Apple’s head of security engineering and architecture, Ivan Krstic, told a rapt audience at the Black Hat security conference earlier this month that his notoriously secretive company was ready to open up its vulnerability reporting process to researchers.
Krstic announced that Apple was launching a bug bounty program, offering $50,000 for zero-day vulnerabilities that allow malicious code exploits in the kernel, among other rewards.
The thinking behind the bug bounty, according to Apple, is that discovering zero-day vulnerabilities — security problems that are unknown by a company but exploited by an attacker — has become more difficult as iOS security has advanced. Outside researchers could provide valuable assistance in discovering zero-days, and Apple wanted to start compensating them for their time.
On August 12, a week after Krstic’s announcement, Apple’s fears about an unknown vulnerability came true.
Ahmed Mansoor, an activist based in the United Arab Emirates, showed strange text messages he’d received to the human rights and technology organization Citizen Lab. The text messages contained a suspicious link, and analysis by Citizen Lab and the security firm Lookout determined that the link delivered a highly sophisticated packet of three zero-days that could take total control of Mansoor’s phone and spy on his calls, emails, text messages and contact lists.
The vulnerabilities show that hackers are increasingly turning their focus to mobile devices, and Apple’s increased focus on detecting zero-days shows that companies are striving to keep up. Mobile phones — particularly the iPhone — are often thought to be more secure than desktop computers and network infrastructure, so vulnerability research and hacking have been focused on those weaker devices. But the revelation of zero-days for Apple’s robust iOS security system marks a new era, in which the focus is heavily on mobile.
“To see three vulnerabilities, not just three vulnerabilities but three zero-days chained together to gain a one-click jailbreak is unprecedented,” Lookout’s vice president of security research and response Mike Murray told TechCrunch. – READ MORE
