Serious Warning Issued For Millions Of Apple iPhone Users


    iPhones have faced a number of serious threats recently, but more concerning is that Apple is arguably responsible for not preventing an increasing number of them. And it has happened again. 


    Last month, a shocking blog post from security researcher Denis Tokarev revealed that he had been unable to get Apple to act on multiple iPhone and iPad zero-day hacks (the most dangerous category of hack), despite more than six months having passed since he submitted them. In desperation, Tokarev made the hacks public and Apple promised to act. Instead, what happened should signal serious warning alarms. 

    On Monday, Apple released iOS 15.0.2 — the second iOS update since Apple promised to act and the eighth release since Tokarev originally notified Apple of the security threats. Digging into the release, Tokarev was stunned to discover two things. First, Apple had again failed to fix two of his zero-day vulnerabilities. Second, the company had “quietly fixed [the] gamed vulnerability in iOS 15.0.2 without giving me credit.” 

    While the ongoing zero-days mean iPhone and iPad owners have again been left at risk, Tokarev’s latter observation is also critically important. Security researchers work hard to discover and report vulnerabilities in iOS and macOS because Apple runs an official Security Bounty program. The program credits researchers for their discoveries and offers payouts ranging from $25,000 up to $1M… or it should because there have been increasing examples of this not happening (1,2,3,4,5,6,7,8,9,10,11 etc). 

    And when it doesn’t happen, the temptation is for researchers to sell their exploits to hackers instead. Just look at some of the responses to Tokarev’s thread:

    “We seriously have to stop giving Apple this opportunity. Let’s hurt their brand a bit and make them see this is not how things are done. Drop the 0-days”

    “As a long-time cybersecurity professional, my best suggestion is: don’t drown in ethics when it’s about Apple. drop it next time and make money on that, you know there are agencies that legally buy 0-days.”

    “I think you should sell it..”

    “next time teach them a lesson”

    “Next time just disclose the vulnerability to the public. F**k Apple”

    All of which shows the danger ahead. Apple is doing excellent work (as ZecOps notes, the zero day hack patched in iOS 15.0.2 was incredibly dangerous), but there is a pattern emerging where discoveries by security researchers are either ignored without persistent pressure or belatedly patched without credit or reward. 

    As Marco Arment, creator of Instapaper and Overcast and former CTO of Tumblr, commented last month: “Security relations are developer relations. What will it take for Apple to change their entire CULTURE of how they treat outside developers? [It’s] so deeply broken, yet nothing changes. What will it take?”

    The risk is it will take Apple’s greatest allies turning into their biggest threat, by which time it will be too late. After all, the recent discovery of the so-called Pegasus hack shows what can happen when researchers work against Apple: this critical flaw was sold to the highest bidders and used by foreign governments for spying. It went undetected for five years. 

    Apple continues to market itself as the champion of privacy and security. With the former brutally dismantled over the CSAM debacle, Apple now needs to work doubly hard to save its reputation with the latter. 

    I have reached out to Apple and will update this post when/if I get a response. 
