I for one actually feel much more secure knowing that iOS is so secure that $1 million is considered the public value of an exploit. Vupen bought flash zero days for $30,000 in the past so knowing that iOS exploits are now valued enough to attract this kind of bounty makes me much more confident script kiddies and scammers will not be able afford to attack me. And lets face it, we were never secure from the NSA in the first place...
This is purely market value. If iOS simply had less users, the price would be lower. So I think your conclusion of it being more secure because of this is incorrect.
About less people being able to afford it - this again depends on what ZERODIUM intends to do with it. They may sell it for cheap and count on a large number of sales because, again, iOS is so popular.
I disagree. Less users also mean low price for bounty since the media is not paying attention. It is a fair conclusion that a reward as big as $1M is imposed since it has been proven (so far) that iOS platform is quite secure.
Yeah I was suggesting this may even be below market value as selling to Vupen is probably considered more acceptable than selling on the black market for a likely even higher price.
With regards to users flash player has more users than iOS but the exploit was cheaper, while these users might not be as valuable as iOS users neither market is what you would consider small.
And finally it's unlikely they would sell it to mass users for extremely cheap and risk it leaking. It's probably more out of desperation, Vupen has heaps of long term customers who they have promised the ability to hack phones to, it's probably embarrassing to them if they can't hack them most popular phone model out there.
Hacking Team: a zero-day market case study [1] seems to support the idea that iOS exploits are scarce. Especially compared to Android (when using your "less users" perspective).
"Mobile: VUPEN offered several different remote code execution and local privilege escalation exploits for Android; however, not all of them were 0day and Hacking Team deemed that the prices were too high to purchase. Though there was interest in purchasing exploits for iOS, VUPEN said they were limited to certain customers, presumably high-paying government agencies." [1]
"iOS exploit pricing: Adriel stated he was supply-constrained for iOS RCE exploits because exploit developers frequently had their own connections to sell them, and that he believed that such exploits were overpriced. An exclusive exploit sale could cost over a million dollars, [...]." [1]
> Apple iOS, like all operating system, is often affected by critical security vulnerabilities, however due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple's iOS is currently the most secure mobile OS. But don't be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here's where the Million Dollar iOS 9 Bug Bounty comes into play.
BTW, I guess Flash is as popular as iOS9 (the Steam hardware survey used to show that 99.9% of the Steam users had Flash installed), yet, as stirlo says, they only paid up to $30k for Flash exploits.
The exploit/jailbreak must support and work reliably on the following devices (32-bit and 64-bit when applicable):
- iPhone 6s / iPhone 6s Plus / iPhone 6 / iPhone 6 Plus
- iPhone 5 / iPhone 5c / iPhone 5s
- iPad Air 2 / iPad Air / iPad (4rd generation) / iPad (3th generation) / iPad mini 4 / iPad mini 2
So did i read this correct and the exploit must be backwards compatible in order to get the full bounty?
If the last 8 versions were jailbreakable I think this one will be too - eventually - but it is certainly the case that devices are becoming more secure both for and against their owners. The tension between freedom and security is definitely increasing.
You can only get a million for a really impressive jailbreak. If it involves plugging the phone into your computer and downloading something, or even just pushing a button, it doesn't qualify for this bounty.
I wonder if we will now see more hardware-based jailbreaks.
It's a bit like with oil drilling. Once the easily accessible options are gone, people reconsider options that used to be considered too expensive to exploit or too damaging for the environment. Like fracking, oil sands, oil wells that are very deep or far up in the arctic, ...
In the case of iOS explots, maybe you'll be able to jailbreak it over the lightning connector. Maybe you'll have to open the phone and hook up the circuit board to a device. Maybe someone in china will build a robot for phone shops that'll disassemble, jailbreak, and reassemble a phone in seconds (and replace a cracked screen while it is at it). Heck, maybe it'll become economic for criminals to bribe and/or blackmail Apple engineers to put a backdoor into iOS, or to leak keys?
Heck, maybe it'll become economic for criminals to bribe and/or blackmail Apple engineers to put a backdoor into iOS, or to leak keys?
Or just become Apple engineers... I'm sure there's people out there who would be absolutely thrilled at the idea of working for Apple and writing code for iDevices while at the same time secretly subverting them.
I am under the impression that the large companies in China (the equivalents of Google, Microsoft, and Ebay/PayPal), who have essentially been funding the jailbreaks of iOS 7 and 8, have been paying quite hefty sums as well (if not a million dollars, then I would argue "close enough" that even people who only see "sort of a problem" with selling weaponized exploits to arms dealers might still value the ethical advantages of a public release at least highly enough to cover the marginal utility of the price difference), as they use them as part of a proxy war to "control mobile" by providing an alternative App Store (with actual "Apps", unlike Cydia) for Chinese users; so like, this might change the game slightly, and I do know people in our community whose hats are sufficiently dark that they would be swayed by this, but it isn't a done deal or anything.
