A security start-up has revealed that a group of hackers won its $1m (£650,000) bounty for discovering a way to remotely take over the latest version of iOS – and confirmed it plans to sell the details to its corporate and government clients.
The positive result of start-up Zerodium’s iOS 9 exploit competition is likely to raise concerns in light of the controversial nature of its business. Like a few other vendors of zero-day (previously unknown) software bugs, Zerodium doesn’t disclose flaws to software makers but sells them to its own clients, something that has been likened to “selling burglary tools”.
Zerodium, which announced the bounty in September, said it was in the process of verifying a winning bid. It said an effort by Chinese white-hat hacking group Pangu had been disqualified because it relied on an already-known exploit and because the technique didn’t work remotely.
“Our iOS #0day bounty has expired & we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered),” Zerodium said via Twitter late on Monday.
The competition’s deadline was 31 October, and Zerodium said the winning bid was submitted a few hours before the cut-off time. The start-up didn’t disclose the identity of the winning group.
The bounty programme called for an attack that could be carried out “remotely, reliably, silently, and without requiring any user interaction except visiting a web page” or reading a text message, and which could allow an attacker to take over an iOS 9.1 or 9.2b device and install any software on it. An “untethered” jailbreak, as described in Zerodium’s announcement, is one that persists across reboots without the device having to be exploited again, which makes such a chain far more valuable than a one-off compromise.
Google’s Chrome or Apple’s Safari could be used, but Zerodium didn’t specify which browser the winning group had chosen.
Such an exploit would be ideal for organisations looking to secretly break into iOS devices for espionage or surveillance purposes, and in fact selling such exploits to government spy agencies was the business of Vupen Security, the controversial France-based company previously run by Zerodium founder Chaouki Bekrar.
Vupen, which focused on discovering the exploits it sold itself, shuttered its operations at the end of April, in part because of changes to the laws governing the international arms trade, and Bekrar launched Zerodium in July.
Zerodium didn’t give details on who it plans to sell the exploit to and for what purposes. However, the company’s website confirms that its customers include “government organisations in need of specific and tailored cybersecurity capabilities”, as well as corporate customers looking to protect themselves from zero-day bugs.
Zerodium confirmed it doesn’t plan to provide details of the exploit to Apple, but said it expects Apple to independently discover and patch the bugs involved in the attack within weeks or months. Until that happens, every iOS 9.1 and 9.2b device remains exposed to anyone who holds the chain. Zerodium said it will probably sell the details only to US organisations.
Companies such as Zerodium, along with others including Netragard and Errata Security, are controversial because they work only with their own clients, and don’t provide information to software vendors for patching bugs – a business Professor Ross Anderson of the University of Cambridge has likened to “selling burglary tools”.
Vupen, in particular, attracted negative publicity in 2012 for deciding not to disclose to Google a zero-day flaw in Chrome that had won Vupen a $60,000 prize in the Pwn2Own contest at the CanSecWest security conference.
Vupen also reported discovering flaws in Windows 8, but said it didn’t plan to disclose the details to Microsoft.
Apple did not respond to a request for comment.