We have all been waiting to find out if Pangu Team or other hackers would jailbreak iOS 9.1 or the first public beta of iOS 9.2, which was officially released by Apple last week. Now several news organizations are reporting that an untethered jailbreak of iOS 9.1 has in fact been achieved.
An anonymous group of hackers has completed a jailbreak of iOS 9.1 and the 9.2 beta. The team received a $1 million reward from Zerodium, a private zero-day buyer, for meeting the terms of Zerodium’s “Million Dollar iOS 9 Bug Bounty” by the October 31 deadline. Zerodium is a private subscription-based security firm. The company announced its bounty on September 21 in a press release:
The Million Dollar iOS 9 Bug Bounty is tailored for experienced security researchers, reverse engineers, and jailbreak developers, and is an offer made by ZERODIUM to pay out a total of three million U.S. dollars ($3,000,000.00) in rewards for iOS exploits/jailbreaks. ZERODIUM will pay out one million U.S. dollars ($1,000,000.00) to each individual or team who creates and submits to ZERODIUM an exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices.
The guidelines required the exploit to work through a browser like Safari or Google Chrome, a text message, or a multimedia message. This effectively meant that the hackers would need to find and chain several bugs, rather than a single vulnerability. The key requirement was the ability to jailbreak an iPhone remotely.
Zerodium founder Chaouki Bekrar announced that the company has indeed paid out a $1 million bounty under the program. Although two teams submitted entries, only one was accepted as a full, remote jailbreak. Zerodium is a start-up firm whose clients include major multinational corporations and the government. Bekrar revealed that the jailbreak will be shopped to those clients, such as defense contractors, who need top-level cybersecurity. Although the jailbreak will not immediately be disclosed to Cupertino, Bekrar said the company may inform Apple of the underlying vulnerabilities at a later date.
According to Zerodium, the untethered browser-based jailbreak exploits vulnerabilities across the entire Apple device spectrum, including the iPhone 6 and 6 Plus, all iPhone 5 models, the iPad Air 2, iPad 3 and iPad 4, as well as the iPad mini 4 and iPad mini 2. The jailbreak reportedly chains vulnerabilities in the Google Chrome browser and in iOS itself, and bypasses nearly all of the mitigations in place.
The jailbreak is unsettling because of the way Bekrar explains its potential impact:
But there’s no doubt that for some, this exploit is extremely valuable. …This exploit would allow [law enforcement and spy agencies] to get around any security measures and get into the target’s iPhone to intercept calls, messages, and access data stored in the phone.
Traditional hacker teams look at firms like Zerodium with considerable disapproval, since their results are sold to customers who may use the security flaws for nefarious purposes, such as surveillance of private citizens. Selling jailbreaks secretly to large entities also goes against the ethics of the hacker community, which typically releases its work for free to the general public.
Groups like Pangu Team forgo financial rewards and focus on areas of iOS that could lead to improvements for everyday consumers. Pangu told El Reg it does not target Apple’s Safari browser because it could make the browser vulnerable to attackers.