An anonymous team of hackers has been awarded a million-dollar bounty after successfully hacking Apple’s iOS 9.1 mobile operating system. The money has been paid out by Zerodium, a company that pays for security information and exploits, ready to sell them on to the highest bidder. It announced the competition — which it called The Million Dollar iOS 9 Bug Bounty — in late September, and confirmed it had a winner via its official Twitter account at the beginning of November.
According to Zerodium’s founder Chaouki Bekrar, speaking to Wired, there were two teams in the hunt for victory, but only one came up with the real deal. The company was looking for something far beyond the publicly available jailbreak methods, requiring a remotely executed, browser- or SMS-based hack that would result in the “remote, privileged, and persistent installation of an arbitrary app.”
However, while this sounds innocuous, Zerodium will go on to sell the hack to its customers, which apparently include technology companies, financial institutions, and defense corporations. Government agencies are also mentioned as Zerodium clients. Bekrar says he expects to sell the new iOS hack to a U.S. customer. While such exploits could be valuable to companies wanting to ensure their own devices are highly secure, they could also be equally valuable to those interested in illicit surveillance.
There’s little chance of the vulnerabilities being fixed by Apple in the very near future, at least off the back of this competition, because Zerodium has no intention of informing Apple of the methods used at this time. It may do so at a later date, but certainly not before its big payday. If you’re wondering, while ethically questionable, Zerodium and its clients aren’t doing anything illegal. The million-dollar bug hunt bounty competition is therefore unlikely to be the last of its type, given the obvious financial benefit to all involved.