“While millions of iPhone users have eagerly upgraded to iOS 9, a new race is on among researchers to find critical flaws in Apple’s software, and they’re throwing around more cash than ever to get hackers to find the holes,” Buster Hein reports for Cult of Mac.
“A new security industry firm called Zerodium announced today that it will pay hackers $1 million for a single exploit that allows attackers to break into an iPhone or iPad running iOS 9,” Hein reports. “The company says it’s even willing to pay the bounty multiple times, as long as the exploits break through iOS 9’s security flaws a certain way.”
“Thanks to a number of security improvements, iOS is currently the most secure mobile OS, according to Zerodium,” Hein reports. “The terms for Zerodium’s contest state that the exploit must allow attackers to remotely and silently install an arbitrary app like Cydia on an iOS 9 device via a webpage attack or text message.”
More info in the full article here.
MacDailyNews Take: Good luck, hackers. You’re gonna need it.
SEE ALSO:
New Android malware strains to top 2 million by end of 2015 – July 1, 2015
Symantec: 1 in 5 Android apps is malware – April 25, 2015
Kaspersky Lab Director: Over 98% of mobile malware targets Android because it’s much, much easier to exploit than iOS – January 15, 2015
Security experts: Malware spreading to millions on Android phones – November 21, 2014
There’s practically no iOS malware, thanks to Apple’s smart control over app distribution – June 13, 2014
F-Secure: Android accounted for 99% of new mobile malware in Q1 2014 – April 30, 2014
Google’s Sundar Pichai: Android not designed to be safe; if I wrote malware, I’d target Android, too – February 27, 2014
Cisco: Android the target of 99 percent of world’s mobile malware – January 17, 2014
U.S. DHS, FBI warn of malware threats to Android mobile devices – August 27, 2013
[Thanks to MacDailyNews Reader “Dan K.” for the heads up.]
I just gotta ask, “what’s in it for them?”
Bringing awareness to qualified people. This means more money spent investing in their products/services/careers/events, networking, etc. They’re being active in the community that matters to their field.
But probably the most obvious reason is that hackers don’t typically make money doing things that are not malicious, so offering these guys $1,000,000 up front for exposing an exploit would be more interesting to a would-be malicious hacker than taking the risks associated with a malicious use of the same exploit, which would not be likely to yield such a payout, and definitely not one that could be deposited into a bank account no questions asked.
I think this is Apple outsourcing its software security effort. The $1M bounty for every bug reported is too much for a single company to fund if it has no previous business. Looking up its official website, it is marked Untrustworthy by Web of Trust and anyone is discouraged from looking at their business.
https://www.mywot.com/en/scorecard/zerodium.com?utm_source=addon&utm_content=popup.
I thought the same thing.
I thought the same thing too, but with MSFT or Google financing the effort.
Where do they get the money to award that kind of cash?
Apple.
China, North Korea, Russia, ISIS?
What do they pay for Android exploits, 50¢?
A dime a dozen.
They will only be able to do it through physical means. It should be interesting to see how many claim they can and how many can actually prove they can.
“The TERMS for Zerodium’s contest state that the exploit must allow attackers to remotely and silently install an arbitrary app like Cydia on an iOS 9 device via a webpage attack or text message.”
Samsung has deep pockets too…
Samsung are matching this by offering $1 for any such bugs on Android (Note, only the first million respondents can claim a dollar).
…the exploit must allow attackers to remotely and silently install an arbitrary app like Cydia on an iOS 9 device via a webpage attack or text message.
Does that include installing on jailbroken iOS devices? Does that include malware that uses stolen enterprise security certificates? (The Wirelurker/MacHook attack that Apple refuses to block).
@ derek currie: Jailbroken phones not allowed according to the article. Exploit must be on stock Apple computer without physical access.
Thanks!