$1M Bounty for iPhone Hack

I don't know whether to believe this story. Supposedly the startup Zerodium paid someone $1M for an iOS 9.1 and 9.2b hack.

> Bekrar and Zerodium, as well as its predecessor VUPEN, have a different business model. They offer higher rewards than what tech companies usually pay out, and keep the vulnerabilities secret, revealing them only to certain government customers, such as the NSA.

I know startups like publicity, but certainly an exploit like this is more valuable if it's not talked about.

So this might be real, or it might be a PR stunt. But companies selling exploits to governments is certainly real.

Another news article.

Posted on November 3, 2015 at 2:31 PM • 25 Comments

Comments

Kai Howells • November 3, 2015 2:53 PM

At this stage they've received so much publicity for it that their name will be mud if they don't follow through and pay out. Their only wiggle room seems to be if the exploit "fully meets the bounty rules".

There's also the unnamed source "who used to work for the NSA" who said that paying out $1M for such an exploit isn't so unbelievable as you can sell it to "the right people" (presumably three-letter agencies or foreign nation states) for much more.

Still, it will be interesting to see where it all goes from here, and how quickly Apple get on to patching it.

Alien Jerky • November 3, 2015 3:30 PM

Might be a shell company from Apple so they can grab the exploit without anyone knowing about it.

Ryan • November 3, 2015 3:42 PM

I think this feels more like an attempt to draw attention to the fact that researchers aren't always 'good guys', and that selling 0days to interested parties is an activity that has gone on unchecked for some time. Many of us already know this type of thing happens, but putting this type of activity in the limelight may actually be a good idea.

ianf • November 3, 2015 3:59 PM

@ Alien Jerky

It's possible, but such a scenario hangs on Apple's software managers AND engineers, each a Master of the Universe in its own patch, being mature enough to distrust themselves as a matter of principle, rather than in response to some emergency. For that reason alone I simply can not see it.

The fact that we're even talking about it may also mean that (a) it's a publicity stunt, there's no $1M to be had; (b) the exploit exists, but has a limited "critical mass," or "sell-by" date, after which it'll lose all its value, so the company tries to maximize that.

Confused • November 3, 2015 4:26 PM

Am I missing something obvious here?

Why don't the 3/4 letter agencies (through a suitably non-connected government department) purchase the vulnerabilities directly from security researchers? The added benefit is that they could request the researcher to sign an NDA thereby preventing it being sold to others.

There was an advert from the US Government (I think) a while ago, promptly removed when made public, offering to pay for such vulnerabilities.

$1M seems inconsequential considering the benefit the 'agencies' will gain from it.

Clive Robinson • November 3, 2015 4:52 PM

Ask yourself the question of "How much bad publicity is this for Apple and those of their customers with secrets to be kept?"

I can think of several people who would happily pay $1M to damage customer confidence in Apple's security. It's cheap for the level of negative publicity Apple's getting by the supposed payout.

However it raises an interesting thought. Apple are currently fighting a court case launched by the DOJ's federal prosecutors in NY to force Apple to "provide assistance" to unlock an iPhone belonging to a person who has pleaded guilty on drugs charges.

Apple is fighting the case, and the judge appears none too impressed with the DOJ federal prosecutors in NY.

If there really is a break then it leaves Apple in an awkward position with some of their customer base. However if it's said there is a break, Apple can say they have no knowledge of what it is, which is probably true, and ask that perhaps the DOJ should go to this company to get the assistance they require...

All in all, the timing of things, whilst not beyond the bounds of coincidence, does look a little odd...

Sancho_P • November 3, 2015 5:10 PM

“... They offer higher rewards than what tech companies usually pay out, and keep the vulnerabilities secret, revealing them only to certain government customers, such as the NSA.”

Nowadays capitalism only exists in the shade of law.

Unfortunately monopolies lead to system collapse.
But it’s too late to restore capitalism in business, the cat is out of the bag.

David • November 3, 2015 7:24 PM

Assume it's correct even if hard to believe up front.

Apple software can be exploited remotely on iPhone.

http://appleinsider.com/articles/15/11/03/team-claims-1-million-bounty-for-remotely-jailbreaking-ios-91-92

Jail-broken, open to malicious installations, installations of many kinds that could take many forms.

Code that can be remotely loaded, perhaps as invisible root kits designed to do the following silently after creating a hidden partition for storage, something that doesn't at all interact with the application layer iOS:


https://www.youtube.com/embed/xfVOjxQzoGs?autoplay=1&FORM=VIRE1&MID=2500&PC=APPL


http://www.idownloadblog.com/2012/06/18/display-recorded-app-store/


Creating compressed files that can be harvested later via cellular network, wireless, Blue-tooth, even via iTunes.


