
Million Dollar iOS9 Bug Bounty - FredericJ
https://zerodium.com/ios9.html
======
stirlo
I for one actually feel much more secure knowing that iOS is so secure that $1
million is considered the public value of an exploit. Vupen bought flash zero
days for $30,000 in the past so knowing that iOS exploits are now valued
enough to attract this kind of bounty makes me much more confident script
kiddies and scammers will not be able to afford to attack me. And let's face it,
we were never secure from the NSA in the first place...

~~~
MatekCopatek
This is purely market value. If iOS simply had less users, the price would be
lower. So I think your conclusion of it being more secure because of this is
incorrect.

About less people being able to afford it - this again depends on what
ZERODIUM intends to do with it. They may sell it for cheap and count on a
large number of sales because, again, iOS is so popular.

~~~
jgome
Did you read the announcement?

> Apple iOS, like all operating systems, is often affected by critical security
> vulnerabilities, however due to the increasing number of security
> improvements and the effectiveness of exploit mitigations in place, Apple's
> iOS is currently the most secure mobile OS. But don't be fooled, secure does
> not mean unbreakable, it just means that iOS has currently the highest cost
> and complexity of vulnerability exploitation and here's where the Million
> Dollar iOS 9 Bug Bounty comes into play.

BTW, I guess Flash is as popular as iOS9 (the Steam hardware survey used to
show that 99.9% of the Steam users had Flash installed), yet, as stirlo says,
they only paid up to $30k for Flash exploits.

~~~
MatekCopatek
I was replying to stirlo's deduction, which I felt was wrong, not the original
announcement.

You do make a great point with that Flash comparison, though.

------
Klathmon
I might be missing something, but has there ever been _any_ exploit (or string
of simultaneous exploits) for iOS or android which meets all the criteria?

It must be through a text message or web page, it must be remote, reliable,
silent, require no interaction, must be entirely comprised of 0-day exploits
throughout the whole chain, must affect multiple architectures and all
supported devices, and must bypass all security checks to allow full root
access.

~~~
captainmuon
You used to be able to jailbreak one of the first iPhones and install Cydia
just by visiting some page in Safari and clicking on a button, IIRC. I never
did this myself, so my memories might be inaccurate though.

~~~
SlashmanX
You're correct. jailbreak.me I think it was called

~~~
mbrd
It was always amusing to visit the Apple store and see a jailbroken iPhone on
display when this vulnerability worked.

------
tptacek
And all you have to do is sell your unicorn vulnerability to this company:

 _ZERODIUM customers are major corporations in defense, technology, and
finance, in need of advanced zero-day protection, as well as government
organizations in need of specific and tailored cybersecurity capabilities_

The offer to buy RCE in PHPBB/vBulletin is a nice touch.

~~~
Mahn
So, let me get this straight, this company is in the business of buying zero-
day exploits and selling them to corporations and government organizations.
How does this even exist? Is it legal? Can anyone buy and sell zero day
exploits with total impunity?

~~~
tptacek
Yes, they can.

------
eyeareque
A million bucks for a iOS 9 vulnerability sounds nice. But is that worth
having the death, imprisonment, or torture of possibly innocent people on your
conscience? If a government is buying these vulns, there is no telling what
they will do with them.

~~~
JabavuAdams
If you live in the US or Canada and voted for a recent government, this is
already on your conscience.

The realization that there's a dirty, dirty underside to our standard of
living seems to polarize people. Some dedicate themselves to helping. Some
conclude that the world is run by gangsters, so they might as well pick a gang
and profit. Most, either never realize or just decide that the problem is too
big and they should focus on their own little islands of comfort.

------
jjoe
Is this a Zerodium ad masking the politically incorrect PR of "zerodium has
0day exploits available for sale"? I mean how else would anyone advertise
availability of 0day without compromising their credibility? $1M per exploit
would sure get you lots of press.

~~~
camillomiller
Considering the strictness of the requirements, I can think of two options:

\- this is just a PR stunt, nobody will realistically deliver such a piece of
code before oct. 31st.

\- they know that someone in the jailbreak community is cooking something big
like that and they're trying to tempt them and acquire a very interesting
exploit before anybody else.

