Making headlines is Zerodium’s $1 million bounty for “jailbreaking” iOS9.1, Apple’s latest mobile operating system.
Zerodium is a computer exploit merchant, meaning it buys and sells knowledge of how to tamper with software. It describes itself as “a privately held and venture backed startup, founded by cybersecurity veterans with unparalleled experience in advanced vulnerability research and exploitation.
It offers a service called the “Zerodium Security Research Feed” (Z-SRF) through which Zerodium pays independent researchers for their zero-day discoveries and then “analyzes, documents, and reports all acquired security information, along with protective measures and security recommendations, to its clients”.
“Zero-day discoveries” refers to vulnerabilities that the software manufacturer both doesn’t know about and hasn’t fixed. These discoveries are worth a lot of money to professional hackers.
You may be asking yourself, how can this line of work possibly be legal? After all, Zerodium is publically paying people $1 million to figure out how to remove security protections built into Apple products with iOS9.1. From that point, hackers could potentially monitor the device, install malware, or otherwise use the device in ways it was never meant to be used. Furthermore, Zerodium is only accepting applicants who manage to do this from a separate web browser and in such a way that if their work remains effective regardless of whether the phone is connected to a computer or restarted completely.
It turns out that in the United States, jailbreaking a new iPhone is completely legal and has been since 2010. Federal regulators believed that it fell within consumers’ rights to manipulate iPhones so that they could, for example, download apps from outside Apple’s very closed business model.
Unlocking, the process that enables an phone to be used with any wireless carrier despite whatever carrier with which it was sold, remained illegal until early August of last year.
What’s worrying is that the jailbreaking method is not meant for consumers to use on their own phones; it is clearly meant to be used by a third party, unbeknownst to the owner of the device.
According to Zerodium, one hacking team successfully created the jailbreak and that the information will be sold to “major corporations in defense, technology, and finance” seeking to protect themselves from a potential zero-day attack. Zerodium also admitted that it would be selling the hack to “government organizations in need of specific and tailored cybersecurity capabilities.”
Apple will not be listed in the variety of companies to which Zerodium plans to sell the jailbreak. It also obviously does not plan to release the information to the general public. That said, the entire process is pretty damaging to Apple’s reputation and disconcerting to most Apple users; companies are publically selling information about how to hack into their devices.
That said, Zerodium maintains that the ability to hack into Apple’s devices does not imply that the company is an unsafe option:
“Due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple’s iOS is currently the most secure mobile OS,” Zerodium states on its website. “But don’t be fooled secure does not mean unbreakable.”