For many years, Apple practiced “security by obscurity” for its products and operating systems, following the somewhat outdated belief that keeping as many technical details as it can close to the vest was the best way to ensure the security of its products. In more recent years, however, Apple has been slowly embracing the hacker community, joining other tech giants in offering a bug bounty program, and encouraging elite hackers to track down — and disclose — security flaws in its desktop and mobile operating systems.
While there’s no doubt that Apple’s been late to the game here compared to many other tech companies, and also still seems to insist on doing things in a less open manner, the argument can be made that any move toward greater transparency is a positive one for improving security. Now it appears that Apple is going even further to empower hackers to help stress-test its security by providing them with specialized tools.
A new report in Forbes reveals that Apple is planning to announce a new program at this week’s Black Hat security conference in Las Vegas where it will give select security researchers special “pre-jailbroken” iPhones to make it easier for them to find weaknesses in the iPhone hardware and iOS operating system.
As we explained earlier this year, security researchers have actually been using special “dev-fused” iPhones for a while now. An in-depth investigative report by Motherboard revealed a thriving black market for these specialized iPhones that are normally only used internally by Apple’s engineering and security teams. The iPhones are essentially “pre-jailbroken,” meaning that they don’t have many of the security features enabled that typically lock down iPhones, making it easier for hackers and researchers to poke around and discover vulnerabilities.
Up until now, however, it’s been hard for a researcher to get their hands on one of these “dev-fused” iPhones, since they’re not legitimately released by Apple, but rather stolen and smuggled out of Apple’s supply chain, along with other specialized cables that are needed to hook them up. However, according to Motherboard, they’re widely used by both malicious hackers and legitimate security researchers.
Apple obviously isn’t going to want to legitimize the theft of pre-production devices — in fact it works very hard to close these kinds of holes — but it also has to acknowledge that many of the security vulnerabilities that have been discovered recently have come from those with access to these kinds of tools, and that if it wants to continue leading the pack as the most secure mobile operating system available, it’s going to have to continue to embrace and empower the hacker community.
Of course, on the flip side, this will also help to dry up some of the demand for black market sales of dev devices, although since Apple only plans to provide these special iPhones to those elite hackers who have been invited into its program, it will probably only have a minimal impact, at best. However, it will also allow Apple to more effectively crack down on that underground pipeline, blocking access to these devices to malicious hackers without crippling legitimate researchers.
A Mac Bounty
When Apple unveiled its first bug bounty program three years ago, it was limited solely to bugs found in Apple’s mobile iOS operating system. According to the Forbes report, however, Apple has now decided that it’s time to open this up to macOS as well — an odd omission that security researchers have been calling on Apple to address for a while now.
If you’re a large, well-resourced company such as Apple, who claims to place a premium on security, having a bug-bounty program is a no brainer.Patrick Wardle, principal security researcher at Jamf
The lack of a bug bounty program has probably cost Apple some of the Mac security it could have otherwise been enjoying, since researchers have less of an incentive to disclose security flaws found in the macOS operating system. For example, earlier this year, an 18-year-old hacker found a serious macOS Keychain bug, but declined to provide information about the exploit to Apple since there was no financial benefit to doing so.
A Mac bug bounty should help Apple to make all of its products more secure, which is especially critical considering the many points of intersection between macOS and iOS — things like Handoff, iCloud Keychain, Apple Pay, and Apple Watch authentication, to name a few.
Apple has not commented on these reports, although its head of security and engineering, Ivan Krstić, is scheduled to once again take the stage at the Black Hat conference on Thursday to give a talk titled Behind the Scenes of iOS and Mac Security, where he’s promising “unprecedented technical details” so it seems that we won’t have to wait long to hear an official announcement of Apple’s latest security initiatives.