Team discovers iOS 9 vulnerability, wins $1 million

Premium exploit acquisition platform Zerodium has announced that the bounty hunt for an iOS 9 zero-day vulnerability has expired, and that it has one winning team who managed to hack into Apple's mobile operating system.

The winning team has thus won the main prize of $1 million.

"Our iOS #0day bounty has expired & we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!” the company wrote in a Twitter post.

https://twitter.com/zerodium/status/661240316331069443

The hack needed to fill certain criteria: it had to be untethered (remote), and exclusive, meaning not publically available.

The platform also required the exploit to led to "a remote, privileged, and persistent installation of an arbitrary app" on a fully updated iOS 9 device after the victim visited a compromised web page through the Safari or Chrome browsers, or alternatively a text or multimedia text message.

Speaking to Motherboard, Zerodium CEO Chaouki Bekrar said "making the jailbreak remotely triggerable via Safari or Chrome requires at least two to three additional exploits," and so creating a viable exploit was no easy task.

It was only a few hours before the competition's deadline that one team found a way thanks to a "number of vulnerabilities" in Chrome and iOS 9, leading to the bypass of "almost all mitigations" and a full, untethered jailbreak.

Zerodium earns its keep by selling these vulnerabilities and exploits to “major corporations in defence, technology and finance, in need of advanced zero-day protection, as well as government organisations in need of specific and tailored cybersecurity capabilities”.