Every password and username on an iOS device typed character by character and saved in a nice easy to watch movie. (Android isn't that much more secure, I'd say less - but I am not enough of an expert to say that without proof.)


Banking passwords, check.


Cloud storage passwords, check.


Email passwords, check. (Now I can change your other passwords and confirm them all. I even know all of your other on-line sites if you store them in your email).


You have been pwned.


But I won't do anything with it until I can make the biggest financial or malicious strike.

It's time to rethink single factor username and password combinations on devices where keyboards are displayed. All Clear ID has a good system of two factor authentication. It's time for the rest of the world to catch on. You actually have to have your cell phone and your computer together to authenticate to this site. Much harder to break.


https://www.allclearid.com/

Note: I am not affiliated with All Clear ID.

Sasparilla • November 3, 2015 8:02 PM

@David
"(Android isn't that much more secure, I'd say less - but I am not enough of an expert to say that without proof.)"

They're all going to be open somewhere, although Apple has certainly been working to lock things down since Snowden brought so much into the light (this was a big change from the iOS6 & earlier days where multiple companies existed that sold methods to remotely compromise iOS devices). Apple making encryption on by default in iOS 8 / 9 has really torqued off the world that assumed they could just look (& copy) at everyone's iOS smartphone details whenever they wanted.

It's interesting to note that in the Hacking Team archive, Hacking Team had multiple remote options listed to compromise the (then latest) version of Android (devices), but iOS 8 devices required physical access to the hardware to compromise (surely there are vulnerabilities there but Hacking Team didn't have them and couldn't obtain them at that point).

Supposedly the British are writing a law to require back doors for smartphone vendors. Apple & Google should literally stop the sale of all handsets on the islands, eat the potential loss, then sit back and enjoy the show as the British Surveillance Apparatus watches everyone go to the continent to get secure phones.

G is for Goodboy • November 3, 2015 9:49 PM

"I can think of several people who would happily pay $1M to damage customer confidence in Apple's security. It's cheap for the level of negative publicity Apple's getting by the supposed payout."

I doubt they have to pay anything to accomplish that. I'm not a user of MacOS, but the quality of iOS has really gone down the can with every new generation. IMHO, this is mostly caused by the fact that they are adding nuts and bolts to make iPhones feel like a computer instead of like a classic cellphone. The screens are getting wider and the phones are able to do more in the background.

If you're a cyber insurance corp, $1M seems like a cheap price to pay compared to potential payouts caused by compromised Apple products caused by it.

Andrew • November 3, 2015 11:36 PM

@Confused
Any sane, rational person in this world with a minimum of information at their disposal cannot believe that big brands are separated from information services and want to keep them away.
How naive can someone be to believe any operating system, phone, or chip is built without backdoors?
The vulnerabilities market is for small private Italian companies; the encryption masquerade is actually "let's forbid the Chinese to spy upon us, so only we can do this", while they keep scanning and recording everything you say/do/search.

Sam • November 4, 2015 7:18 AM

@Sasparilla

> Supposedly the British are writing a law to require back doors for smartphone vendors.

This has apparently been dropped, and Ars speculates that it was known by all to be completely dumb and infeasible from the beginning but was just there to generate public outrage and get dropped. Then the bill could be seen as a "compromise", and merely force the collection, storage and eventually inspection of every user's web browsing history going back 12 months.

http://arstechnica.co.uk/tech-policy/2015/11/uk-government-apparently-backs-down-on-snoopers-charter-gracious-or-mendacious/

Dirk Praet • November 4, 2015 9:00 AM

@ Sam, @ Sasparilla

> Then the bill could be seen as a "compromise", and merely force the collection, storage and eventually inspection of every user's web browsing history going back 12 months.

I don't think you get it. It's much more than that. Not only does it officially legalise what GCHQ & co. have been up to for years, it also de facto bans end-to-end encryption. Time for Britain to leave the EU and join the US as its 51st state. But Scotland is still very welcome once they become an independent nation.

Who? • November 4, 2015 10:57 AM

In case this startup wants to pay $1M USD for each unpublished big security flaw in the iOS operating system they will declare bankruptcy very soon. There is not enough money in the U.S. to support this deal.

Seriously, doing research on security flaws that will remain unpatched --ideally forever-- is not the right way to improve cybersecurity. This is the very reason I do not trust U.S.-based corporations, nor closed source "security tools" either: their idea of computer security is sickish.

Just passin' thru • November 4, 2015 1:28 PM

So Zerodium paid someone for an iPhone zero-day?

Some above suggested that they would resell it to a 3 letter agency, but I don't think so.

I would suggest that:
(1) Zerodium was penetrated by the NSA (at least) a long time ago
(2) Even if Zerodium wasn't penetrated, the recent revelations of ssh & https attacks suggest any communications with them were prioritized by the NSA and decrypted

Given this, the NSA won't have to pay for the zero-day, but maybe the FBI might.

