LAS VEGAS—Apple (AAPL) prides itself on the security of its mobile devices, but a presentation Wednesday at the Black Hat security conference revealed that critical vulnerabilities in the iPhone’s iOS operating system had left it open to remote attacks that did not require a single tap or swipe by the targeted user.
A “zero-day” vulnerability, which is a flaw that a company has no idea existed, that requires zero interaction by the target is nightmare fuel in information-security circles. And Apple only learned of this issue—reportedly already exploited by such state actors as the United Arab Emirates—because of research by one of its biggest rivals: Google (GOOG, GOOGL).
A day later at Black Hat, Apple announced a major expansion of the bug bounty program through which it pays rewards to researchers who disclose unfixed vulnerabilities. That one of the most closed tech giants in America is opening its doors to outside security help is a major advance, and something Apple’s customers should welcome.
In Wednesday’s presentation, Natalie Silvanovich, a researcher with the Project Zero bug-hunting effort Google launched in 2014, explained how she and colleagues sought to confirm persistent rumors of serious iOS vulnerabilities.
The subsequent work unearthed 10 flaws, some allowing remote access without interaction by the user, in such messaging components as visual voicemail and iMessage.
"These are basically bugs that anyone can use from anywhere to attack anyone,” Silvanovich said.
She demoed two during her presentation, one that allowed an attacker to copy an image from the target iPhone and another that resulted in the attacker opening the Calculator app on the attacked iPhone.
The Calculator’s display showed 1,337—hacker shorthand for “elite”--as the audience applauded in appreciation.
Right after the talk, Project Zero’s blog added a detailed report from Silvanovich breaking down these findings. The good news: Apple has already fixed all 10, with credit given to Project Zero in the security release notes for the iOS 12.4 update that should already have reached your iPhone. The bad: Many of these bugs resulted from iOS features that didn’t benefit customers.
“The majority of vulnerabilities occurred in iMessage due to its broad and difficult to enumerate attack surface,” the post read. “Most of this attack surface is not part of normal use, and does not have any benefit to users.”
In fewer words: Complexity kills.
Bug bounty 2.0
A talk Thursday by an Apple security expert did not address Silvanovich’s findings but did show Apple dramatically expand its bug-bounty program. Security-engineering head Ivan Krstić told a packed auditorium: “We'd like to take this further.”
Unlike the vulnerability-reporting rewards Apple announced at this event three years ago, the program coming this fall covers all of Apple’s operating systems and is open to all security researchers, not just a subset of Apple-anointed experts. And its payouts for documented vulnerabilities in shipping software will ascend as high as $1 million.
Apple’s expanded regime will pay for Mac bugs as well as iPhone and iPad vulnerabilities and will also cover the Apple TV’s tvOS and the Apple Watch’s watchOS.
That million-dollar reward will require documentation of a remote attack that requires zero user interaction and gains persistent, system-wide control. Less dangerous vulnerabilities will earn less; for example, the peak payout for a lock-screen bypass is $100,000.
Krstić said Apple will offer 50% more for vulnerabilities found in test versions of unreleased software. “The number one reason to have a bounty is to find a vulnerability before it ever hits customers' hands,” he said.
Krstić also announced that Apple will provide “research platform” iPhones for security researchers starting next year that will allow closer inspection of Apple’s software and hardware.
Bug bounties aren’t magic dust
Kurt Opsahl, deputy executive director and general counsel of the Electronic Frontier Foundation, said after Krstić’s talk that Apple had been “late to the party” with its earlier, cautious program and commended this expansion of it.
He added that Apple’s rewards now approach what the worst vulnerabilities command on bug black markets.
Another security expert, however, worried about possible unintended consequences of such a generous lure.
“For one, the offense prices will simply increase as a direct result,” emailed Katie Moussouris, CEO of Luta Security who earlier created the first vulnerability-disclosure program for Microsoft (MSFT). “For another, this may be enough of an incentive for insiders to collude with outsiders.”
But in an effort that fundamentally lacks an end, more eyes on the problem can only help. As the EFF’s Opsahl put it, “I believe that Apple has a very good security team, but any complex system is extremely hard to secure.”