Naked Security

Apple will hand out unlocked iPhones to vetted researchers

It formalizes the reality: "pre-jailbroken" iPhones were already on the black market.

It’s been called an iPhone jailbreaker’s golden egg: a so-called “dev-fused” iPhone created for internal use at Apple in order to extract and study the Secure Enclave Processor (SEP).

That golden yolk of a processor handles data encryption on the device that oh so many law enforcement and hacker types spend so much time, respectively, complaining about or cracking for fun, fame and profit.

Those rare, developer-only, “pre-jailbroken” iPhones have many security features disabled – a convenient feature for researchers looking to see how they tick and to discover iPhone zero days, which can be worth millions of dollars.

Well, here’s some good news for a select group of researchers: at the Black Hat 2019 security conference on Thursday, Apple’s head of security, Ivan Krstic, unveiled a new program through which the company is offering some form of pre-dev iPhones, specifically for security researchers.

CNet quoted Krstic:

This is an unprecedented, fully Apple-supported iOS security research platform.

As CNet reports, Apple is calling it the iOS Security Research Device Program. The program will launch next year.

Apple’s only handing out a limited number of the iPhones, and only to qualified researchers.

These are not exactly like the phones that Apple gives its own security researchers. They’re going to come with what Krstic said are advanced debugging capabilities, but they won’t be as wide open as the jailbroken phones that Apple insiders use, or that sometimes wind up on the black market: iPhones that either haven’t completed the production process or have been reverted to a development state.

Krstic said that the iPhones, while not being that open, will still provide ample details that can be used to hunt for vulnerabilities.

Sources told Forbes that one of the things that may make these iPhones a “lite” version of the jailbroken pre-dev phones is that Apple is unlikely to let researchers decrypt the iPhone’s firmware.

The vetted researchers who wind up getting their hands on one of the phones will, however, be able to do a whole lot more than they could with the commercially available version of Apple’s famously locked-down operating system. Forbes’s sources told the publication that one possible feature would be the ability to stop the phone’s processor and inspect memory for vulnerabilities, enabling researchers to see what’s going on at the code level when they attempt an attack.

This might not just be about boosting iPhone security. This could be an attempt to stem the black market trade in dev-fused iPhones: a market that came to light after Motherboard conducted a months-long investigation into how security researcher Mathew Solnik (presumably) got his hands on a dev-fused phone. Motherboard’s curiosity had been piqued after Solnik teased his 2016 Black Hat talk by tweeting a screenshot of a terminal window that showed that he’d obtained the SEP firmware. Motherboard’s sources had said that Solnik must have gotten a dev-fused iPhone to get at the SEP.

In other bug-hunting news

Speaking of very valuable bugs, also on Thursday, Apple announced that it’s now offering up to $1 million for a vulnerability that’s persistent, can get kernel code execution, and doesn’t require victims to click on anything.

It’s about time.

For quite a while, Apple ran an invitation-only bug bounty program for iOS, but not for Mac OS. It was a baffling approach to bugs, and one that miffed German bug hunter Linus Henze, who received no reward from Apple when he found, and published, a proof of concept he called KeySteal. KeySteal was a zero-day bug that could be exploited by attackers using a malicious app to drain passwords out of Apple’s Keychain password manager.

Henze initially refused to give Apple bug details, in protest of the company’s invite-only/iOS-only bounties. He eventually relented because, as he said, he cared about the security of macOS users.

This is a no-brainer. Mårten Mickos, CEO of bug bounty program platform HackerOne, says that it will garner attention and respect from ethical hackers:

Apple is known for its solid security practices. Increasing the bug bounties and broadening the scope is a natural step in strengthening their security posture and making it attractive for security researchers to spend time looking for vulnerabilities in Apple’s products (essentially their operating systems). Across the industry, we consistently see more engagement from ethical hackers when higher bounties are offered.

Getting on the million-dollar bandwagon

After all, when Apple isn’t handing out $1m bills, others step in to do the job and grab the goodies.

In 2015, a company called Zerodium offered up to $3,000,000 for iOS 9 jailbreak exploits. Within weeks, it reportedly paid $1,000,000 to a team that accomplished one of the remote browser-based iOS 9.1/9.2b jailbreaks that Zerodium wanted to buy.

Then, in August 2016, exploit broker Exodus Intelligence offered 2.5 times the bounty ($500,000 for major exploits in iOS 9.3 and above) that Apple was promising (up to $200,000) for serious iOS bugs.

Now, macOS bugs are up there in the seven-figure range for bug hunters. Good!

Kudos to Linus Henze for calling out this discrepancy: he made the right choice in the end by giving Apple details of his KeySteal attack, but at the same time, he managed to call attention to the puzzling lack of a bug bounty program for one of the world’s most ubiquitous operating systems.