Apple’s new security program puts special iPhone hardware into researchers’ hands


Apple announced a new program for security researchers, with modified iPhones giving privileged access. 


Apple unveiled a new kind of iPhone on Wednesday, but it’s not one that just anybody can get ahold of. The new batch of modified iPhones is tweaked specifically for security researchers as part of the tech giant’s new Security Research Device program.

At last year’s Black Hat cybersecurity conference, Apple first said it would be providing modified iPhones for security researchers, and it launched the program Wednesday. The company said it would be accepting applications starting today, and researchers who apply should expect to get their devices very soon.

The iPhones will be the latest models available, but come with specific hardware fusing that allows security researchers to run their software on the devices. You wouldn’t be able to run the same tests on a store-bought iPhone unless you had the device jailbroken.

Apple has different hardware for different tiers of its iPhones, such as hardware fusing specifically for its own engineers to test software internally. These engineer-fused iPhones are highly coveted in the security research market because of that access, but are much rarer to find.

The Security Research Device program offers a middle ground there, as researchers can now get iPhones with privileged access directly from Apple. Compared to a normal iPhone, where you’re limited to software from the App Store, these devices allow researchers to run security testing software right out of the box.

Typically, security researchers looking to find vulnerabilities on an iPhone would first need to break out of the App Store limitations — which can be a challenging obstacle if you’re not an expert on iOS security. In some cases, researchers would also jailbreak iPhones, but that comes with limits too since jailbreaks are often running on older versions of iOS with vulnerabilities that are patched in later versions. 

Apple said it launched this program to make it easier for security researchers to get started on finding vulnerabilities with its iPhones.

The devices will be provided on a yearly basis, requiring researchers to renew with Apple every 12 months, and are not meant for personal use, according to the company. There’s a limited supply of these security-research-focused iPhones, but Apple said it would be keeping in touch with the researchers for feedback on how to expand the program.

Participants will also be a part of a dedicated forum to talk with each other as well as Apple security engineers about discoveries with the program, the company said. 

To be eligible, you have to be a part of Apple’s Developer program and demonstrate a track record of finding security issues with Apple’s devices. 

The program also comes with restrictions — security vulnerabilities discovered on the platform must be reported to Apple, and cannot be discussed with the public until a date determined by the company — ideally when Apple resolves the flaw. 

That restriction comes as a concern if the flaw is never fixed, Will Strafach, an iOS security researcher and CEO of mobile security company Guardian, said. He said he would not be applying to the program because of that restriction. 

In his work, he’s found that public disclosures of security vulnerabilities often pressure companies to fix these issues that otherwise never would have been addressed. 

“It’s a good first step, I doubt this is very easy to make happen,” Strafach said. “But there should be a lot more. The two big things I think are really needed are wider availability with less restrictions on how you can use it, and making it closer to the developer-fused iPhones that make the rounds on the gray market.” 
