Apple's New iPhone Rewards Hackers for Bugs
At last year's Black Hat hacker conference in Las Vegas, Apple announced that it would be releasing hackable iPhones to help security researchers investigate the smartphones for vulnerabilities.
Almost exactly a year later, the hackable iPhone has been released by Apple's Security Research Device (SRD) program. While some have lauded Apple for their commitment to the security of their devices, others aren't quite so happy.
What is Apple's 'Security Research Device'?
Apple has long been known for keeping its devices secure and refusing to even open them up to the FBI. While that is great for consumers, because it means they have a very secure phone, it has made it difficult for security researchers to analyze the iconic smartphone for vulnerabilities.
Now a lucky few will be able to get an in-depth look at iOS at the code level. Forbes reports that, with the July 22 launch of its SRD program, Apple is shipping what it has dubbed "security research devices" (SRDs), which the company says come "with unique code execution and containment policies."
In order to gain access to one of these devices, an applicant has to be enrolled in the Apple Developer Program and be able to prove a track record of security issue discovery.
Anyone who is accepted will essentially be loaned an SRD for 12 months, which will only be for use within a strictly controlled security setting.
While allowing researchers to delve into iOS code in search of vulnerabilities like never before, Apple's SRD program has unfortunately courted controversy due to restrictions the company has imposed on any researchers that find said vulnerabilities.
"If you use the SRD to find, test, validate, verify, or confirm a vulnerability, you must promptly report it to Apple and, if the bug is in third-party code, to the appropriate third party," the requirements state.
That's not the issue though. The problem, according to several commenters, is what follows:
Once the vulnerability is reported, "Apple will provide you with a publication date (usually the date on which Apple releases the update to resolve the issue)" and will "work in good faith" to resolve the flagged vulnerability as soon as possible. The restrictions prevent researchers from talking to the press before that publication date.
This restriction seems to have been tailored so as to exclude some well-known security researchers who use a 90-day policy for their announcements. Ben Hawkes, Google's Project Zero technical lead, took to Twitter to say the following:
It looks like we won't be able to use the Apple "Security Research Device" due to the vulnerability disclosure restrictions, which seem specifically designed to exclude Project Zero and other researchers who use a 90 day policy.
Ben Hawkes (@benhawkes), July 22, 2020
While Apple is allowing unprecedented access to its iOS system with its hackable iPhones, some argue that their SRD program won't be beneficial due to overly tight restrictions on security researchers that are part of the program.