Another day, another mobile vulnerability to report. This time, a group of hackers have captured a $1 million bounty for their remote iOS hack. The compromised device was running the newest version of iOS, iOS 9, and the bounty wasn’t paid by Apple but instead by a French company that frequently buys and sells zero-day exploits.
Zerodium, a startup within the French company Vupen, opened a bug-bounty challenge a month ago in which they asked hackers to provide a completely un-tethered way in which to compromise the unsuspecting victim’s iPhone. The attack had to come from a specific point of entry:
- A web page on Safari or Chrome browser
- In-app browsing action
- Text message or MMS.
Zerodium took to Twitter to announce that the challenge was over.
— Zerodium (@Zerodium) November 2, 2015
They mention that the exploit was via a Jailbreak method, but what does that mean? When most people think of a Jailbreak in terms of their iPhone they think of installing a new version of the App Store that allows a user to sideload apps, games, and add new functionality and permissions.
In this instance the ramifications are much worse. Jailbreaking your iPhone is really simply making the device install software that it does not want to install. A user might do this for the reasons mentioned above, but a hacker could use the same methods to deliver malware, spyware, or destructive software to a user’s device. If that weren’t bad enough, Zerodium is known to develop ways to exploit these bugs and sell them to their clients, which according to The Hacker News include spy agencies, governments, and law enforcement agencies.
Apple has not released a response at this time, though they’ve been pretty good about releasing updates for known security issues in iOS recently. Hopefully for the sake of all of the iOS users out there we’ll see a security patch come through to plug this hole sooner rather than later.Source: The Hacker News