Apple’s $1 million bug bounty makes a lot more sense after that iOS hacking spree
Say what you will about Apple, but the company certainly knows how to get the security community fired up.
Ivan Kristic, Apple’s head of security engineering, announced Aug. 8 at the Black Hat security conference that the company would offer up to $1 million, or $1.5 million under specific conditions, to hackers who disclosed new ways of infiltrating the iPhone’s operating system.
That million-dollar promise instantly earned praise as the highest bug bounty offer from a technology firm, and seemed to indicate the notoriously inaccessible company was becoming more transparent. The weeks since, though, have demonstrated that the stakes are higher for Apple than initially understood. Apple’s stellar security reputation took a hit when Google’s Project Zero announced that hackers had spent two years targeting thousands of iPhones by combining 14 vulnerabilities into five exploit chains that allowed them to spy on victims with few limitations.
Now, researchers and bug bounty participants are divided over whether Apple’s $1 million bounty will actually convince the small pool of researchers with the skills to crack iOS to report the issues they find to Apple, rather than a zero-day broker or a government buyer. The top prize is available to outsiders who demonstrate techniques to reach an iOS “kernel,” the core of the operating system, without physical access to the device, a skill that fewer than 5,000 people in the world might have, one iOS researcher suggested.
Just 3.5% of bug bounty entrants probe for vulnerabilities in operating systems, according to Hacker One’s 2019 Hacker Report examining the market. It’s much easier to probe web applications, earn a quick payout and move on, as CyberScoop previously reported.
“Folks at this technical level are easily employable practically anywhere,” said Adam Rudderman, director of bug bounty services at NCC Group North America, and a former Facebook technical program manager. “Apple is acknowledging the value of these peoples’ time. You’ll see a larger pool of folks who have this talent maybe start to think about engaging in bug bounties where in the past it may not have been worth their time.”
Exploit market trends
Apple’s offer is roughly in line with what’s publicly known about black and gray exploit economy, which is in constant fluctuation. Zerodium, a firm known for reselling hacking tools to government and corporate clients, said Tuesday it would pay $1 million for a one-click full chain iOS exploit, down from a previous reward of $1.5 million. Zerodium founder Chaouki Bekrar told Bleeping Computer the price change is a reaction to a zero-day market that’s become “so flooded with iOS exploits that [Zerodium] recently started refusing” to purchase some, though he didn’t offer specifics.
Apple previously had offered up to $200,000 to people who participated in its invite-only bounty program, which began in 2016, resulting in the disclosure of 50 “serious” bugs, Kristic said. The new program also covers macOS, watchOS, tvOS, iPadOS and iCloud.
By increasing its reward so significantly, Apple provides researchers — especially those who previously would have sold their discoveries to brokers like Zerodium or to international governments — with an opportunity to make a buck without violating their conscience, said Casey Ellis, chief technology officer at bug bounty platform Bugcrowd.
It’s almost a certainty that international governments already possess an array of iOS hacking techniques, if Project Zero’s recent disclosure is any indication. Numerous outlets including TechCrunch and Forbes have attributed the attack to the Chinese government. It leveraged vulnerabilities against iOS versions 10 through 12.4 to walk off with data from iPhones that did nothing more than visit the wrong website.
Apple patched some of the vulnerabilities after hearing from Google in February. To what extent this two-year hacking campaign played into the decision to increase bounty rewards by $800,000 is not clear, if it did at all. Whatever the case, Apple essentially is expanding the current pool of people auditing its technology. For now, Project Zero security practitioners and their counterparts are Chinese security companies like Tencent and Qihoo 360 are behind much of the research examining Apple technology.
“Apple is making the return for selling your work to them more attractive and, in doing so, creating an incentive for offensive exploit engineers and organizations to consider selling their output for the purpose of defense,” Ellis said.
Far from settled
But increasing the reward so dramatically also could result in very serious unintended consequences.
Apple’s offer of $1 million “won’t make a dent in the offense market at all,”predicted Katie Moussouris, founder of the vulnerability disclosure firm Luta Security and creator of Microsoft’s bug bounty program. Buyers that want those exploits will respond by raising their own prices, and thus won’t feel any pinch at all, she said. Organizations in this category could include anyone from Zerodium and its competitor Crowdfense to governments of Saudi Arabia and the United Arab Emirates, which reportedly have paid firms like the spyware vendor NSO Group to spy on journalists and human rights activists.
“Adversaries will continue to target the most popular operating systems, and whatever is in the hands of high value targets,” Moussouris said.
“[R]aising prices in the offense market is like a rounding error to them,” she added.
Instead, she said, bounty researchers may hold off on reporting more subtle, fixable bugs that warrant lower rewards. Sitting on those vulnerabilities, and finding more, could lead to the kind of exploit chain that would arrant higher rewards from Apple, even if the lower severity issues remain unpatched in the meantime, Moussouris explained.
The other effect could be to lure hard-to-find OS security specialists away from their full-time roles in other companies to chase Apple’s bounty, she said. While others, including Ellis, have argued that hiring is “not a zero-sum game,” and that full-timers might keep their job while moonlighting as Apple hackers, Moussouris posited that the big money could complicate an already tight labor market.
“Why take a corporate job if you can make a cool million without ever attending a single meeting or sitting through an annual review?” she asked.