(Further, I will point out that most jailbreaks don't even involve a remote and silent deployment: while there are tons of possible exploitable bugs found in WebKit all the time, Apple has sandboxed the living daylights out of that process, and a lot of the kernel bugs people find don't work even in processes that have the lightest of sandboxes. The standard stack for a jailbreak is usually something that requires the device to be pincode unlocked and plugged into a computer that the device has been told to "trust", in order to take advantage of the attack surface provided by the protocols iTunes and Xcode use to talk to the device over USB, which often will touch the filesystem in complex ways, at least indirectly if not directly as part of something like "restore a backup". If you find this kind of limited stack, you usually don't just "throw it back" and keep fishing ;P.)
Yeah, totally missed that they want silent deployment, and they lose the benefit of the owner unlocking the device. So this probably isn't actually a game changer at all.
If the objective is (and correct me if it isn't) to be able to install arbitrary software on iOS, isn't that possible now with Xcode 7 and free provisioning? Personally I am hoping Github will be the new way through which to install non-store apps.
Is this a Zerodium ad masquing the politically incorrect PR of "zerodium has 0day exploits available for sale"? I mean how else would anyone advertise availability of 0day without compromising their credibility? $1M per exploit would sure get you lots of press.
Considering the strictness of the requirements, I can think of two options:
- this is just a PR stunt, nobody will realistically deliver such a piece of code before oct. 31st.
- they know that someone in the jailbreak community is cooking something big like that and they're trying to tempt them and acquire a very interesting exploit before anybody else.
I have to wonder: what stops someone from selling the "exclusive" rights to an exploit, waiting for the check to clear, and then disclosing it privately to the vendor to get fixed?
Trust. That sounds funny, given that it's a grey market, but there were excerpts from the Hacking Team email dump where they talked extensively about which exploit providers were high quality, reliable, etc.
Someone absolutely can try and play games, but the people they sell to will do their best to determine whether that's happening and penalize them.
I might be missing something, but has there ever been any exploit (or string of simultaneous exploits) for iOS or android which meets all the criteria?
It must be through a text message or web page, it must be remote, reliable, silent, require no interaction, must be entirely comprised of 0-day exploits throughout the whole chain, must affect multiple architectures and all supported devices, and must bypass all security checks to allow full root access.
You used to be able to jailbreak one of the first iPhones and install Cydia just by visiting some page in Safari and clicking on a button, IIRC. I never did this myself, so my memories might be inaccurate though.
Right! One of the famous initial iPhone OS exploits involved a vulnerability in LibTiff. Decoding a crafted .tiff in Safari would grant the site's javascript root access.
The stagefright bugs gave control over the media-player daemon of Android. This daemon is not running as root, it's even jailed with SELinux, but it has some interesting permissions like microphone-access.
Despite the media hype you can't root your phone with the stagefright bugs and so it wouldn't qualify for the bounty.
Some of those other interesting permissions are the ability to open arbitrary network/bluetooth sockets, read/write to external storage, and access the camera[1].
Mediaserver is not full root but it is pretty privileged. Given all of this access it wouldn't take much work to incorporate another privilege escalation bug to get root on the phone anyway, and there is zero user interaction.
There isn't much in the list that applications like Hangout or Chrome don't have anyway. It's still a very serious vulnerability, but the overstating is just clever marketing by a security company.
> Despite the media hype you can't root your phone with the stagefright bugs and so it wouldn't qualify for the bounty.
Alone? No. As part of a "chain" of exploits, which is what this bounty is calling for, in concert with a privilege escalation? Yes. That bug allowed for remote and silent (due to executing in a way which would allow it to suppress notifications of the incoming message) arbitrary code execution as a user on the device, which, even as a user with minimal permissions or which has been sandboxed in some way, affords you the ability to do much much more on the device than you could before the exploit.
FWIW, the actual release included a demo of rooting a device on stage; they have a video with a similar demo. I presume the second bug they were using was an already-fixed kernel bug, but if you have something like stagefright your next step is to go hunting for such a bug. (Regardless, the question you were responding to was more about how most of the exploits people put together do not satisfy the "remote" and "silent" parts, as opposed to the "I got root" part; the latter is comparatively easy.)
