has stated,
“with Apple’s new operating system, the information stored on many iPhones and other Apple devices will be encrypted by default. Shortly after Apple’s announcement, Google announced plans to follow suit with its Android operating system. This means the companies themselves won’t be able to unlock phones, laptops, and tablets to reveal photos, documents, e-mail, and recordings stored within”.
Now, many of you reading this may think this to be a positive development. However, Comey’s opinion is that encryption is “the equivalent of a closet that can’t be opened. A safe that can’t be cracked. And my question is, at what cost?” He concludes that, “encryption threatens to lead all of us to a very dark place.”
Apple has given each user a separate key that the company cannot control. Thus, even if the government presented Apple with a court order to release its encryption key, it could not do so since each user controls that. Apple countered this criticism by saying that most people store data in ‘the cloud’ and the FBI can access this data legally. This, however, did not mollify the FBI which prefers to have access to individual devices. This tactical encryption move by Apple must certainly have angered FBI and NSA officials. Without a doubt, they would pay a lot (certainly more than $1 million) to get an exploit that would enable them to achieve administrative control of individual iPhones. Actually, the NSA has a $25 million budget dedicated solely to buying zero-day exploits. One million dollars for such a powerful exploit would be a bargain. Did the NSA or FBI ask Zerodium to help them find an exploit that would undermine this encryption? You’d have to ask Chaouki Bekrar, Zerodium’s somewhat shady founder. After all, he was also the founder of Vupen Security, a firm which began the idea of selling zero-day exploits and which had as its customers both the NSA and the German intelligence agency, BND.
Of course, there are others besides the NSA and FBI who would like such an exploit, but to pay the prices Zerodium will demand, these others would almost certainly have to be nation-states. Most private criminal organizations simply do not have this kind of money. Besides, Zerodium makes no secret that their customers are “government organizations in need of specific and tailored cybersecurity capabilities”.
You may think that Zerodium could sell the exploit to Apple to help it improve its security, but Apple is one of the few companies that don’t pay bug bounties. Zerodium may tell Apple the details of the exploit in the future, but it certainly cannot do so while those who bought the exploit are using it. That’s part of the deal. Why buy a zero-day exploit if everyone already knows about it and can mount a defense against it? It’s possible that the buyers will agree to a contract that gives them a certain amount of time to use the exploit, after which Zerodium can inform Apple and make it look like the company is performing a public service.
Some doubt that Zerodium will actually pay the million dollars to those who found this exploit. My guess is, however, that they will make more than enough from this exploit to easily cover the cost. In any event, at some point, the details of the exploit will become public knowledge, Apple will, then, patch their platform and it will be even more secure than ever. Some believe that being the target of history’s highest bounty will also be good advertising for Apple. After all, they must have good security if someone is willing to pay such a high price to circumvent it. However, the main beneficiary of this challenge will be Zerodium, whether they pay the bounty or not.
Zerodium is still looking to purchase exploits for its clients. Here are some that they are looking for, or at least these are exploits that some of their clients would like to have.
There are those who believe that this whole million dollar challenge was nothing but a publicity stunt. That is unlikely. I say this because all iPhones have been repeatedly jailbroken, usually by the same hacking teams. If I were to venture a guess, I’d have to say that the two leading contenders for developing this exploit are the Pangu hacking team or K33n (Keen) Team. Both are Chinese based hacking groups. It is also possible that they worked on this exploit together to get the prize. Coincidentally, both presented topics related to jailbreaking Apple’s iOS at POC2015 in South Korea; a conference which Zerodium helps sponsor.
Of course, Apple will go to work patching any vulnerabilities they may find in their system and might, by accident, patch those that were used to win this contest. If this is the case, we will then learn who won the million dollar bounty. This, however, could take weeks or even months. Unfortunately, we are unlikely to ever learn who Zerodium sold the exploit to. That would not be good for business.