Of course, sales to others (e.g. foreign countries) will be monitored by the NSA, and possibly also who those countries are interested in penetrating.

TomTrottier • November 4, 2015 5:29 PM

Steve Gibson on the podcast Security Now says that apps programmed in Objective C can't be vetted by Apple to ensure they do not access security (or any) related handles in the system, and that many apps already spy on users for commercial reasons, and that this has been true since the beginning of iOS.

Allen • November 5, 2015 4:19 AM

@ Sancho_P "Nowadays capitalism only exists in the shade of law."

Interesting comment. When it comes to monetization of security, look no further than Fire Eyes, top company, top peoples, and the good scoop. However, as with every trade there's a buy and a sell side. Furthermore, monetization and securitization goes further into the equations as many more parties get involved in the overall scheme. It only takes so long for the sell side to make its mark.

@ Who? "In case this startup wants to pay $1M USD for each unpublished big security flaw in the iOS operating system they will declare bankruptcy very soon."

I suspect the dollar figure has more to do with buying the free press that comes along with it for the payer. The hack may be worth 500K and the free press it attracts worth another 500K. Something like that?

Sancho_P • November 5, 2015 5:42 PM

@Allen, re my ”Nowadays capitalism only exists in the shade of law.”

Um, not sure if we are thinking about the same issue?
For decades our “lawmakers” (what a funny term and profession) tweak the slowly evolved, existing rules (from morals, constitution, human “rights”, common sense, ethics, cultural / religious / historic influence, …) .
They do it on a daily basis, because it’s their job, thus producing more and more laws, similar to endless economic growth (a Ponzi scheme).

Now I’ll jump over everything that can be summarized by “bribery” to the reality that they (also) need factual input from reputable “experts” to do that daily work.
Often these experts are sent in by big business because they can promote experts to become reputable and widely recognized.
No surprise the law is in favor of big business (don’t try to develop a handheld with display + 4 rounded corners, or ask for open standards).

Remember the Mi$o - OS and “integrated” browser?
It was the last time for big business to be on the brink of destruction.

Today you buy a personal computer (hardware) and it has the software included. By our laws you are obliged to pay for it, even if you don’t use it. Nobody would question that. Forget Linux.

Fusion in media, banking, technology, …
Big and bigger business controls the market.

So my point is: Capitalism (the real one, not protectionism) is dead, you may find some traces in the dark, shady part of the world (e.g. when trading vulnerabilities), but barely within the law.


Capitalism is dead.
The name of our new era is monopolism.
However, the era won’t last long.

Allen • November 5, 2015 9:14 PM

@ Sancho_P "Often these experts are sent in by big business because they can promote experts to become reputable and widely recognized."

On the political landscape, they are commonly known as "think tanks" of nonprofitable motives. However, as the fox also guards the hen house, nonprofitable can be interpreted only on a legal basis. I'm not saying it isn't good to concentrate expertise on scarce resource (both human and data) in security like Fire Eyes does, but frequently it isn't a simple matter of who's done it or who did that. There are way more actors at play and the synergy of which may sometimes work detrimentally to its own good cause.

Marcos El Malo • November 5, 2015 10:17 PM

@Clive

I wonder who are the VC backers of Zerodium? I doubt it's any of Apple's competitors, but you never know. But aapl (the stock symbol) has been volatile for a long time now, and there's always been complaints that it's being manipulated, stories planted in the news, etc., so I wouldn't be shocked if some Apple shorting hedge fund was behind this.

Armelio • November 6, 2015 1:01 AM

@ Allen "When it comes to monetization of security, look no further than Fire Eyes, top company, top peoples, and the good scoop."

I just read their low forecast was attributed to the cyber truce with China. Realistically, we're in some serious deep shit if the financial wellness of our leading cyber security house rests on the shoulders of Chinese aggression. On one hand, I can think of how ridiculous that statement was; on another thought, how easily such a threat could be spoofed for the benefit of doubt.

It reminds me of how Microsoft always predicted a shortfall for its immediate next quarter during the good years of old.

Any • April 15, 2016 8:22 AM

Where is the reward offer from the firm Apple??
Fact is the government went about this totally wrong, leaving what appears to be fact that the government wants to set precedent as if that is a proper approach. So I guess there was no precedent making hijacking illegal, nor crashing into buildings, nor drunk or prostitute seeking government people on the job, nor......

The precedent needed is the government held responsible for failure to weed out police officers not fit to represent society before they are sworn in and lie to get a suspect, kill to maintain their integrity (thank God for cheaper digital recording and free internet hosts the news folks pick from), lie to protect the pack, ......


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.