Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Iphone Security The Almighty Buck Apple Technology

Apple Confirms $1 Million Reward For Anyone Who Can Hack An iPhone (forbes.com) 65

Apple says it will offer up to $1 million for hackers who can find vulnerabilities in iPhones and Macs. "That's up from $200,000, and in the fall the program will be open to all researchers," reports Forbes. "Previously only those on the company's invite-only bug bounty program were eligible to receive rewards." From the report: As Forbes reported on Monday, Apple is also launching a Mac bug bounty, which was confirmed Thursday, but it's also extending it to watchOS and its Apple TV operating system. The announcements came in Las Vegas at the Black Hat conference, where Apple's head of security engineering Ivan Krstic gave a talk on iOS and macOS security. Forbes also revealed on Monday that Apple was to give bug bounty participants "developer devices" -- iPhones that let hackers dive further into iOS. They can, for instance, pause the processor to look at what's happening with data in memory. Krstic confirmed the iOS Security Research Device program would be by application only. It will arrive next year.

The full $1 million will go to researchers who can find a hack of the kernel -- the core of iOS -- with zero clicks required by the iPhone owner. Another $500,000 will be given to those who can find a "network attack requiring no user interaction." There's also a 50% bonus for hackers who can find weaknesses in software before it's released. Apple is increasing those rewards in the face of an increasingly profitable private market where hackers sell the same information to governments for vast sums.

This discussion has been archived. No new comments can be posted.

Apple Confirms $1 Million Reward For Anyone Who Can Hack An iPhone

Comments Filter:
  • A million for those that can prevent someone holding a phone gaining full access to it, but half a million for those that can exploit it remotely. In other words, the threat from the user buying the device is considered higher (to Apple) than some hacker in Generistan getting access to your pho... a phone that you think is yours, just because you paid over a thousand bucks for it.

    • the threat from the user buying the device is considered higher (to Apple)

      Not some user buying, but rather the continued stand-off between law enforcement and the tech community. The $1m sum is interesting, certainly companies like Cellebrite have shown you can make a lucrative business model out of selling an unlock service on a per device basis to governments around the world.

    • by tlhIngan ( 30335 )

      A million for those that can prevent someone holding a phone gaining full access to it, but half a million for those that can exploit it remotely. In other words, the threat from the user buying the device is considered higher (to Apple) than some hacker in Generistan getting access to your pho... a phone that you think is yours, just because you paid over a thousand bucks for it.

      Well, all things considered, it's probably more likely someone who has access to your phone will be doing something with it than

  • by petes_PoV ( 912422 ) on Friday August 09, 2019 @02:26AM (#59067020)
    A suspicious person might think that the "prize" had been raised from $200k because people who find such bugs can make more from them on the open market.

    All this does is raise the level.

    • Incentive. (Score:5, Interesting)

      by DrYak ( 748999 ) on Friday August 09, 2019 @03:25AM (#59067184) Homepage

      A suspicious person might think that the "prize" had been raised from $200k because people who find such bugs can make more from them on the open market.

      "Suspicious", why "suspicious" ?

      If Apple wants to attract hackers, they need to make it more attractive to help them fix their shit rather than selling exploit on the black market. Thus of course, it's absolutely obvious that they are going to raise their bounty above the market value of the hacks.

      It's not a mystery, it's plain obvious market/economics reasoning.
      If they don't throw enough monetary incentive in their bug hunting program, nobody is going to help them.

      Specially given that Apple, for purpose of distinguishing their brand, makes a show of publicly resisting FBI's request for backdroos/to unencrypt/to eavesdrop/to collaborate/etc.
      Which means that three-letter-agencies are needing to get exploits to achieve what they want. Those agencies have deep pockets. So the asking price for good exploit can go rather high. Apple needs to beat that to have any chance of hackers working on their side.

      • Re:Incentive. (Score:4, Interesting)

        by AmiMoJo ( 196126 ) on Friday August 09, 2019 @04:47AM (#59067408) Homepage Journal

        $1M isn't nearly enough though.

        Cellebrite, the company that produces a lot of these exploits, is worth over $1B. They have people working on finding exploits full time, 8 hours a day, 5 days a week. The market for their products is worth way more than $1M.

        I'm sure if someone did discover an exploit then Cellebrite would pay much more than $1M for it.