------
soared
"The whole exploitation/jailbreak process should be achievable remotely,
reliably, silently, and without requiring any user interaction except visiting
a web page or reading a SMS/MMS (attack vectors such as physical access,
bluetooth, NFC, or baseband are not eligible for the Million Dollar iOS 9 Bug
Bounty. ZERODIUM may, at its sole discretion, make a distinct offer to acquire
such attack vectors.)."

Can someone explain this part? Jailbreak from a website, sms, or mms seems ...
impossible. Has this even been possible with older jailbreaks?

~~~
moviuro
Stagefright (Remote Android code execution) does exactly that
[http://arstechnica.com/security/2015/07/950-million-android-phones-can-be-hijacked-by-malicious-text-messages/](http://arstechnica.com/security/2015/07/950-million-android-phones-can-be-hijacked-by-malicious-text-messages/)

~~~
TwoBit
Stagefright was not a rootable exploit.

~~~
saurik
Not alone, but as part of a chain of exploits (which is what most jailbreaks
are, and which is what this document expressly asks for), certainly it is: it
allows you to get arbitrary code execution on the device, which can be paired
with a kernel exploit (something that has been comparatively quite common) to
get root. I mean, this same argument can be said about the individual
components of JailbreakMe 2.0 and 3.0: the initial exploit in FreeType only
just barely got you the ability to run code as Safari within its even-at-the-
time relatively restricted sandbox: it was then paired with a kernel exploit
to finish the jailbreak. Zimperium actually did a demo on stage at BlackHat of
using Stagefright as the vector to push a privilege escalation (probably some
old kernel exploit; I think they said, but I don't remember) to the device,
and they have also posted a video of that process.

[https://www.youtube.com/watch?v=PxQc5gOHnKs](https://www.youtube.com/watch?v=PxQc5gOHnKs)

------
JoshTriplett
I have to wonder: what stops someone from selling the "exclusive" rights to an
exploit, waiting for the check to clear, and then disclosing it privately to
the vendor to get fixed?

~~~
hyperpape
Trust. That sounds funny, given that it's a grey market, but there were
excerpts from the Hacking Team email dump where they talked extensively about
which exploit providers were high quality, reliable, etc.

Someone absolutely can try and play games, but the people they sell to will do
their best to determine whether that's happening and penalize them.

------
ins0
_The exploit /jailbreak must support and work reliably on the following
devices (32-bit and 64-bit when applicable): \- iPhone 6s / iPhone 6s Plus /
iPhone 6 / iPhone 6 Plus \- iPhone 5 / iPhone 5c / iPhone 5s \- iPad Air 2 /
iPad Air / iPad (4th generation) / iPad (3rd generation) / iPad mini 4 / iPad
mini 2_

So did I read this correctly and the exploit must be backwards compatible in
order to get the full bounty?

~~~
stirlo
Seems to just be a list of iOS 9 supported devices...

~~~
ins0
Thanks. Makes sense. I was confused as it does not list devices that also support
iOS9 like the iPad mini 3.

~~~
zuck9
Nor the iPad 2 and iPhone 4s.

~~~
ck2
How well does ios9 run on a 1ghz dual-core/512mb device like the 4s?

~~~
zuck9
Worse than iOS 6/7, better than iOS 8.0

iOS 9 has the same performance as iOS 8.4

------
halestock
off topic, but wow it's really annoying that the site overrides your scroll-
speed settings.

~~~
nkrisc
It's terribly annoying. It also hijacks my ability to move forward/backward in
the browser by swiping my trackpad.

------
ck2
Has anyone tried a really long password ;-)

~~~
alexivanovs
_______

------
lawnchair_larry
Sounds like ios8 will be the last jailbreakable version. Shame.

~~~
userbinator
If the last 8 versions were jailbreakable I think this one will be too -
eventually - but it is certainly the case that devices are becoming more
secure both for and against their owners. The tension between freedom and
security is definitely increasing.

~~~
ikeboy
But who's going to release one publicly when they can get $1 million for not
doing so?

~~~
burkaman
You can only get a million for a really impressive jailbreak. If it involves
plugging the phone into your computer and downloading something, or even just
pushing a button, it doesn't qualify for this bounty.

~~~
ikeboy
Fair enough; but if you're a hacker looking for exploits, what do you search
for first?

------
fla
Saurik, you can do it ;)

------
myohan
What they're not telling you is finding this exploit entails NP=P. It sure has
the same bounty value on its head. jk

