Apple hasn’t often made appearances at the Black Hat hacker conference, but this year Cupertino is Thinking Different™ about security. Head of Apple security, Ivan Krstic, today said the company would pay huge (up to $200K) bug bounties to invited researchers who find and report vulnerabilities in certain Apple software.
A quick breakdown of max. payments:
- Secure boot firmware: $200,000
- Extraction of confidential material protected by the Secure Enclave Processor: $100,000
- Execution of arbitrary code w/kernel privs: $50,000
- Unauthorized access to iCloud account data on Apple Servers: $50,000
- Access from a sandboxed process to user data outside of that sandbox: $25,000
Earlier this year, the FBI paid out under $1M to extract the data from the San Bernardino terrorist’s iPhone. Perhaps Apple is trying to eliminate these lucrative back doors into its crown jewel software.
According to that report, the tool the FBI leveraged could be used on any iPhone running iOS 9 and it could still be in the wild, though Apple is said to have requested the vulnerability from the FBI.
With over a billion active devices and in-depth security protections spanning every layer from silicon to software, Apple works to advance the state of the art in mobile security with every release of iOS. We will discuss three iOS security mechanisms in unprecedented technical detail, offering the first public discussion of one of them new to iOS 10.
HomeKit, Auto Unlock and iCloud Keychain are three Apple technologies that handle exceptionally sensitive user data – controlling devices (including locks) in the user’s home, the ability to unlock a user’s Mac from an Apple Watch, and the user’s passwords and credit card information, respectively. We will discuss the cryptographic design and implementation of our novel secure synchronization fabric which moves confidential data between devices without exposing it to Apple, while affording the user the ability to recover data in case of device loss.
Data Protection is the cryptographic system protecting user data on all iOS devices. We will discuss the Secure Enclave Processor present in iPhone 5S and later devices and explain how it enabled a new approach to Data Protection key derivation and brute force rate limiting within a small TCB, making no intermediate or derived keys available to the normal Application Processor.
Traditional browser-based vulnerabilities are becoming harder to exploit due to increasingly sophisticated mitigation techniques. We will discuss a unique JIT hardening mechanism in iOS 10 that makes the iOS Safari JIT a more difficult target.
There are, however, some caveats to the new Apple bounty program. More on the new program below (via CNET):
Maybe if Apple had been paying bounties for major flaws, it could have avoided that scenario, said Rich Mogull, CEO of cybersecurity research company Securosis. But when it comes to really valuable tools for hacking the company’s products, he said, “Apple’s not going to be able to out pay the government or some Russian mafioso who can pay $1 million.”
What the program will do is encourage researchers to go the distance with their findings, Mogull said. Rather than finding a flaw and moving on with their lives, experts will have a reason to prove the flaw could really let hackers in the door. That proof is required before Apple will pay up.
Apple said the bug bounty is meant to acknowledge how difficult it is to find a weakness in its systems. As the company has tightened the security around its products with encryption, which scrambles up user data, and continues to tightly control its software in general, the challenge of breaking that security has become greater.
The payouts will depend on where the flaw is found, and the program won’t initially be open to just any old hacker, Apple said. When it launches in September, the program will include a few dozen security researchers the iPhone maker has previously worked with. But if a researcher outside that group finds a high-value flaw, Apple said, it will consider paying him or her as well.
“It’s not meant to be any kind of exclusive club,” Krstic said.