Apple opens up hacker-friendly iPhone to researchers at Black Hat – CNET

James Martin/CNET

The iPhone, with its iOS operating system, is known for its closed ecosystem — an advantage that provides security for the 2 billion people using it. But for security researchers looking for vulnerabilities, it’s a curse. Apple is now embracing hackers by offering special iPhones specifically for security researchers. 

Apple’s head of security, Ivan Krstic, unveiled the new program at Black Hat, a cybersecurity conference in Las Vegas. These iPhones aren’t the same as the ones you can buy in a store. They’re specifically coded for developers who want to poke around iOS and Apple’s hardware to find security flaws. 

Apple calls the special iPhone effort the iOS Security Research Device Program, and it’ll be available next year.

“This is an unprecedented fully Apple supported iOS security research platform,” Krstic said at the conference. 

The devices will come with advanced debug capabilities, Krstic added. Think of these iPhones as a step below jailbroken iOS devices — they won’t be as open, but they’ll provide enough details for security researchers to hunt for vulnerabilities.

The program was earlier reported by Forbes.

Companies often open up to hackers, with bug bounty programs, finding that outside security researchers can find vulnerabilities that their internal security teams might’ve missed. Security researchers find the bugs, and instead of selling them to hackers or using them for malicious purposes, they submit them to the bug bounty programs and earn cash rewards. 

In July, Google announced it was offering $30,000 to people who could find flaws in its Chrome browser. Apple also has a bug bounty program, through which it started offering $200,000 for security flaws at Black Hat in 2016.    

On Thursday, Apple announced changes to that program, now offering up to $1 million for a vulnerability that’s persistent, could get kernel code execution, and doesn’t require victims to click on anything.

“It is important for companies, especially those dealing with mounds of sensitive personal data, to have a public-facing way to report bugs and vulnerabilities,” Marten Mickos, CEO of the bug bounty platform HackerOne, said in a statement.

These vulnerabilities are highly valuable because of how closed Apple’s ecosystem is. After Apple announced its bug bounty in 2016, an outside group upped the ante and offered $500,000 for the flaws instead.

It’s why the hacker-friendly iPhone will be limited. Apple is giving this iPhone only to invited researchers in its bug bounty program. This is meant to help prevent recipients from turning around and selling any vulnerabilities they find to buyers offering a higher price than Apple.

“We want to attract exceptional researchers who have been focused on other platforms,” Krstic said.

source: cnet.com