Apple announces a new iPhone (and you can’t have it)

Apple has announced a new iPhone for 2020, but it will only be made available to a select group of security researchers – along with huge bounties to anyone alerting the company to a new OS vulnerability.

Probably the world’s most exclusive iPhone

Ivan Krstić, Apple’s head of security engineering, provided big insights into Apple’s platform security during his presentation at Black Hat U.S. 2019.

He promised much bigger bug bounties and an exclusive new ‘pre-jailbroken’ iPhone for selected security researchers that will be made available next year.

The Apple security chief explained that Apple is aware that lots of security professionals want to examine its devices, but that the high degree of protection makes it a time-consuming task.

The pre-jailbroken device lacks some of the layers of security Apple wraps around iPhones, so it is much easier for researchers to explore these systems for security weaknesses.

The iOS Security Research Device program

The device ships with ssh, a root shell and advanced debug capabilities and will be made available to invite-only members of Apple’s iOS Security Research Device program.

Anyone with a track record of high-quality systems security research on any platform can apply to join the program, though Apple will select who it invites.

Similar devices are widely used in Apple’s factories for testing and quality control, which has spawned a black market in them among security researchers, governments and others – they are often spirited out of factories for sale.

The idea is that by opening up the platform a little, security pros will find it worthwhile to probe it for vulnerabilities and the black market for such devices will erode.

Your security is their business

Apple understands the value of security on its platforms. It also recognizes that security research is a business.

As such, it makes sense to motivate researchers to disclose found flaws with the company, rather than competitors or cyber-criminals. With that in mind, Apple has raised its maximum bounty from $200,000 to $1 million, with an additional 50% paid to researchers who identify a flaw while an OS is still in beta. (The program begins this fall.)

The fee scale varies.

For example, a lock screen bypass will fetch $100,000, user data extraction $250,000 while a network attack with no user interaction that can access high-value user data will net a researcher $500,000.

While it is true that Apple’s platforms are highly secure, they are not invulnerable and those flaws that do exist command huge fees on the dark web. Criminals, governments and other dubious groups will spend millions on ways to break into iPhones, iPads and Macs.

The hope is that by offering more generous bounties, Apple will take some hitherto unknown flaws out of the market and more quickly learn of new ones.

Apple is offering bounties to researchers who can identify security flaws in Macs, iPads, Apple TV, Apple Watch, iOS and iCloud.

Why is this necessary?

Security researchers have been pressing Apple to widen its bug bounty scheme for some time. After all, Apple only began offering such a scheme in 2016 and even then only to selected researchers and only for iOS.

During his briefing at Black Hat, Kristic revealed that Apple has learned of 50 serious vulnerabilities during the three years it has offered a bug bounty.

Apple is now open to submissions from all researchers, not just its invited group.

It makes sense to see this as another big step on Apple’s part to kick back against those who use small exploits in its systems to track users, exfiltrate personal data and undermine security for other egregious ends.

A string of in-the-wild iPhone exploits were reported in recent months.

In July, six critical security vulnerabilities originally discovered by Google’s Project Zero team were patched in iOS 12.4; these included bugs that could be executed remotely on a device without user interaction.

Update your device today

As a general rule, it’s not hard to spot a pattern around security releases and major cybersecurity events like Black Hat. You almost always see platform security patches appear just before the event with another following a little later, patching any fresh vulnerabilities exposed at the show.

This is at least the case on responsible platforms.

Black Hat saw multiple iOS vulnerabilities discussed, many of which were previously disclosed to Apple and patched in iOS 12.4.

With 90% of current iOS devices now running iOS 12, I’d urge any iPhone, iPad or Mac user to upgrade their systems to the latest version of the OS as soon as they can.

Given the nature of this year’s crop of vulnerabilities, enterprise security chiefs should encourage their IT support teams to expedite approval of the latest software update for installation.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.