Apple Confirms $1 Million Reward For Anyone Who Can Hack An iPhone (forbes.com)
Apple says it will offer up to $1 million for hackers who can find vulnerabilities in iPhones and Macs. "That's up from $200,000, and in the fall the program will be open to all researchers," reports Forbes. "Previously only those on the company's invite-only bug bounty program were eligible to receive rewards." From the report: As Forbes reported on Monday, Apple is also launching a Mac bug bounty, which was confirmed Thursday, but it's also extending it to watchOS and its Apple TV operating system. The announcements came in Las Vegas at the Black Hat conference, where Apple's head of security engineering Ivan Krstic gave a talk on iOS and macOS security. Forbes also revealed on Monday that Apple was to give bug bounty participants "developer devices" -- iPhones that let hackers dive further into iOS. They can, for instance, pause the processor to look at what's happening with data in memory. Krstic confirmed the iOS Security Research Device program would be by application only. It will arrive next year.
The full $1 million will go to researchers who can find a hack of the kernel -- the core of iOS -- with zero clicks required by the iPhone owner. Another $500,000 will be given to those who can find a "network attack requiring no user interaction." There's also a 50% bonus for hackers who can find weaknesses in software before it's released. Apple is increasing those rewards in the face of an increasingly profitable private market where hackers sell the same information to governments for vast sums.
Shows the priorities of Apple (Score:1, Redundant)
A million for those that can prevent someone holding a phone gaining full access to it, but half a million for those that can exploit it remotely. In other words, the threat from the user buying the device is considered higher (to Apple) than some hacker in Generistan getting access to your pho... a phone that you think is yours, just because you paid over a thousand bucks for it.
Re:No they aren't. Best for mentally disabled, yes (Score:5, Funny)
It's already in the bible, blessed is the geek, for they shall inherit the earth.
(yeah, I know, in most bibles there's a typo)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
I think executable is an odd term. Actually, an oxymoron. I mean, think about it. If you execute a program, it starts running. If you execute a person, it stops running.
Re: No they aren't. Best for mentally disabled, ye (Score:1)
Re: Shows the priorities of Apple (Score:1)
You're not wrong, and at this point they're basically competing with dumb phones. I feel baited and switched by the iPhone. At the time I bought my first iPhone, I was reluctant to use a soft keyboard. I was won over by the high quality, particularly of the basic functionality and especially the soft keyboard. Now the phones are trash. Quality is terrible. They don't last. Bugs everywhere. Privacy nightmare with face tracking. My $1000 would be better spent on a cheap brick phone,
Re: (Score:3)
the threat from the user buying the device is considered higher (to Apple)
Not some user buying, but rather the continued stand-off between law enforcement and the tech community. The $1m sum is interesting, certainly companies like Cellebrite have shown you can make a lucrative business model out of selling an unlock service on a per device basis to governments around the world.
Re: (Score:3)
Well, all things considered, it's probably more likely someone who has access to your phone will be doing something with it than
But would hackers (or governments) pay more? (Score:5, Interesting)
All this does is raise the level.
Incentive. (Score:5, Interesting)
A suspicious person might think that the "prize" had been raised from $200k because people who find such bugs can make more from them on the open market.
"Suspicious", why "suspicious" ?
If Apple wants to attract hackers, they need to make it more attractive to help them fix their shit rather than selling exploit on the black market. Thus of course, it's absolutely obvious that they are going to raise their bounty above the market value of the hacks.
It's not a mystery, it's plain obvious market/economics reasoning.
If they don't throw enough monetary incentive in their bug hunting program, nobody is going to help them.
Especially given that Apple, for the purpose of distinguishing their brand, makes a show of publicly resisting FBI's requests for backdoors/to unencrypt/to eavesdrop/to collaborate/etc.
Which means that three-letter-agencies are needing to get exploits to achieve what they want. Those agencies have deep pockets. So the asking price for good exploit can go rather high. Apple needs to beat that to have any chance of hackers working on their side.
