Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Iphone Security The Almighty Buck

iPhone Bugs Are Too Valuable To Report To Apple (vice.com) 96

An anonymous reader writes: Last year, Apple launched a long-awaited bug bounty program to reward friendly hackers who report flaws in the iPhone to the company. Despite inviting some of the best hackers in the world to join, it's a bit of a flop so far. The iPhone's security is so tight that it's hard to find any flaws at all, which leads to sky-high prices for bugs on the grey market. Researchers I spoke to are reluctant to report bugs both because they are so valuable and because reporting some bugs may actually prevent them from doing more research. "People can get more cash if they sell their bugs to others," said Nikias Bassen, a security researcher for the company Zimperium, and who joined Apple's program last year. "If you're just doing it for the money, you're not going to give [bugs] to Apple directly." Patrick Wardle, a former NSA hacker who now specializes in MacOS research and was invited to the Apple bug bounty program, agreed. He said that iOS bugs are "too valuable to report to Apple."
This discussion has been archived. No new comments can be posted.

iPhone Bugs Are Too Valuable To Report To Apple

Comments Filter:
  • by Anonymous Coward on Thursday July 06, 2017 @11:12AM (#54757191)

    Apple's pockets are a little deeper than most.

    They could surely increase the bounty to a point where no one could possibly compete with them.

    • by Kergan ( 780543 ) on Thursday July 06, 2017 @11:24AM (#54757319)

      They might, but someone at Apple might also be thinking "no, they're actually full of shit and haven't found critical issues yet" until a zero day rears its ugly head. It's not like Apple could buy the stuff at an auction or something - or could they?

      • where the bug-exploit reveal is "cleaner" if it comes from a volunteer donor rather from a humanities grad student or homeless person who gets money from Plasma-R-Us?

      • They might, but someone at Apple might also be thinking "no, they're actually full of shit and haven't found critical issues yet"...

        Let's remember this is a reward program, not a ransomware scheme. Payment is rather dependent on disclosure and validation to vendor, so it's pretty easy to dismiss the full-of-shit concerns.

        And yes, Apple can easily afford to pay many times more than what they're offering. To your point, ignorance will likely ensure vendors find out the hard way what a proper reward should be.

      • It's not like Apple could buy the stuff at an auction or something - or could they?

        They indeed could buy them from the black market cyber-arms-dealers like anyone else, at highly inflated prices. Zerodium will sell to anyone.

      • They might, but someone at Apple might also be thinking "no, they're actually full of shit and haven't found critical issues yet" until a zero day rears its ugly head. It's not like Apple could buy the stuff at an auction or something - or could they?

        If there was an auction, the right thing to do would be to shoot all the other bidders.

      • Unlike Android, Microsoft etc.

        For other companies, security is about protecting their customers. For Apple, security is about protecting Apple's walled garden.

        • Unlike Android, Microsoft etc.

          For other companies, security is about protecting their customers. For Apple, security is about protecting Apple's walled garden.

          Explains perfectly why it's much easier to find security holes in Android and Microsoft products, Because they care so fucking much about their customers.

    • by Anonymous Coward

      Yes, except that corporations are allergic to giving away money, except to useless senior executives in the form of grotesque bonuses.

    • by jeremyp ( 130771 ) on Thursday July 06, 2017 @11:34AM (#54757395) Homepage Journal

      I don't think the economics will work.

      iOS bugs are presumably valuable because they allow you to exploit users for lots of $$$ and because they are rare. If Apple raises the bounty, then unfixed bugs will become even rarer and grey market prices will rise and you are back where you started.

      • by Anonymous Coward on Thursday July 06, 2017 @12:11PM (#54757741)

        You are not right back where you started. You just said by raising the price unfixed bugs will become even rarer, which is the goal of a bug bounty program.

        • OP used a bad term. Didn't mean rare as in fewer, but meant rare as in dearer. Kind of like "rare" diamonds... they're not really rare, just dear.

      • Amway lit a fire once why not bring the hackers in with some sort of public rankings (updated monthly), secret conclaves in HI for the best 25 and all that bull
      • The amount of money you can exploit the users for is a constant. Let's say you can milk users out of 10$ for a bug, apple wants to pay you 2$ and grey market wants to pay 5$ (they have to make a profit, just like everyone else. If apple raises their pay out to 10$, then they remove any incentive to sell to a grey market. The Grey market value will remain unchanged as it's price is set based on how much you can milk out of users based on a bug.
      • by gurps_npc ( 621217 ) on Thursday July 06, 2017 @12:33PM (#54757983) Homepage

        Not true.

        There are three markets for the bugs..

        1) Apple.
        2) Small time thieves (Mafia and their ilk)
        3) Big time thieves (NSA, Mossad, KGB, ISIS, etc.)

        The later two want the bugs to be cheap. But Apple should want the bugs to be expensive. And they can make it so.

        Apple can raise the price enough that thieves can't afford to outbid them. Granted, Apple can't outbid NSA and the other such global organizations. But they can outbid the small time thieves.

