#BHUSA: Apple To Pay Bug Bounties

Written by

In the wake of its legal battle with the FBI over security vulnerabilities and access, Apple is launching its first-ever bug bounty program with potential payouts as large as USD$200,000.

Speaking at the Black Hat conference in Las Vegas, Ivan Krstic, Apple’s head of security engineering and architecture, outlined the new security program, which launches in September. Citing “the increasing difficulty to find its most critical security issues,” Krstic says the added help from the white-hat hacking community is important to find flaws as Apple’s iOS security mechanisms are getting strong with the release of iOS 10.

“We have had great help from the researcher community in improving iOS security,” Krstic said at the event. “We want to reward the researchers who find a flaw and come to us.”

Initially, Apple will be inviting a few dozen select researchers to participate, but Krstic says the company would reward and welcome any hacker into the program who brings the company a found-vulnerability. Bug-bounty payments include: $25,000 for finding access from a sandboxed process to user data outside of that sandbox; $50,000 for unauthorized access to iCloud account data on Apple Servers or execution of arbitrary code with kernel privileges; $100,000 for extraction of confidential material protected by the Secure Enclave Processor; and $200,000 for vulnerabilities found in the secure boot firmware.

In April, the U.S. Federal Bureau of Investigation reportedly paid nearly $1 million to hackers to find vulnerabilities and extract information from the iPhone of a terrorist based in San Bernardino, California. Apple reportedly requested knowledge of that vulnerability, found in all iOS 9 phones, from the FBI.

In combination with the bug bounty program, Apple also released an update to its current software, iOS 9.3.4, aimed at blocking the latest Pangu jailbreak access.

The bulk of Krstic’s talk at Black Hat, an event at which Apple rarely presents, was dedicated to outlining the technical details of three distinct new security mechanisms in the forthcoming iOS 10 release for its products, including its new iCloud Keychain. The new cryptographic designs and architecture aim to make it easier and more secure to synchronize data between Apple devices, without potentially exposing information to Apple or any outside party, and also allowing for the recovery of data in case of loss.

Krstic also outlined the hardening of the company’s JIT (Just In Time) programming, where Apple will essentially take the JIT in memory and create two virtual mappings, one that is writable and one executable. The writable memory will be randomly located, making it more difficult for the computing device to be hacked and have code rewritten.

Ivan Krstic, head of security, Apple (Photo Credit: Richard C. Hoffman)
Ivan Krstic, head of security, Apple (Photo Credit: Richard C. Hoffman)

What’s hot on Infosecurity Magazine?