As millions of jailbreak enthusiasts wait expectantly for Team Pangu to release the iOS 10.3.1 jailbreak that it teased at the end of April, it appears that nothing is going to come after all. This despite the fact that Pangu actually did get through the hardware-level Kernel Patch Protection on iPhone 7, and did have a proof of concept of the exploit, which it showcased at the Janus Mobile Security Threat Data Conference. Hence the name “Janus” adopted by the jailbreak itself.
However, a strong rumor reared its ugly head earlier this month that Pangu had sold the exploit to Apple for a whopping $1.25 million. Could it be true? What are the implications for jailbreaking if it is true?
Let’s try to break it down to see what might have happened.
First of all, it’s true that Pangu did showcase the exploit at the conference. We know that from the images posted on a Weibo account of a well-known security expert by the name of Min Zheng. So an iOS 10.3.1 jailbreak on an iPhone 7 was showcased. Let’s take that as a given, so we have a starting point.
The problem is, Pangu never actually said – nor did anyone actually connected with the event – that an iOS 10.3 – iOS 10.3.1 jailbreak tool would be released to the public. That claim appears to have been spread by another Weibo user, who said this (translated by Google Translate):
“@ PanguTeam is planning to release iOS 10.3.1 jailbreak tool (named Janus), personal guess will 10.3.2 release after the official release.”
And it was accompanied by this image:
There was also this video that made its rounds:
But that brings us to the second point, and the all-important question: if Pangu did have a working iOS 10.3.1 jailbreak that included iPhone 7, why didn’t they release it? In fact, it’s three days since iOS 10.3.2 came out and they are still silent.
This is where the bounty rumor comes into the picture. But $1.25 million? That’s a little hard to believe. Security researcher and (former) jailbreak expert Luca Todesco, who developed and released the Yalu102 jailbreak, had something to say about that as well.
If Apple was buying jailbreaks at 1.25m$ I’d be a very rich man
— qwertyoruiop (@qwertyoruiopz) May 1, 2017
In the ensuing comment thread, Todesco repeatedly emphasizes the fact that Apple wouldn’t pay that kind of money for an exploit.
Another point that goes against the argument of the $1.25 million “jailbreak sale” to Apple is the fact that the company capped its payout at $200,000. While companies like Zerodium are advertising to pay up to $1.5 million for zero-day exploits for iOS, it would have to be an extremely critical vulnerability for Apple to be willing to go anywhere near that figure. In fact, Zerodium has been offering this amount for a while, but Apple still chose to cap their bounty payout at $200,000.
But if Pangu was, in fact, paid that much by Apple Inc., that can only mean one thing: there’s more here than meets the eye.
If Apple did pay that much, then Pangu could actually be bound by contract for a much longer term – to reveal any and all future iOS vulnerabilities to Apple, and NOT release any exploits based on those flaws as jailbreaks. Apple would be willing to pay far more than $1.25 million if they could get Pangu to retire from the jailbreaking game.
Such an offer might have persuaded Pangu to take a serious look. We have to realize the fact that Pangu is a lot more mature than when it first started out:
“Pangu Lab’s current research focuses on mobile security. Team Pangu is known for its multiple releases of untethered jailbreak tools for iOS 7, iOS 8, and iOS 9. Team Pangu was also the first to jailbreak iOS 8 and iOS 9 in the world. Besides iOS, Pangu Lab also made great progress in Android security research, and developed various products for discovering vulnerabilities in Android apps, detecting malicious Android apps, and mining mobile threat information.” – MOSEC 2017 Home Page (MOSEC is the mobile security conference that Pangu and PoC have co-hosted for the past two years, since 2015)
Pangu is big, and it’s an organization now rather than a team of maverick security researchers who broke into iOS 7, iOS 8 and iOS 9 several times. Now they’ve done it with iOS 10, and they want to build a future on it rather than releasing it to the jailbreak community.
The entire “Pangu will release its iOS 10.3.1 jailbreak the week after iOS 10.3.2 is released to the public” story might well have been a massive hoax, like we covered in a recent article. But, perhaps, it was never Pangu’s intention to fool the public.
They’re still committed to jailbreaking, that’s a given. But moving forward, it looks like they’re going to do it to sustain their business and their security research efforts rather than release it for free to the jailbreak community.
There’s absolutely nothing wrong with that. The only problem is, it is likely to slowly kill off mainstream jailbreaking.
None of the older hackers and hacker teams for iOS jailbreaks are actively pursuing 0-Day exploits for the purpose of releasing a jailbreak, and Pangu was the last hope for the jailbreaking community. Now that they appear to have switched sides and gone over to Apple’s walled garden, we aren’t likely to see any more jailbreaks from them.
For a company like Apple, $1.25 million is “chump change” if they can secure iOS from at least one direction of attack – and Pangu has been a force to reckon with during the past several years. In fact, it’s an extremely good bargain even if they’ve agreed to pay $1.25 million for every future exploit that Pangu comes up with for iOS. Apple already spends millions on security and privacy, and jailbreaking has been a thorn in its side for the longest time. Paying that much for a hardware-level exploit is hardly going to dent their books, if what they got in return was a permanent fix for one particularly painful hacker team.
As for Pangu, rather than look at it from the “sell out” angle, we need to respect their decision not to release any more jailbreaks, if that’s their choice. They’re not obligated to anyone to do that. But they could now be obligated to Apple to not release any more, contractually speaking.
That said, there’s still one unanswered question: if it’s about the money, then why didn’t they just sell it to Zerodium and collect the higher amount of $1.5 million?
That’s where we think the $1.25 million is inaccurate. It’s quite possible that this is merely the first “tranche” of payments for a series of future zero-day exploits to come.
Here’s a loose analogy that might help explain this:
Imagine that a bank robber has been repeatedly successful in breaking into a particular bank’s vault. Now, another bank robber comes to him and says “hey, I’ll pay you X dollars if you show me the next vulnerability you find.”
At the same time, the bank itself approaches the first bank robber and says “Hey, you’re managing to break into our vault every time we upgrade it with new security features, so why don’t you come work for us and help us fix those flaws rather than putting them out for free or selling it to someone else? We’ll pay you a little less than what that other bank robber is offering you, but we’ll pay you more each time you find a flaw in our latest vault. Do we have a deal?”
If you were the head of Pangu and you had a business to sustain, which option would you pick – free jailbreaks for all, sell to the bank robber for a one-time fee, or go work for the bank and secure your company’s future?
And that’s why, if all of this is true, you have to respect Pangu’s position. They’re not doing Internet hoaxes just to get publicity – they don’t need it. What they need is a business model that brings in money to feed those highly experienced security professionals that they’ve painstakingly put together over several years.
And when the dust settles, this is what the jailbreaking community is left with: a jailbreak for iOS 10.3 or iOS 10.3.1 may never come from Team Pangu, another jailbreak coming from anywhere else is an extremely slim possibility, and Apple could have effectively choked off the oxygen supply to jailbreaking efforts from all the top hackers, Pangu possibly being the last team they had to deal with for now.
That seems to be the hard reality of things as they stand. No more jailbreaks, certainly not from Team Pangu, and an extremely slim – almost negligible – chance that we’ll ever see a jailbreak for iOS 10.3 or any future iOS version.
Will we be proved wrong and see an iOS 10.3.1 jailbreak from Pangu, after all?