A computer security firm that sells exploits to government agencies claims to have acquired a method for remotely compromising an iPhone running iOS 9. The firm, Zerodium, put out a bounty of $1 million for the hack last month, and earlier this week tweeted that one "winning team" had come forward to collect the money. The identity of the team and any details of the hack are still unknown, which casts some doubt on Zerodium's claim, but the idea that iOS 9 could be compromised to this degree is believable and Zerodium's founder, Chaouki Bekrar, has a history of selling such exploits.
The bounty in question was for a very specific and extensive hack, one that would allow attackers to remotely jailbreak a target iPhone and install any app of their choosing. "The whole exploitation/jailbreak process should be achievable remotely, reliably, silently, and without requiring any user interaction except visiting a web page or reading a SMS/MMS," wrote Zerodium on their bounty page. Apple, of course, must not already be aware of the flaw, which makes it what is known as a "zero day" exploit, so called because the vendor has known about it for zero days.
Our iOS #0day bounty has expired & we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!
— Zerodium (@Zerodium) November 2, 2015
Apple's mobile operating system is known for its security, but even iOS can be vulnerable, as was shown in September when malware known as XcodeGhost appeared on the App Store. The difficulty of the hack explains in part Zerodium's unusually large bounty (it's the highest publicly reported for a single exploit), but the firm's business model also plays a part. Government agencies of various kinds pay far more than tech companies for exploits and bugs, and Bekrar (under his previous company Vupen) is known for doing business with the likes of the NSA. At one point, he even taunted Google by posting a video of a Chrome hack that "owned" the browser without telling the tech company how to fix it.
However, this theatrical streak also suggests it's possible Zerodium is simply trying to attract attention. Up until a few hours before the bounty was set to end, no one had come forward to claim the money, and as security researcher Jonathan Zdziarski noted on Twitter: "Unless the name gets publicly disclosed, it's no more provable than a PR stunt." Zerodium did not respond to The Verge's request for comment or clarification, although Bekrar has tweeted since the announcement: "Despite [the] iOS remote jailbreak I still feel safe using my iPhone, knowing how hard it is."