Apple Gives Hackers a Special iPhone—And a Bigger Bug Bounty

Wired 08 Aug 2019 09:57

For more than a decade, Apple has built a fortress around the iPhone, making iOS devices arguably the most locked-down computers accessible to hundreds of millions of people. They're so locked down, in fact, that even well-intentioned security researchers have trouble getting the access necessary to dig into their internals. Now Apple is taking an unprecedented step: distributing a more hacker-friendly iPhone to its favorite researchers, letting them hack the phone on "easy mode" in the interests of making it harder for everyone else.

The company is also offering bigger rewards than ever before for hackers who can find and report those vulnerabilities. Its iOS bug bounty will pay out up to $1.5 million for a single attack technique that a researcher discovers and shares discreetly with Apple.

An iPhone for Hackers

At the Black Hat security conference Thursday, Ivan Krstić, Apple's head of security engineering and architecture, announced a broad revamping of the company's bug bounty program. It's now open to all researchers, rather than the current invite-only eligibility; includes not just iOS but macOS and other Apple operating systems; and vastly increases the rewards for certain rare forms of attack, from $100,000 for physical access attacks to bypass an iPhone's lock screen to an unprecedented $1 million for a remote attack that can gain total, persistent control of a user's computer without any interaction on the victim's part.

"People who sell zero days already have what they need. It's the good guys who want to report bugs to Apple that don't."

Will Strafach, Sudo Security Group

But the most unusual aspect of Apple's approach is that it will now give a custom-made version of the iPhone to certain chosen researchers. These devices will lack some layers of security protections so that their recipients may dig into the deeper, less examined core of the phone. "We want to attract some of the exceptional researchers who have thus far been focusing their time on other platforms. Today many of them tell us they look at our platform and they want to do research but the bar is just too high," Krstić told the Black Hat audience.

The security research devices, which Apple says it will start distributing next year, will offer users a "root" shell by default, letting researchers run commands on the phone with the highest privileges. They'll also have debugging abilities that will allow researchers to easily scour the phone's code for flaws. "We have by far the highest maximum payouts in the industry, and we have the iOS security research device program for exceptional researchers that are new to our platform," Krstić added.

On top of its $1 million top reward, Apple will also give a 50 percent bonus to researchers who identify flaws in its code when it's still in beta, before being released to a wider audience beyond developers—bringing its maximum reward for a single attack method to $1.5 million. "The second-best reason to have a bug bounty is to find out about a vulnerability that’s already in the users’ hands and fix it quickly," Krstić said. "The number one best reason is to find a vulnerability before it ever hits a customer’s hands."

All of those moves will be a welcome shift for security researchers who have previously been locked out of Apple's bounty program, or even denied bounties for serious vulnerabilities in Apple software other than iOS. "I think this is great. The bounties are open to everyone, and the prices are way more than I expected," said Linus Henze, an Apple-focused security researcher who had previously criticized the company for failing to offer a bounty for a macOS password-stealing attack known as Keysteal that Henze revealed earlier this year. Will Strafach, another longtime iOS-focused security researcher, added that it may even incentivize hackers to report bugs to Apple that they might have otherwise sold on the black market, where iOS attacks can often earn seven-figure payouts. "Apple is going to see a surge in new reports," Strafach said. "Even people who looked at other markets will think 'Maybe I should just report this to Apple.'"

Rocky Road

Apple's new bounty offerings represent the culmination of a long transformation in the company's relationship with security researchers. For years, as practically every other major tech firm from Google to Microsoft introduced hefty bug bounties to incentivize friendly security research, Apple remained a stubborn holdout. Only three years ago did it suddenly shift its attitude toward security researchers, offering bounties as high as $200,000 to researchers who revealed some types of vulnerabilities in the iPhone.