        Apple patching those exploits doesn't really hurt Cellebrite or devalue the exploits either, because law enforcement and spooks have stacks of old phones waiting to be unlocked that will never get updated.

        • Cellebrite doesn't have to offer much more than a million for the exploit. All they have to do is offer $1,000,001.
          • by ceoyoyo ( 59147 )

            $1 million from Cellebrite, $1 million from Apple, $1 million each from a few other shady buyers, soon you're talking about real money.

            Good thing is, if you make sure to sell it to Apple, they fix it, ensuring the market remains intact.

        • > I'm sure if someone did discover an exploit then Cellebrite would pay much more than $1M for it.

          If I had an exploit I would sell it to Apple for $1M rather than Cellebrite for $1.5M because Cellebrite will turn around and sell its service to repressive regimes. Roll the dice to see if Saudi Arabia will execute somebody based on the bypass you discovered.

          There are amoral hackers out there who only care about themselves and money, but Apple is doing the right thing by setting up incentives for normal pe

        • I'm sure if someone did discover an exploit then Cellebrite would pay much more than $1M for it.

          They won't. Apple wants to know about _vulnerabilities_. If you know about a vulnerability, you can fix it. But there is a long long way from vulnerability to actual exploit.

      • If Apple wants to attract hackers, they need to make it more attractive to help them fix their shit rather than selling exploit on the black market

        You have entirely missed the point.

        Apple raise their bounty to $1m. So the baddies raise their prices by more!

        The perverse incentive is that all this makes it more profitable for hackers to look for vulnerabilities and then sell them. Whether to Apple or a third party. More people looking means more problems found - and exploited.

  • well invested. It is in everybodys in terest to have secure phones. One should also restart programs like RSA factoring challenges to make sure that encryption stays safe. Embracing black hat hacking can serve as the analogue immunisation alloing to build up of a strong immune system. Secure phones is in everybodies interest.
    • well invested. It is in everybodys in terest to have secure phones. One should also restart programs like RSA factoring challenges to make sure that encryption stays safe. Embracing black hat hacking can serve as the analogue immunisation alloing to build up of a strong immune system. Secure phones is in everybodies interest.

      This move is interesting in that it shows what the open market considers the entry point for sale of a hack. I suspect, as Forbes pointed out, that this will have little impact on government's ability to buy the information they find valuable. What it will do is raise the bar for non-government actors as well as reward a hacker who is interested in improving security over making a buck and finds selling to the highest bidder unethical.

  • Next Story Headlines:

    "Apple goes bankrupt due to payments for bug hunting."

    Do they REALLY think any app is bug-free to avoid hacking?

    • ... is probably a lot less than it would cost for them to hire enough prop[er security types for long enough to do it properly. Get the kids out there to do the work for free and hope they don't find one, but if they do, well , drop in the ocean for a company that has 10^11 dollars in the bank. Plus its good PR.

  • by thegarbz ( 1787294 ) on Friday August 09, 2019 @03:32AM (#59067196)

    compared to the business case of selling one-off unlock services to law enforcement departments around the world.

  • by hcs_$reboot ( 1536101 ) on Friday August 09, 2019 @03:36AM (#59067206)
    As usual, Apple will release the new iOS (13) in September. And, as usual, it'll be a huge bug nest. That will be the right time.
  • I know a couple of teenagers with time on their hand who will be all over this.
    • by Anonymous Coward

      To be fair, a verifiable 0day hack on iOS could probably already fetch $500,000 on the black and grey markets if you sell to multiple parties.

      You can do so on very underground IRC networks that make 8chan look like Sesame Street.

  • Apple has massively increased the amount it’s offering hackers for finding vulnerabilities in iPhones and Macs, up to $1 million. It’s by far the highest bug bounty on offer from any major tech company. Blogger at https://radiobox.net/ [radiobox.net]
  • Hurray! You cracked our iPhone, and showed us a big glaring hole! We'll pay you up to $1,000,000 - and for you, that'll be $3.98. Here's your Big Mac money - go and enjoy!
  • â...take full control of an Apple device remotely, without the owner of the device ever interacting with it.âoe Does this mean as itâ(TM)s being carried to the customer in the store, or while itâ(TM)s in the UPS truck?

The 11 is for people with the pride of a 10 and the pocketbook of an 8. -- R.B. Greenberg [referring to PDPs?]

Working...