Last week, Apple lost control of its iPhone Secure Enclave Processor encryption key when a hacker, “xerub”, released the key. According to analysts, the release of the encryption key isn’t going to affect user data, but it does call into question one of Apple’s main selling points – security.
This may help boost the case for Apple’s Bug Bounty Program. To review, BlackHat 2017 marked the one-year anniversary of Apple’s Bug Bounty Program. At BlackHat 2016, Apple’s Head of Security, Ivan Krstic, announced that Apple would join large publishers like Microsoft, Google, and Facebook in offering a bug bounty program. Krstic outlined five broad categories of bugs and the maximum payout for each:
1. Vulnerabilities in secure boot firmware components: up to $200,000.
2. Vulnerabilities that allow extraction of confidential material from Secure Enclave: up to $100,000.
3. Execution of arbitrary or malicious code with kernel privileges: up to $50,000.
4. Access to iCloud account data on Apple servers: up to $50,000.
5. Access from a sandboxed process to user data outside the sandbox: up to $25,000.
The program was an initiative by Apple to shed some of the secrecy around its security architecture and open up to the community of hackers, researchers, and cryptographers who want to help improve the company’s security. Security is the main selling point of Apple products, and discovering vulnerabilities in an increasingly hardened OS has become more difficult for in-house testers and external researchers alike, so incentives for bug reports were thought to be another avenue toward better security.
However, Apple’s invitation-only bug bounty program hasn’t worked very well. A Motherboard research study found that Apple bugs are rare and difficult to find. As a result, any bug is considered so valuable that no one looking for a payday will turn a high-quality uncovered exploit over to Apple.
The going rate in the grey market for a multi-exploit iOS jailbreak is $1.5 million. Even second-tier purchasers will pay $500,000 for similar exploits. Companies like Exodus Intelligence, which launched a competing bug bounty program last year, pay more than double Apple’s maximum payout: the zero-day hit list of Exodus Intelligence’s RSP program includes a maximum reward of $500,000 for iOS exploits. While this is substantially higher than the amounts listed above, Exodus resells the information to its subscribers.
Apple will need to either offer a larger payout or come up with a stronger security architecture, as the number of malware cases targeting Macs continues to surge. Malware targeting Macs grew by 53% in just the first quarter of 2017, according to an analysis from the security firm McAfee. And in 2016, it grew by a massive 744%.
Apple historically has not had a good relationship with researchers, but this has changed over the last 10 years. The bug bounty program is a step in the right direction.
Unfortunately, because of the closed nature and security of iOS, companies such as Exodus Intelligence are simply willing to pay more for exploits than Apple is. As a result, Apple’s program cannot truly shine the way it could. While Apple is known for being perfectionistic in production, it may be that the economics of this program are too enticing to hackers who are looking to bring chaos to such beauty.