> I presume the second bug they were using was an already-fixed kernel bug
That's true, @jduck confirmed that on twitter. It's an old, fixed, bug that has nothing to do with stagefright and could be exploited by every app on the phone or every rce in any app on the phone.
> Regardless, the question you were responding to was more about how most of the exploits people put together do not satisfy the "remote" and "silent" parts, as opposed to the "I got root" part; the latter is comparatively easy
FWIW, "throughout the whole chain" was part of the question.
"The whole exploitation/jailbreak process should be achievable remotely, reliably, silently, and without requiring any user interaction except visiting a web page or reading a SMS/MMS (attack vectors such as physical access, bluetooth, NFC, or baseband are not eligible for the Million Dollar iOS 9 Bug Bounty. ZERODIUM may, at its sole discretion, make a distinct offer to acquire such attack vectors.)."
Can someone explain this part? Jailbreak from a website, sms, or mms seems ... impossible. Has this even been possible with older jailbreaks?
Not alone, but as part of a chain of exploits (which is what most jailbreaks are, and which is what this document expressly asks for), certainly it is: it allows you to get arbitrary code execution on the device, which can be paired with a kernel exploit (something that has been comparatively quite common) to get root. I mean, this same argument can be said about the individual components of JailbreakMe 2.0 and 3.0: the initial exploit in FreeType only just barely got you the ability to run code as Safari within its even-at-the-time relatively restricted sandbox: it was then paired with a kernel exploit to finish the jailbreak. Zimperium actually did a demo on stage at BlackHat of using Stagefright as the vector to push a privilege escalation (probably some old kernel exploit; I think they said, but I don't remember) to the device, and they have also posted a video of that process.
And all you have to do is sell your unicorn vulnerability to this company:
ZERODIUM customers are major corporations in defense, technology, and finance, in need of advanced zero-day protection, as well as government organizations in need of specific and tailored cybersecurity capabilities
The offer to buy RCE in PHPBB/vBulletin is a nice touch.
So, let me get this straight, this company is in the business of buying zero-day exploits and selling them to corporations and government organizations. How does this even exist? Is it legal? Can anyone buy and sell zero day exploits with total impunity?
It's a win-win for Zerodium. They are getting free publicity for having the biggest bug bounty ever, and if somebody actually does submit a working exploit, they sell it to their clients for a hefty profit. I'm sure there are government agencies that would pay well over a million for the ability to infect any IOS device silently and easily.
I don't see why someone wouldn't sell it to them, collect the bounty, and then either release/sell it themselves. It seems like Zerodium would have very little recourse.
A million bucks for a iOS 9 vulnerability sounds nice. But is that worth having the death, imprisonment, or torture of possibly innocent people on your conscience? If a government is buying these vulns, there is no telling what they will do with them.
If you live in the US or Canada and voted for a recent government, this is already on your conscience.
The realization that there's a dirty, dirty underside to our standard of living seems to polarize people. Some dedicate themselves to helping. Some conclude that the world is run by gangsters, so they might as well pick a gang and profit. Most, either never realize or just decide that the problem is too big and they should focus on their own little islands of comfort.
79 comments
[ 6.2 ms ] story [ 138 ms ] threadAbout less people being able to afford it - this again depends on what ZERODIUM intends to do with it. They may sell it for cheap and count on a large number of sales because, again, iOS is so popular.
With regards to users flash player has more users than iOS but the exploit was cheaper, while these users might not be as valuable as iOS users neither market is what you would consider small.
And finally it's unlikely they would sell it to mass users for extremely cheap and risk it leaking. It's probably more out of desperation, Vupen has heaps of long term customers who they have promised the ability to hack phones to, it's probably embarrassing to them if they can't hack them most popular phone model out there.
"Mobile: VUPEN offered several different remote code execution and local privilege escalation exploits for Android; however, not all of them were 0day and Hacking Team deemed that the prices were too high to purchase. Though there was interest in purchasing exploits for iOS, VUPEN said they were limited to certain customers, presumably high-paying government agencies." [1]
"iOS exploit pricing: Adriel stated he was supply-constrained for iOS RCE exploits because exploit developers frequently had their own connections to sell them, and that he believed that such exploits were overpriced. An exclusive exploit sale could cost over a million dollars, [...]." [1]
[1] https://news.ycombinator.com/item?id=9949818
> Apple iOS, like all operating system, is often affected by critical security vulnerabilities, however due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple's iOS is currently the most secure mobile OS. But don't be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here's where the Million Dollar iOS 9 Bug Bounty comes into play.
BTW, I guess Flash is as popular as iOS9 (the Steam hardware survey used to show that 99.9% of the Steam users had Flash installed), yet, as stirlo says, they only paid up to $30k for Flash exploits.
