
Somebody Just Claimed a $1M Bounty for Hacking the iPhone - bko
http://motherboard.vice.com/read/somebody-just-won-1-million-bounty-for-hacking-the-iphone
======
roymurdock
This is the business model of the company that put out the $1m bounty on the
remote iOS 9.1 and 9.2b jailbreak:

 _Bekrar and Zerodium, as well as its predecessor VUPEN, have a different
business model. They offer higher rewards than what tech companies usually pay
out, and keep the vulnerabilities secret, revealing them only to certain
government customers, such as the NSA._

Can anyone explain why iOS jailbreaking info would be worth more than $1m to
the NSA? Also, isn't it weird that we are funding the government's ability to
jailbreak iPhones? It's like a double slap in the face.

I would imagine that Apple would be willing to pay at least $5m (~0.000025% of
cash reserves) in order to buy the exploit and patch it in order to protect
their image as one of the last "good guys" in the fight against government
surveillance creep.

~~~
tshtf
Apple pays $0 for security bugs, of any severity. You probably won't even get
a lousy t-shirt.

They are kind enough to credit you by name on security updates.

------
Miner49er
Pretty unethical to claim this reward, IMO (if it actually happened and this
isn't just a publicity stunt). The people who claimed it had to know it was
going to be sold to government agencies (including potentially oppressive
countries that may use this to target activists). If they didn't care about
ethics, I wonder why they didn't just sell it themselves and cut out the
middle man?

~~~
s5edvvddd
Presumably you don't want to call NSA/Apple, tell them what a great hack you
did, and then ask them for One Million Dollars.

~~~
55555
Why not? Is it illegal to hack your own iPhone on a closed LAN? Do you have to
be a startup to negotiate with the NSA? I reckon it would be worth a try.

I'm not pro-surveillance, so I wouldn't, but speaking hypothetically here.

~~~
hatsix
Yes, it may be illegal. Tablets are always illegal to jailbreak. Phones are
illegal to jailbreak if it allows unlocking of the phone, and the phone was
sold before 2013. It IS legal to jailbreak your phone for the SOLE purpose of
accessing copyright information that you have legal rights to.

[http://arstechnica.com/tech-policy/2012/10/jailbreaking-now-...](http://arstechnica.com/tech-policy/2012/10/jailbreaking-now-legal-under-dmca-for-smartphones-but-not-tablets/)

------
DavideNL
I don't understand, if nobody knows what team hacked it, and nobody knows
anything about the actual exploits, or whether the payment was really made,
how can anyone prove this is actually real?

~~~
s5edvvddd
Article is based on the tweet:
[https://twitter.com/Zerodium/statuses/661240316331069443](https://twitter.com/Zerodium/statuses/661240316331069443)

Welcome to modern journalism.

------
0x0
I guess our only hope here, then, is that at least some of those who get
ahold of the exploit accidentally trigger a crash report and autosubmit it
to Apple so they can fix the bugs...

~~~
armitron
Obviously the logical assumption to make here is that this isn't the only
exploitable bug for this version of iOS. Many many more exist and are already
in the hands of various nation state actors, possibly even common criminals.

Look at the capabilities Snowden revealed, some of them read like SciFi and
NSA had them close to a decade ago. Do you seriously believe the NSA and any
other similarly well-funded actor _does not_ have multiple remote exploits for
iOS and if they just fix this one, everything will be alright?

There are other actors, not quite top-of-the-pyramid-NSA level, that would
gladly pay a million $ for this though, and this is where Zerodium is selling.

Your only hope is to assume that everything can be compromised and if you have
reason to fear said compromise (some would say do it even if you don't), come
up with a plan that takes that into account (risk analysis,
compartmentalization, segmentation, assumption of compromise).

------
Fastidious
Am I missing something, or is there no link to the claimed $1M bounty "press
release"?

I have been on the Zerodium page, and there are no indications that this has
happened. Vice.com says really nothing, other than repeating what the bounty
entails, and that some "unknown group of hackers" did it.

~~~
davidcollantes
I think it is a PR stunt, as I have not been able to find (other than the
tweet) anything on this.

------
samfisher83
Apple has a few 100 billion in the bank. Why don't they pay out some money for
the exploit?

~~~
armitron
Because it doesn't affect their bottom line aka they don't _have to_.

~~~
markwakeford
I can't imagine it will help their bottom line if we all wake up tomorrow to
Rick Astley on our background.

------
joshmn
I wonder what the party is like for these guys. Like, how do you celebrate
this?

