Apple has devoted hundreds of millions of dollars and hours to making its devices some of the most secure on the market. The iPhone is arguably the safest smartphone in the world. While locking down the iPhone keeps more than 100 million U.S. users safe, it also makes it nearly impossible for security researchers to detect and address potential vulnerabilities.
To fix this issue, Apple is planning to give said researchers special iPhones that are hacker-friendly. An unprecedented level of access will make it easier for them to examine the inner workings of the iPhone to find and report security vulnerabilities.
Ready to Go
Apple’s head of security, Ivan Krstic, first teased the possibility of giving cybersecurity researchers special iPhones last year at the Black Hat security conference. Now, the so-called iOS Security Research Device program is finally in operation.
As of Wednesday, Apple has begun loaning special iPhones to its most-trusted researchers who meet certain eligibility requirements.
The phones come with custom-built iOS software and a myriad of features that standard iPhones don’t have. For instance, they’ll include SSH access and a root shell to run custom commands with top-level access to the software. There will also be debugging tools that make it easier for researchers to execute their code and figure out what’s going on below the surface.
Rather than sending out its devices and calling it a day, Apple wants the program to be a collaboration. Researchers will have access to extensive documentation as well as a dedicated forum with Apple engineers. This will allow them to ask questions and get feedback on their code.
To be clear, these hacker-friendly devices aren’t exactly new. Some so-called “dev-fused” devices have appeared in underground marketplaces for dedicated researchers. Those who didn’t find one could always “jailbreak” an ordinary iPhone to gain more access to its internal software. However, reliable jailbreaking tools typically aren’t available for the most recent iPhones, leading to a delay in finding vulnerabilities.
Apple’s latest plan ensures that researchers will have an easier time finding vulnerabilities so that they can be fixed before they are exploited.
Meanwhile, Apple says that the special devices don’t pose a risk to the security of regular iPhones—even if they are lost or stolen. How exactly that works remains unclear.
Partnering at Last
Compared to many other tech companies, Apple is late to the game when it comes to working with non-malicious hackers. Things like bug bounty programs are a common way for companies to find new vulnerabilities in their software before they can be exploited by a bad actor. In return, hackers get a payday, typically determined by the severity of the vulnerability they identify.
Unfortunately for cybersecurity researchers, identifying flaws in the iPhone is a difficult task—and not just because the device features layer upon layer of security protections. That is, until now.
Apple says that its new research device program will run in conjunction with its existing bug bounty program. This allows researchers to submit research device bugs and get a financial reward just as if they were using a regular iPhone.