        Right now Apple is being cheap and letting common thieves outbid them. That is stupid. They should at least up the ante to the point that only the big time thieves, including terrorists and spy agencies to purchase the bugs.

        • by swb ( 14022 )

          Even the global security organizations have budgets and raising the prices high enough might make them less interested in high priced bugs unless they were well developed and high value. AFAIK, some of these exploits are theoretical and require a lot work to make them useful.

          I think I've also read there's kind of a supply chain for some of these bugs, from hackers to private security organizations that buy them and then resell them to state security agencies. I don't know, but I suspect that a lot of the

        • Apple can raise the price enough that thieves can't afford to outbid them. Granted, Apple can't outbid NSA and the other such global organizations. But they can outbid the small time thieves.

          Actually Apple can out bid NSA if they want to. By a lot. The entire Intelligence budget for the USA [wikipedia.org] is somewhere around $80 billion per year. This includes CIA, NSA, FBI, DIA, and the rest. Apple's profits last year were about $45 billion. So yeah, NSA isn't going to be able to outbid Apple unless Apple doesn't care.

        • Apple can at least outbid KGB, ISIS and etc.,

          People at the Kremlin are embezzling and hiding too much of their government's money to have more than petty cash left for buying hacking tools.

          You can add China to the list of groups that Apple can't outbid because they've got a lot more money than Russia.

        • by guises ( 2423402 )
          You're missing the most important market: Chinese third-party app stores. That's where the money is actually coming from, jailbreaking is big business in China.
      • Yes, but Apple's goal is not to accumulate bugs, it's for there to be as few bugs as possible. Increasing the rarity of unreported bugs is their goal.
    • If the price increases then eventually, employees will start introducing bugs for their friends to find. A large payout for bugs can have unforeseen drawbacks.
  • by Anonymous Coward on Thursday July 06, 2017 @11:12AM (#54757193)

    Then Apple is not paying well enough if the grey* market pays better.

    * NSA, FAPSI, 3PLA, etc

    • If they are rare then Apple will not have to pay for many of them, so the cost will not be huge. They ought to publicise when they have paid a bounty (and fixed the problem). Apple should then pay these bounties out of the marketing department budget, not software development. Their marketing department probably has a larger budget than development.

    • by Anonymous Coward

      The point of a bounty is to get whitehats to find bugs for you. People who are willing to sell on the black market may very well sell zero days to hacker groups and then also collect the bounty before it goes "public."
      It's hard to outbid a blackhat group for an exploit that could make them millions.

  • by Anonymous Coward

    If you sell it to Apple, you are a white hat hacker and helping make the product better.
    But it cost's you 7 figures per bug to be a good guy or gal.

    If you sell at market rate, it isn't a grey market, it's a black market.
    You are not only preventing something from getting fixed, you are helping folks do bad things.
    But you get a bunch of cash.
    It ought to be illegal except that is is funded by the FBI etc.

    I don't see how it would hurt Apple to pay market rates, but folks should not get away with clean cash for

    • by Anonymous Coward

      Please don't do that causality bullshit. We have enough already. Walmart is being sued (attempted anyway) for "facilitating" a machete that was used as a murder weapon.

      You probably yell at the delivery boy for the cook's mistake. Because he's there and the cook isn't. It's not about justice, or even the food anymore, you just want to yell. Like a child throwing a tantrum, and you don't even remember why.

      Use whatever words you want to distinguish the intermediates from the buyers (including gov agencies) but

    • Saying that it *ought* to be illegal and that it *is* a black market is mutually contradictory. Pick one.
    • by PPH ( 736903 )

      Sell it twice. Once on the black market. For the big bucks. Then sell it to Apple for the bounty.

  • by Hentes ( 2461350 ) on Thursday July 06, 2017 @11:47AM (#54757545)

    Someone willing to sell bugs to criminals if they pay better is greyhat at best.

    • by Stan92057 ( 737634 ) on Thursday July 06, 2017 @12:01PM (#54757677)
      Wouldn't call them gray either, they are black-hats 100% why call them gray? What good have they done? the bug they found will be exploited criminally. Now lol if they sold the bug to a criminals then turn around and sell it to apple then i would tag them gray.
      • by phayes ( 202222 )

        Indeed. if those who discover iOS flaws refuse to give/sell them to Apple then there is _no_ white in their hats and they are blackhats with no redeemable features.

    • Blackhats do research, too.
      Researchers are sometimes unethical.
  • The iPhone's security is so tight that it's hard to find any flaws at all

    Really? This sounds like corporate PR to me.

    I'd guess that it's more that there aren't as many skilled hackers trying to break iOS, than some intrinsic superiority of the OS.

    • by mbkennel ( 97636 )
      There are plenty of iOS users who have money, there's plenty of motivation. There aren't as many hackers because it's not very rewarding. The OS and app infrastructure is more secure, and it limits application developers in cases.
    • You seem not to lnow much how an OS works, how its security works and particularily why iOs is that secure.
      Your post is pointless.

      It starts with 'skiled hackers trying to break', you watch to many bad movies about 'hacking'.

