iOS Bounty - The illusion of security

November 24, 2015
Info notes


In early November 2015, an anonymous group of hackers were awarded a $1 million bounty after successfully hacking Apple's recently released mobile operating system IOS 9. The bounty was launched by Zerodium, a premium zero-day acquisition broker that buys and sells exploits, who offered to pay for the successful development of an "exclusive, browser-based, and untethered jailbreak" for iOS 9.

iOS bug


Jailbreaking is the process of removing restrictions in iOS, and allow root access to the iOS file system. As a result, a jailbroken device can run software that has not been approved by Apple. Several users choose to jailbreak their device in order to install jailbreak apps, apply tweaks and themes to customize the look and feel of their device, and enhance the device's functionality.

Prior to iOS version 9 every single major version of iOS had been jailbroken. With every new version of iOS, Apple often includes new measures to prevent jailbreaking. iOS Malware thrives on jail broken devices since jailbreaking has severe impact on a device's security and user's privacy. As the installed applications have not been reviewed and approved by Apple for security, there is little or no assurance and guarantee on the processes they execute and the data they access and potentially export.

Million Dollar iOS 9 Bug Bounty

iOS 9 officially launched on 15 September 2015. Before its release, several articles indicated that the new Operating System would be harder than ever to jailbreak, some even speculated that Apple had implemented measures that would make iOS 9 'nearly impossible to jailbreak'.  

On the 21 September 2015, only 6 days after the official launch of iOS 9, Zerodium announced the "world's biggest zero-day bug bounty program: The Million Dollar iOS 9 Bug Bounty", offering to pay out a total of $3 million in rewards for iOS exploits/jailbreaks. The company promised to give a maximum of $1 million reward to any individual or team who managed to come up with an "exclusive, browser-based, and untethered jailbreak" for iOS 9 by the 31st of October.

One anonymous team won the bounty by developing a chain of exploits taking advantage of a number of zero-day vulnerabilities leading to a remote and untethered jailbreak of iOS 9 (9.1 and 9.2). The biggest challenge in this program was that the exploit had to be triggered remotely via Chrome, Safari, or a text message.

Currently Apple does not offer rewards for bug reports, so why would Zerodium spend $1-3 million on this program? There are at least 2 answers to this question. Firstly, the program itself turned out to be a good PR stunt for the company. This generous bounty caught the attention of both the media and the hacker community. Secondly, this is not a typical corporate bug-bounty program that pays researchers to share exploits found in a product, with the intention of assisting vendors in providing patches for bugs. Zerodium never promised to disclose the exploit once purchased, at least not to the public. In fact, they explicitly warn hackers that any zero-day exploit Zerodium buys must be exclusively sold to them. Hackers selling the zero-days are not allowed to resell them to other buyers or disclose them to the vendors of the targeted software, since this would allow vendors (in this case Apple) to release a patches that protect users and render the attack useless.

Clearly, this business model is not very popular with software vendors. In one particular case, Zerodium Founder Chaouki Bekrar refused to share a Chrome hacking technique with Google. After this incident, Google security staffer Justin Schuh referred to Bekrar as an "ethically challenged opportunist".

The Wassenaar Arrangement (Link to Wassenaar infonote), which also aims at regulating the spread of zero-day exploits between countries, is often linked to this kind of activity. However, Zerodium do not see Wassenaar as a serious obstacle, and they pointed out that the arrangement has yet to be implemented in the United States. Bekrar said that "Wassenaar adds a layer of paperwork but does not aim to prevent companies from conducting their businesses".

'Secure' versions

We often see articles with titles such as: "Android is Hilariously Insecure – 87% of Phones are Vulnerable", which are usually linked with vulnerabilities found on specific OS versions. Sure, it is easy to argue that newer versions are usually more secure than older versions. However, this does not imply that the latest versions are completely secure. We must not assume that running the latest version will keep us safe from all vulnerabilities, but rather from KNOWN vulnerabilities. In fact, even the term 'known vulnerabilities' can be a bit misleading. To be more precise, running the latest version will help keep users safe from vulnerabilities that are known to, and patched by the software vendors.

The 'remote and untethered jailbreak of iOS 9' mentioned above is a good example. There currently exists a relatively severe vulnerability in the latest iOS version that may very well be known to individuals or organisations and not by the vendor (Apple).

Quoting Zerodium: "Apple's iOS is currently the most secure mobile OS. But don't be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation".

Similarly, the recently discovered Android Stagefright bug had been around since 2012, but the vendor was only made aware of it in 2015. This means any newly released version between Android 2.2 and 5.1 was vulnerable to this bug upon its release. There is no telling whether anyone could have come across this bug sometime between 2012 and 2015, and had in fact been exploiting it for malicious purposes.

The question remains: How many 'unknown' Stagefrights or remote and untethered jailbreaks are running in the wild, on the latest, patched, and most up to date systems around?

Conclusion and recommendations


Even though there is always the possibility that there are vulnerabilities on latest software versions, it is still very important to update to the latest official version. Once a vulnerability becomes known to the public, cybercriminals take advantage of the situation and try to exploit them in the wild. It is always a good idea to have a system that is patched against these known vulnerabilities.

That being said, one must not assume that running the latest version would keep them safe from all vulnerabilities. This is why whenever possible, depending on the type of software in question, different layers of security such as AVs, NIDS, Encryption, etc. should be in place. This kind of implementation may never be 100% secure from all attacks, but a layered protection approach and constant monitoring can prove to be a lot harder to penetrate by cyber criminals.

At the end of the day, users must never assume that they are 100% safe, and act accordingly.

Software vendors

Software vendors should always ensure that the proper QA and testing was conducted before, and even after the launch of a new version. If implemented correctly, this step can significantly reduce the amount of vulnerabilities in a particular release.

The vendors should also provide incentives such as bounty programs that would encourage responsible vulnerability disclosure. This would help them to identify and patch vulnerabilities that managed to make their way through the QA and Testing. Finally, security specialists should always act ethically when handling vulnerabilities.

About “Info Notes” from ENISA

With the “Info Notes” series ENISA aims at giving the interested reader some background and recommendations about NIS related topics. The background and recommendations are derived from past experiences and common sense, and should be taken as starting points for discussions on possible course of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or inquire more information on the “Info Notes” series (

We use cookies on our website to support technical features that enhance your user experience.
We also use analytics. To opt-out from analytics, click for more information.

I've read it More information