It’s a bad day for Apple and iOS lovers across the globe: an unknown individual has identified a zero-day vulnerability in iOS that could allow an attacker to remotely hack any iPhone running the latest version of iOS 9, Apple’s newest version of its mobile operating system.
An unknown hacker or team of researchers has sold the undisclosed zero-day vulnerability to Zerodium, a French-based startup from Vupen that privately buys and sells zero-day vulnerabilities and exploits to governments and third parties for the highest price.
Last month, the vulnerability firm issued a massive one-million-dollar bug bounty, challenging all hackers to find an exploit that allowed remote compromise of non-jailbroken Apple devices, with the potential to hack any phone at any time. One million dollars was the prize. However, to be eligible, the device had to be remotely compromised via one of the following:
- A web page in Safari or Google Chrome browser
- In-app action
- Text message or multimedia message
Zerodium’s founder, Chaouki Bekrar, confirmed early Tuesday morning on Twitter that an unknown team of hackers won the $1 million bounty for finding a remote browser-based untethered jailbreak affecting iOS 9.1/9.2b devices.
Our iOS #0day bounty has expired & we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!
— Zerodium (@Zerodium) November 2, 2015
The severity of this recent exploit is critical. Why? Because it puts all iPhones at risk of a high-level attack that could be used to exploit the device.
Traditionally, jailbreaking an iPhone is a willing action, which allows the end user to install cool tweaks and hacks on the phone through a modified app store, Cydia. However, in the hands of hackers or law enforcement agencies, the same jailbreak could allow them to install any apps with full privileges, potentially installing spyware or surveillance software.
What’s even more worrisome, we know that Zerodium’s parent company, Vupen, develops high-level hacking tools and sells them to multiple governments worldwide, meaning Zerodium’s clients are likely to follow.
Now that the firm has a severe flaw in iOS 9, it is likely to sell the undisclosed zero-day remote jailbreak to its clients, which include a handful of spy agencies, government entities and law enforcement agencies.
Now it may just be a matter of time before Apple’s security team patches this hole. However, they will have to discover the flaw themselves, as Zerodium will not publicly disclose it.