      • So can you enlighten me?

        I've been writing Windows software since you had to write your own message handler loop, I've written video driver interceptors to pull text being sent to the screen. I've written windows message hooks and printer drivers. Before that, I wrote DOS TSRs in assembly. I've rooted my Android phone, I've installed BSD before Linux was a thing. I think I know a thing or two about hacking.

        Your rebuttal didn't actually say anything, except that you think I'm wrong. Why exactly, in a structur

        • iOS sandboxes each app.
          Consider it a glorified change root environment which is hardened against break outs.
          Basically every app is running with its own group and user id. They can not access each others data.

          https://www.apple.com/business... [apple.com]

          Yes, we need a new search engine, since google is 'tweaking' search results lots of stuff is hard to find.

  • by Anonymous Coward

    That's black market, not grey, I think.

  • If I'm good and work for bug bounties on other projects I can get a sort of steady pay. If I work on iOS bugs I might not find a valuable one with 6 months of effort. You could raise the payout to a million dollars a bug but I can't work on it full time because I will never no if and when I will get the pay.
  • There is no good or acceptable reason to do anything with a vulnerability other than to first report it to the developer, and then release it to the public if they fail to patch it within an acceptable timeframe.

    Make no mistake, that market is as black as the devil's heart.

    • There is no good or acceptable reason to do anything with a vulnerability other than to first report it to the developer, and then release it to the public if they fail to patch it within an acceptable timeframe.

      "Good" and "acceptable" are concepts very much in the eye of the beholder. For some the only "good" is how much money they can make and the rest of the world can burn as far as they care. The only thing "acceptable" to them is a large enough price. This is how much of Wall Street works so why should we expect the market for security flaws to be much different? The greater good is a concept as alien to such people as a Martian.

      Make no mistake, that market is as black as the devil's heart.

      Quite so.

    • Make no mistake, that market is as black as the devil's heart.

      But make no mistake, it is there and wishing it away won't make it so. You don't even have to go far: wait around here until a thread about the government arrives an the usual crowd will pop out of the woodwork trumpeting the free market over all else. If the free market really is the ultimate goal the the value of a bug is how much you can get for it.

      Personally I don't subscribe to that and like arguing with such people (hi, roman_mir and Archan

  • Let us say Apple creates a division that has access to all the security by obscurity things and even the source code. They don't report to any of the traditional marketing, sales, development hierarchy. They only report to the security chief, and their pay, bonus and career prospects depend on the bugs they find and fix. Sort of like the Military Police, or inspectorates. Would that work?
  • by Kernel Kurtz ( 182424 ) on Thursday July 06, 2017 @12:46PM (#54758119)

    I'd rather they be used for that first, then Apple can fix them later.

    • A remotely exploitable jailbreak is the worst security hole you could think of. you actually don't want this.

    • I'd rather they be used for that first, then Apple can fix them later.

      I'd rather guns only be used for self defense, and not be used to murder humans. Sometimes you can't have it both ways. Sorry.

      Then again, why am I apologizing? You want the freedom to do whatever you want with your smartphone? There's a simple solution for that. Don't buy a fucking iPhone.

  • by Tanman ( 90298 ) on Thursday July 06, 2017 @01:17PM (#54758401)

    One would be a fool to think that Apple does not also purchase bugs on the black market through intermediaries. Having an inexpensive bug bounty gives incentive to all the white hats out there to do their part to increase Apple security.

    For everyone else, Apple will buy exploits in the wild paying market value. If they increased their bug bounty program to this level, it would not increase their ability to get ahead of black hats since they would have to pay over market price to lure them over, but it would make all their other submitted bugs more expensive.

    • by sl3xd ( 111641 )

      Another thing to consider:

      Governments print their own money. In that situation, a monetary "reward" is utterly meaningless.

      As a result, government agencies are interested in the information on a device.

      On the "commercial" side, think about it for a second: There's no legal requirement I'm aware of that compels a hacker to tell Apple anything; so if Apple finds out you didn't share exploit information with them, what are they gonna do? Ask nicely the next time?

      In contrast, if a crime boss you've worked with

  • by jonwil ( 467024 ) on Thursday July 06, 2017 @04:20PM (#54759613)

    A.How is it not illegal to profit from the sale of vulnerabilities in software? (other than by reporting it to the vendor and collecting a bounty) and B.How come the software vendors (who presumably dont want vulnerabilities to be bought and sold on the open market) haven't been lobbying for laws to make these vulnerability marketplaces illegal?

    Are the software companies worried that if its illegal it will just disappear into the deep web and become even harder to track and deal with? Do the software companies know that such laws will never happen because the government needs these vulnerability marketplaces as a way to get bugs to use in the spying efforts? Do the software companies know that such laws would be pointless since the action happens outside jurisdictions that might actually implement such laws?

    • by Anonymous Coward

      What you are proposing would surely violate the 1st amendment. Why should it be illegal to sell matters of fact to anyone?

No spitting on the Bus! Thank you, The Mgt.

Working...