Apart from unveiling a dedicated macOS bounty program at this week’s Black Hat security conference, Apple is expected to hand researchers special pre-jailbroken iPhone devices that will make it easier for them to detect security vulnerabilities in the iOS operating system.
Special iPhone hardware will be limited to participants in the iOS bug bounty program. Forbes cited one source with knowledge of the Apple announcement who explained what makes these iPhones, also referred to as “dev devices”, special:
Think of them as iPhones that allow the user to do a lot more than they could on a traditionally locked-down iPhone. For instance, it should be possible to probe pieces of the Apple operating system that aren’t easily accessible on a commercial iPhone. In particular, the special devices could allow hackers to stop the processor and inspect memory for vulnerabilities. This would allow them to see what happens at the code level when they attempt an attack on iOS code.
It’s like any jailbroken iPhone, only with more restrictions.
Outside of trying to boost iPhone security, the move could also be a reaction to leaks of dev devices, which have subsequently been sold on the black market. They’ve proven useful to hackers over recent years, according to a Vice Motherboard report. Though the possibility for iPhone device leaks could increase with this latest strategy, Apple vets the people on its bounty program and will likely still maintain some control over the dev phones. The announcement could equally be seen as the tech giant trying to counter those underground sales.
Apple also has special iPhone hardware for its security team that provide additional levels of openness for internal use—for instance, employees using these devices can decrypt iPhone firmware—but those devices won’t be available to the iOS bug bounty program members.
Very excited to return to the Black Hat stage this year to talk about some world-class Apple security features! iOS code integrity and Pointer Authentication Codes, Mac secure boot with the T2 Security Chip, the crypto behind the Find My feature, and more: https://t.co/ftnHs3iBO5 https://t.co/SzkzTt354z
— Ivan Krstić (@radian) June 26, 2019
Announced during the the 2016 Black Hat conference, the invitation-only iOS bug bounty program rewards security researchers who would disclose bugs in the company’s products with up to $200,000.