An anonymous team has claimed a $1 million bounty for zero-day exploits in iOS 9.1 and the 9.2 beta, potentially allowing someone to jailbreak an Apple device over the Internet.
The bounty was offered by Zerodium, a startup marketing itself as the "premium zero-day vulnerability and exploit acquisition program." It was first announced on Sept. 21, but only claimed this weekend — hours before it was set to expire, Zerodium founder Chaouki Bekrar told Motherboard.
Rules stated that the hack had to come through Safari, Chrome, or an SMS or MMS message. This is said to have made the bounty particularly complex, demanding a string of undiscovered bugs, and as late as mid-October two teams were blocked by the same problem.
The winning team used a combination of Chrome and iOS vulnerabilities to create a browser-based jailbreak, which is still being double-checked make sure it meets the bounty's terms. Bekrar declined to offer any details about the technique, or whom he intends to sell it to.
Zerodium is reportedly geared toward selling to government customers however, and its predecessor, VUPEN, previously counted the U.S. National Security Agency as a client.
That could mean the NSA and/or other government organizations will be able to circumvent iOS 9's security safeguards, such as full-disk encryption, and install eavesdropping apps or simply sabotage a device.
Bekrar suggested however that Apple will likely patch the related iOS holes in "a few weeks to a few months," and that the bounty is actually a credit to Apple's work.
"This challenge is one of the best advertisements for Apple as it has confirmed once again that iOS security is real and not just about marketing," he said. "No software other than iOS really deserves such a high bug bounty."
Remote jailbreaks have become a rarity with iOS, the last known technique being available for iOS 7.