You do make a great point with that Flash comparison, though.
So did i read this correct and the exploit must be backwards compatible in order to get the full bounty?
iOS 9 has the same performance as iOS 8.4
they always give users the 'last' iOS version but I highly doubt any work will go into patching it in future.
It's a bit like with oil drilling. Once the easily accessible options are gone, people reconsider options that used to be considered too expensive to exploit or too damaging for the environment. Like fracking, oil sands, oil wells that are very deep or far up in the arctic, ...
In the case of iOS explots, maybe you'll be able to jailbreak it over the lightning connector. Maybe you'll have to open the phone and hook up the circuit board to a device. Maybe someone in china will build a robot for phone shops that'll disassemble, jailbreak, and reassemble a phone in seconds (and replace a cracked screen while it is at it). Heck, maybe it'll become economic for criminals to bribe and/or blackmail Apple engineers to put a backdoor into iOS, or to leak keys?
Or just become Apple engineers... I'm sure there's people out there who would be absolutely thrilled at the idea of working for Apple and writing code for iDevices while at the same time secretly subverting them.
(Further, I will point out that most jailbreaks don't even involve a remote and silent deployment: while there are tons of possible exploitable bugs found in WebKit all the time, Apple has sandboxed the living daylights out of that process, and a lot of the kernel bugs people find don't work even in processes that have the lightest of sandboxes. The standard stack for a jailbreak is usually something that requires the device to be pincode unlocked and plugged into a computer that the device has been told to "trust", in order to take advantage of the attack surface provided by the protocols iTunes and Xcode use to talk to the device over USB, which often will touch the filesystem in complex ways, at least indirectly if not directly as part of something like "restore a backup". If you find this kind of limited stack, you usually don't just "throw it back" and keep fishing ;P.)
- this is just a PR stunt, nobody will realistically deliver such a piece of code before oct. 31st.
- they know that someone in the jailbreak community is cooking something big like that and they're trying to tempt them and acquire a very interesting exploit before anybody else.
Someone absolutely can try and play games, but the people they sell to will do their best to determine whether that's happening and penalize them.
It must be through a text message or web page, it must be remote, reliable, silent, require no interaction, must be entirely comprised of 0-day exploits throughout the whole chain, must affect multiple architectures and all supported devices, and must bypass all security checks to allow full root access.
Read more: https://books.google.com/books?id=1kDcjKcz9GwC&pg=PA9&lpg=PA...
https://en.wikipedia.org/wiki/JailbreakMe
Despite the media hype you can't root your phone with the stagefright bugs and so it wouldn't qualify for the bounty.
Mediaserver is not full root but it is pretty privileged. Given all of this access it wouldn't take much work to incorporate another privilege escalation bug to get root on the phone anyway, and there is zero user interaction.
[1] https://www.blackhat.com/docs/us-15/materials/us-15-Drake-St...
Alone? No. As part of a "chain" of exploits, which is what this bounty is calling for, in concert with a privilege escalation? Yes. That bug allowed for remote and silent (due to executing in a way which would allow it to suppress notifications of the incoming message) arbitrary code execution as a user on the device, which, even as a user with minimal permissions or which has been sandboxed in some way, affords you the ability to do much much more on the device than you could before the exploit.
FWIW, the actual release included a demo of rooting a device on stage; they have a video with a similar demo. I presume the second bug they were using was an already-fixed kernel bug, but if you have something like stagefright your next step is to go hunting for such a bug. (Regardless, the question you were responding to was more about how most of the exploits people put together do not satisfy the "remote" and "silent" parts, as opposed to the "I got root" part; the latter is comparatively easy.)
https://www.youtube.com/watch?v=PxQc5gOHnKs
> Regardless, the question you were responding to was more about how most of the exploits people put together do not satisfy the "remote" and "silent" parts, as opposed to the "I got root" part; the latter is comparatively easy
FWIW, "throughout the whole chain" was part of the question.
Can someone explain this part? Jailbreak from a website, sms, or mms seems ... impossible. Has this even been possible with older jailbreaks?
https://www.youtube.com/watch?v=PxQc5gOHnKs
ZERODIUM customers are major corporations in defense, technology, and finance, in need of advanced zero-day protection, as well as government organizations in need of specific and tailored cybersecurity capabilities
The offer to buy RCE in PHPBB/vBulletin is a nice touch.
The realization that there's a dirty, dirty underside to our standard of living seems to polarize people. Some dedicate themselves to helping. Some conclude that the world is run by gangsters, so they might as well pick a gang and profit. Most, either never realize or just decide that the problem is too big and they should focus on their own little islands of comfort.