Re:Incentive. (Score:4, Interesting)
$1M isn't nearly enough though.
Cellebrite, the company that produces a lot of these exploits, is worth over $1B. They have people working on finding exploits full time, 8 hours a day, 5 days a week. The market for their products is worth way more than $1M.
I'm sure if someone did discover an exploit then Cellebrite would pay much more than $1M for it.
Apple patching those exploits doesn't really hurt Cellebrite or devalue the exploits either, because law enforcement and spooks have stacks of old phones waiting to be unlocked that will never get updated.
Re: (Score:2)
Re: (Score:2)
$1 million from Cellebrite, $1 million from Apple, $1 million each from a few other shady buyers, soon you're talking about real money.
Good thing is, if you make sure to sell it to Apple, they fix it, ensuring the market remains intact.
Re: (Score:2)
> I'm sure if someone did discover an exploit then Cellebrite would pay much more than $1M for it.
If I had an exploit I would sell it to Apple for $1M rather than Cellebrite for $1.5M because Cellebrite will turn around and sell its service to repressive regimes. Roll the dice to see if Saudi Arabia will execute somebody based on the bypass you discovered.
There are amoral hackers out there who only care about themselves and money, but Apple is doing the right thing by setting up incentives for normal pe
Re: (Score:2)
I'm sure if someone did discover an exploit then Cellebrite would pay much more than $1M for it.
They won't. Apple wants to know about _vulnerabilities_. If you know about a vulnerability, you can fix it. But there is a long long way from vulnerability to actual exploit.
Re:Incentive? - perverse incentive. (Score:3)
If Apple wants to attract hackers, they need to make it more attractive to help them fix their shit rather than selling exploit on the black market
You have entirely missed the point.
Apple raise their bounty to $1m. So the baddies raise their prices by more!
The perverse incentive is that all this makes it more profitable for hackers to look for vulnerabilities and then sell them. Whether to Apple or a third party. More people looking means more problems found - and exploited.
Re: Trivial. Just "be" Apple. (Score:3)
Re: (Score:2)
"Ten minutes and no skills required."
Ok, go grab some random guy off the street and see if he can do it then?
Oh wait, you were bullshitting, I do apologise.
Re: (Score:2)
So one hack would be to do a heist at Apple and get hold of the master keys.
great idea (Score:2)
Re: (Score:2)
well invested. It is in everybody's interest to have secure phones. One should also restart programs like RSA factoring challenges to make sure that encryption stays safe. Embracing black hat hacking can serve as the analogue of immunisation, allowing a strong immune system to build up. Secure phones are in everybody's interest.
This move is interesting in that it shows what the open market considers the entry point for sale of a hack. I suspect, as Forbes pointed out, that this will have little impact on government's ability to buy the information they find valuable. What it will do is raise the bar for non-government actors as well as reward a hacker who is interested in improving security over making a buck and finds selling to the highest bidder unethical.
Next Story Headlines... (Score:1)
Next Story Headlines:
"Apple goes bankrupt due to payments for bug hunting."
Do they REALLY think any app is bug-free to avoid hacking?
No, but a $1million... (Score:2)
... is probably a lot less than it would cost for them to hire enough proper security types for long enough to do it properly. Get the kids out there to do the work for free and hope they don't find one, but if they do, well, drop in the ocean for a company that has 10^11 dollars in the bank. Plus it's good PR.
Cellebrite confirms $1m a drop in a bucket... (Score:4)
compared to the business case of selling one-off unlock services to law enforcement departments around the world.
Hackers, just wait for a few more weeks... (Score:3)
Kids will crack it (Score:1)
Re: Kids will crack it (Score:1)
To be fair, a verifiable 0day hack on iOS could probably already fetch $500,000 on the black and grey markets if you sell to multiple parties.
You can do so on very underground IRC networks that make 8chan look like Sesame Street.
Apple will give 1 million who can hack an iphone (Score:1)
Weasel words: "up to" (Score:1)
Hacked before the owner's touched it? (Score:1)