Apple is reportedly set to provide security researchers with unique iPhone models that would allow them to more easily find weaknesses in iOS. Forbes reports that Apple will make this announcement at the Black Hat security conference later this week.
According to the report, the iPhones will be given to security researchers that participate in Apple’s invite-only bug bounty program. Through this program, researchers are rewarded for the iOS bugs they disclose to Apple. Apple first promised the availability of such iPhones in 2016.
What would be different about these iPhones compared to consumer models?
One source with knowledge of the Apple announcement said they would essentially be “dev devices.” Think of them as iPhones that allow the user to do a lot more than they could on a traditionally locked-down iPhone. For instance, it should be possible to probe pieces of the Apple operating system that aren’t easily accessible on a commercial iPhone. In particular, the special devices could allow hackers to stop the processor and inspect memory for vulnerabilities.
Despite that level of openness, these iPhones won’t be quite as unlocked as the devices seeded to internal Apple developers and members of its security team. For example, security researchers using these devices will likely not be able to decrypt iPhone firmware.
This program might also reduce the number of leaked developer devices, which have often been sold on the black market.
Elsewhere, the report claims that Apple is also set to launch a Mac bounty program. This would be similar to the iOS bug bounty, and reward security researchers for the vulnerabilities they discover in macOS.
Back in February, a security researcher detailed a macOS exploit to access Keychain passwords, but refused to share details with Apple due to its lack of a bug bounty program for macOS. Ultimately the researcher did share details of the vulnerability with Apple, despite the company not having publicly announced a bug bounty program.
We’ll likely learn more about both Apple’s new pre-jailbroken device program and the macOS bug bounty at the Black Hat conference this week. Apple’s head of security and engineering, Ivan Krstić, is set to give a talk on Thursday.