For more than a decade, Apple has built a fortress around the iPhone, making iOS devices arguably the most locked-down computers accessible to hundreds of millions of people. They’re so locked down, in fact, that even well-intentioned security researchers have trouble getting the access necessary to dig into their internals. Now Apple is taking an unprecedented step: distributing a more hacker-friendly iPhone to its favorite researchers, letting them hack the phone on “easy mode” in the interests of making it harder for everyone else.
The company is also offering bigger rewards than ever before for hackers who can find and report those vulnerabilities. Its iOS bug bounty will pay out up to $1.5 million for a single attack technique that a researcher discovers and shares discreetly with Apple.
An iPhone for Hackers
At the Black Hat security conference Thursday, Ivan Krstić, Apple’s head of security engineering and architecture, announced a broad revamping of the company’s bug bounty program. It’s now open to all researchers, rather than the current invite-only eligibility; includes not just iOS but macOS and other Apple operating systems; and vastly increases the rewards for certain rare forms of attack, from $100,000 for physical access attacks to bypass an iPhone’s lock screen to an unprecedented $1 million for a remote attack that can gain total, persistent control of a user’s computer without any interaction on the victim’s part.
“People who sell zero days already have what they need. It’s the good guys who want to report bugs to Apple that don’t.”
Will Strafach, Sudo Security Group
But the most unusual aspect of Apple’s approach is that it will now give a custom-made version of the iPhone to certain chosen researchers. These devices will lack some layers of security protections so that their recipients may dig into the deeper, less examined core of the phone. “We want to attract some of the exceptional researchers who have thus far been focusing their time on other platforms. Today many of them tell us they look at our platform and they want to do research but the bar is just too high,” Krstić told the Black Hat audience.
The security research devices, which Apple says it will start distributing next year, will offer users a “root” shell by default, letting researchers run commands on the phone with the highest privileges. They’ll also have debugging abilities that will allow researchers to easily scour the phone’s code for flaws. “We have by far the highest maximum payouts in the industry, and we have the iOS security research device program for exceptional researchers that are new to our platform,” Krstić added.
On top of its $1 million top reward, Apple will also give a 50 percent bonus to researchers who identify flaws in its code when it’s still in beta, before being released to a wider audience beyond developers—bringing its maximum reward for a single attack method to $1.5 million. “The second-best reason to have a bug bounty is to find out about a vulnerability that’s already in the users’ hands and fix it quickly,” Krstić said. “The number one best reason is to find a vulnerability before it ever hits a customer’s hands.”
All of those moves will be a welcome shift for security researchers who have previously been locked out of Apple’s bounty program, or even denied bounties for serious vulnerabilities in Apple software other than iOS. “I think this is great. The bounties are open to everyone, and the prices are way more than I expected,” said Linus Henze, an Apple-focused security researcher who had previously criticized the company for failing to offer a bounty for a macOS password-stealing attack known as Keysteal that Henze revealed earlier this year. Will Strafach, another longtime iOS-focused security researcher, added that it may even incentivize hackers to report bugs to Apple that they might have otherwise sold on the black market, where iOS attacks can often earn seven-figure payouts. “Apple is going to see a surge in new reports,” Strafach said. “Even people who looked at other markets will think ‘Maybe I should just report this to Apple.’”
Apple’s new bounty offerings represent the culmination of a long transformation in the company’s relationship with security researchers. For years, as practically every other major tech firm from Google to Microsoft introduced hefty bug bounties to incentivize friendly security research, Apple remained a stubborn holdout. Only three years ago did it suddenly shift its attitude toward security researchers, offering bounties as high as $200,000 to researchers who revealed some types of vulnerabilities in the iPhone.
But even then, Apple’s bug bounty program remained invite-only, open only to researchers approved by Cupertino. As actual in-the-wild attacks on the iPhone have mounted, the security community has criticized Apple for not opening up further to researchers who might have helped fix its bugs before they could be exploited.
Those friendly researchers have also been stymied by the iPhone’s protections themselves. Thanks to those security measures, any hacking technique that can take over an iPhone requires exploiting a long chain of security flaws. So hunting for those vulnerabilities in the deepest, most sensitive parts of the iPhone—components like its bootloader or kernel—requires that a researcher already have found multiple hackable flaws in other layers of the phone’s software.
As a result, many security researchers—and hackers with more malicious intentions—have sought out so-called “dev-fused” iPhones. Those devices have been stolen from Apple suppliers in China, where they’re intended for factory testing and quality assurance and thus lack many of the protections of a normal iPhone in the hands of consumers. Those black-market bootleg phones, sold for thousands of dollars, offer hackers far more visibility into the deeper guts of the phone without wasting time digging up flaws in its more superficial protections.
By offering its new security research devices, Apple has given security researchers—or at least those in its invite-only program—a legit device that lets them explore the iPhone’s recesses without resorting to the black market. “If I’m not currently interested in Safari but interested in the kernel, right now I need to find a Safari exploit first,” said Henze. “With these security research iPhones, I can skip those steps.”
Apple’s move to hand out hacker-friendly iPhones would be more effective if it expanded the program beyond those invitees, argued Strafach, who hasn’t been part of the company’s invite-only program. “It’s a huge step, but I do think it would be great if there were a bit more wide availability of the devices,” Strafach said. Apple may be concerned that the devices would fall into the wrong hands, resulting in more of its bugs being found by those who would exploit rather than report them. But Strafach noted that the market for dev-fused iPhones means those hackers already have access to more hackable phones. “People who sell zero days already have what they need. It’s the good guys who want to report bugs to Apple that don’t,” he said.
Apple’s expansion of its bug bounty to macOS, as well as tvOS and watchOS, represents an equally significant move for many security researchers. That expansion follows years of criticism from security researchers who have accused Apple of neglecting the bugs in its desktop operating system. Some researchers have gone so far as to publicly release attacks that exploit vulnerabilities in macOS—such as Henze’s Keysteal attack, capable of taking passwords from a Mac’s keychain, and another attack that uses invisible clicks to bypass macOS security prompts—as a kind of protest against Apple’s refusal to pay for those desktop bugs.
But those embarrassments may have helped push the company to expand its bug bounty program. “If you say we’re not sending bugs to Apple anymore, it puts the company in a bad light. The more people who did that, the more Apple had to do something,” Henze said. “And I think that’s at least a part of why they’ve decided to open up.”