Is Apple opening up?
From a cybersecurity perspective, it appears so. Later this week, at the Black Hat security conference in Las Vegas, Apple is to announce plans to give security researchers special iPhones that will make it easier for them to find weaknesses in the smartphone, Forbes has learned. It'll also be announcing an Apple Mac bounty, so anyone who can find security issues in macOS will get rewarded, sources claimed. Apple declined to comment.
The iPhones will be given to the rock star hackers that participate in the Cupertino company's invitation-only bug bounty program, where participants disclose bugs in Apple products in return for monetary rewards. The payments can go as high as $200,000, as announced at the 2016 Black Hat conference.
What makes these iPhones special? One source with knowledge of the Apple announcement said they would essentially be "dev devices." Think of them as iPhones that allow the user to do a lot more than they could on a traditionally locked-down iPhone. For instance, it should be possible to probe pieces of the Apple operating system that aren't easily accessible on a commercial iPhone. In particular, the special devices could allow hackers to stop the processor and inspect memory for vulnerabilities. This would allow them to see what happens at the code level when they attempt an attack on iOS code.
But they won't be the exact same as the iPhones Apple's internal staff use. They're going to be "lite" versions, without the same level of openness as enjoyed by Apple's security team, one source said. For instance, it's unlikely Apple will let the hackers decrypt the iPhone firmware, the software that underpins much of the device's functionality.
Outside of trying to boost iPhone security, the move could also be a reaction to leaks of dev devices, which have subsequently been sold on the black market. They've proven useful to hackers over recent years, according to a Vice Motherboard report. Though this latest strategy could increase the chance of iPhone dev devices leaking, Apple vets the people on its bounty program and will likely still maintain some control over the dev phones. The announcement could equally be seen as the tech giant trying to counter those underground sales.
Apple Mac bug bounty 'a no brainer'
As for the Apple Mac bug bounty, it's not known whether similar prizes will be on offer, but it's something security researchers have been calling on the Cupertino giant to deliver. In February, 18-year-old Linus Henze found a bug in macOS that allowed him to spy on passwords in the Keychain, but declined to provide Apple with details due to the lack of payment.
"If you're a large, well-resourced company such as Apple, who claims to place a premium on security, having a bug-bounty program is a no brainer," said Patrick Wardle, principal security researcher at Jamf, who has found numerous issues in macOS.
"Such a program highly encourages talented external security researchers to audit Apple's hardware and software products, which will result in many vulnerabilities being uncovered and reported to Apple.
"End result: Apple's products will become largely more secure. Sure this is a win for Apple, but ultimately this is a huge win for Apple's end users."
No more detail on the new security programs was forthcoming and Apple didn't respond to multiple requests for comment.
More information is likely to land on Thursday, when Apple's head of security and engineering, Ivan Krstić, gives his Black Hat talk entitled "Behind the Scenes of iOS and Mac Security." He's promising "unprecedented technical detail" on iPhone and Apple Mac security.