New iPhone is hacked: Anonymous researchers win $1 million challenge [trunc]

UK Daily Mail ^ | 03/11/2015 | Sarah Griffith

[Moltke]

Apple products are commonly considered to be relatively secure, but researchers claim to have found a way of remotely controlling a new iPhone running the latest operating system.

Before you panic that your handset may be infiltrated, however, the hack was part of a challenge set to demonstrate it is possible to remotely jailbreak an iPhone or iPad running iOS 9.1, rather than a criminal activity.

An anonymous hacker or team of hackers, has been rewarded with $1 million by security start-up Zerodium for their efforts.

[Moltke]

I thought this was supposed to take trillions and trillions of years, not 4 weeks.

[MarchonDC09122009]

Apple iPhone superiority PING ;n)

[i_robot73]

It appears, the Sony PS3 has been the longest hack hold-out, in my recollection. That took ~2 yrs. before being broken.

I’m sure, with the NSA back-door, the iPhone was child’s play compared /s

[PA-RIVER]

Gay phone has Back door.

[Scrambler Bob]

Now, now. Tolerance, remember.

[Flick Lives]

42 paragraphs into the article...

Bekrar said Zerodium is testing the vulnerabilities to make sure the exploit meets the competition rules, meaning the prize money has yet to be paid.

So it's a million dollar prize, but it's not been paid, and likely never will.

[Paco]

Imagine that. Came in through the browser or text message. What a surprise /s.

[ctdonath2]

Well, you might expect that a 7-digit reward would be subject to appropriate validation of the submission.
Considering the effort that likely went into the attempt, and the motivation to ensure it’s paid, I expect it will be paid. (If YOU worked hard to win a million-dollar prize, I’m sure you’d see to it you were paid.) Kneecaps come to mind as a motivational subject.

[Swordmaker]

Someone is claiming to have found a way to remotely jailbreak an iOS 9.1 device. . . however, since this exploit requires browsing to a specific website, downloading a specific file, or triggering a specific WEB BASED event, it still requires user involvement. At most, this is merely a means of jailbreaking iOS 9.

What this is NOT, is that it is NOT a way of breaking into an iOS device without cooperation of the user or socially engineering the user into navigating to a malicious website.

It does NOT break into an iPhone or iPad without the cooperation of the user, nor can a person without the passcode get into the iPhone or iPad get into someone's data by stealing their device and somehow using this exploit to break into it after the theft. It does NOT get around the encryption of the device. That would not work.

This reward from Zerodium is NOT the reward that is still being offered by The Hacker Team, which is the professional organization that sells tools to law enforcement organizations including the NSA, CIA, FBI, etc, to allow them to break into mobile devices, to also allow them to break into an iOS device in hand to access a locked iOS device, which is something they currently do not have the capability to accomplish. — PING!

Apple iOS Security
Ping!

The Latest Apple/Mac/iOS Pings can be found by searching Keyword “ApplePingList” on Freerepublic’s Search.

If you want on or off the Mac Ping List, Freepmail me.

[Swordmaker]

I thought this was supposed to take trillions and trillions of years, not 4 weeks.

This is not the same thing at all, Moltke. This does not crack the encryption of iOS devices or iCloud files. This is merely a jailbreaking of iOS devices that still requires the cooperation of a user who already has access to the device to either do it deliberately, or to be tricked into navigating to a malicious website which includes malicious code which will be executed in the browser. This will be blocked fairly quickly from working. It does NOT, in any way, decrypt the 256 bit AES encrypted files, because it cannot. If the user either deliberately or through trickery allows the bad guys access, does not mean they've broken the encryption.

[Swordmaker]

I’m sure, with the NSA back-door, the iPhone was child’s play compared /s

There is no back door. . . even this requires cooperation of the user, either deliberately or through social engineering. At best it will be a Trojan. . . and the vulnerability in both Chrome and Safari will be closed quickly.

[Moltke]

Duly noted!

[Swordmaker]

Imagine that. Came in through the browser or text message. What a surprise /s.

No, it is ONLY a browser exploit in Chrome and/or Safari. There was nothing said about any "text message" in the article. Sorry, please try to be accurate, Paco. This is also not an actual security hole that allows someone to break into the iOS device without some cooperation or involvement by the user, whether voluntarily or involuntarily. In other words, no one could walk up, pick up someone's iPhone or iPad and use this vulnerability to break into it from scratch. They would STILL need to know the user's passcode to first get into the device. . . which is the first line of defense and the most difficult to overcome.

That being said, if the attacker could somehow influence the user to navigate to a malicious website with this exploit on it, the attacker can remotely jailbreak the iOS device using either Chrome or Safari browsers, at which point The Hacker Team DOES sell the a tool to the NSA, CIA, FBI, and other professional law enforcement agencies, that WILL break into a jailbroken iOS device. However, Paco, it will NOT decrypt any files on that device, because it still will not have the key to do so. That still requires the user's passcode. . . and that is not kept on the device at all. All that gets them is into the iPhone or iPad with the ability to use the apps, but no access to data. Whoop-de-do.

[dayglored]

Ah, Swordmaker, Swordmaker...

It's not about FACTS, those silly, pesky TRUE things....

It's about WEB PAGE HITS and the HEADLINES with "APPLE" and "IPHONE" and "HACK" in them.

What is pale, thin TRUTH compared to a HEADLINE that brings in PAGE HITS???

I applaud your brave efforts to bring understanding and truth to this fray.

[Swordmaker]

What is pale, thin TRUTH compared to a HEADLINE that brings in PAGE HITS???

I applaud your brave efforts to bring understanding and truth to this fray.

So true. Thanks for the applause in what is more and more seeming like an empty auditorium. . .