Apple products have a reputation for having fewer security problems than just about any other consumer electronics. And that's a deserved reputation, although an increasing number of security holes have been found over the last few years, with five times as much Mac malware detected this year.
In fact, Apple's security is so tough that it can take hackers a long time to find bugs, so most of them concentrate elsewhere. That's why a new company called Zerodium offered a $1 million bounty payable to any hacker or security group that could remotely crack an iPhone running the newest versions of iOS. And someone did.
It was already known that iOS 9 was vulnerable to jailbreaking, which is taking full control of the operating system to run unapproved apps. Every version of iOS has been jailbroken at some point.
However, to do it, you have to have full access to the gadget. Doing a remote jailbreak so you can then install malicious viruses is a completely different story. It requires multiple security flaws to make it work.
In fact, speaking to Motherboard, Zerodium founder Chaouki Bekrar said that at least two teams were working on the problem for weeks and both got stuck at the same spot. However, one of them finally figured it out and submitted a hack just hours before the deadline.
Using the hack, a hacker could trigger a remote jailbreak, and then install spying apps. That would let a hacker pull phone records, text messages, location information, browsing history and just about anything else they wanted.
Zerodium still has to verify that the hack works before paying the $1 million, and some security experts are skeptical the payout is going to happen. Whether or not Zerodium pays the bounty is a problem for the team that submitted the bug, however. There's a bigger problem for everyone else.
Zerodium is one of the many companies that find security flaws and sell them to the highest bidder or to regular customers. That means it isn't going to help Apple fix the flaw. Instead, it's going to sell the hack to a government that's going to use it for spying.
For a remote hack into any new iPhone or iPad, it can probably make millions, even if the hack is only good for "a few weeks to a few months." Bekrar says that Apple will probably end up patching some of the flaws the hack requires, just in the course of making the operating system more secure.
The only information Bekrar would reveal at this point is that the hack required the gadget user to be running the Chrome browser app. If you're really worried, you might use the default Safari app for browsing instead.
Of course, this is a very targeted hack, which means any government that does get it isn't going to use it against average citizens. It isn't anything like the StingRay, for example.