LAS VEGAS — Every day, cyber criminals and security firms buy and sell exploits to gain illicit access to computer systems. Now Apple is getting into the game.
Speaking at the annual Black Hat security conference, Ivan Krstic, head of security engineering and architecture for Apple, announced that the company will launch a so-called “bug bounty” program that will pay researchers who discover flaws in the company’s mobile operating system. Apple has never before paid for vulnerability reports; it will now offer up to $200,000 for the most critical flaws. The program will launch in September and will initially be invitation-only, open to a select group of researchers.
But even that figure falls short of what researchers can get paid by other players in the marketplace for security vulnerabilities. Last year, the start-up Zerodium offered a $1 million bounty to the first hacker to remotely install an app on an iPhone and hand the working exploit to the firm. The reward was claimed within a few weeks.
And when the FBI wanted to gain access to the encrypted contents of an iPhone belonging to one of the gunmen who killed 14 people in San Bernardino in December, the bureau reportedly paid at least $1.3 million to a mysterious hacker or firm to break into the phone.
The value of the data stored on phones, and Apple’s increasingly sophisticated measures to keep attackers out, have made vulnerabilities in its iOS operating system among the most sought-after commodities on the black market.
Krstic’s presentation at the tail end of the Black Hat conference, billed as an inside look at the security features of the company’s new mobile operating system, focused on the byzantine measures the company has put in place to keep out hackers and keep its customers’ data secure. The company has implemented advanced encryption schemes to lock down phones, Krstic said, and has built in structures designed to thwart sophisticated attacks.
Asked whether the bug bounty was a response to the very public fight Apple waged with the FBI over accessing the locked contents of an encrypted phone, Krstic declined to answer. But that conflict clearly hangs over the policy.
Matt Tait, a former security specialist at GCHQ, the British equivalent of the NSA, wrote on Twitter that the structure of the Apple bug bounty appears specifically geared toward blocking FBI access to its products. The company is offering its largest bounties for the kinds of vulnerabilities of particular interest to the FBI, and smaller sums for the vulnerabilities typically of interest to criminal hackers working for financial gain.
The fight with the FBI presented enormous reputational risks to Apple, and its resolution — the FBI paid an unnamed entity to hack into the phone — left a stain on Apple’s claims to have instituted ironclad security measures.
As the FBI sought to secure the company’s help in breaking into San Bernardino shooter Syed Rizwan Farook’s iPhone, Apple executives told reporters in a series of conference calls that the company was playing a cat-and-mouse game with hackers trying to break into its products. As soon as the company patched its products, new vulnerabilities emerged, executives said.
That argument doesn’t quite square with the justification Krstic offered on Thursday for launching a bounty program, an approach used by many of Apple’s competitors but one the company has long resisted. Krstic said it has become increasingly hard for researchers to find the most critical security flaws in the company’s products. As a result, the company has concluded that it makes sense to offer a monetary incentive to researchers trying to break into its products, Krstic said.
The new policy will certainly funnel some cash to well-intentioned security researchers looking to inform Apple of its security flaws and protect user privacy. Less scrupulous hackers, however, will be able to get far more for selling the fruits of their work on the black market or to security companies.