Apple announced a new program for security researchers, with modified iPhones giving privileged access.
Apple
Apple unveiled a new kind of iPhone on Wednesday, but it’s not one that just anybody can get ahold of. The new batch of modified iPhones are tweaked specifically for security researchers as part of the tech giant’s new Security Research Device program.
At last year’s Black Hat cybersecurity conference, Apple first said it would be providing modified iPhones for security researchers. It launched the program Wednesday, saying it would be accepting applications immediately and that researchers who apply should expect to get their devices very soon.
The iPhones will be the latest models available, but they come with specific hardware fusing that accommodates programs used by security researchers. You wouldn’t be able to run the same tests on a store-bought iPhone, unless you had the gadget jailbroken.
Apple has different hardware for different tiers of its iPhones, like hardware fusing that lets Apple’s own developers test software internally. These dev-fused iPhones are highly coveted in the security research market because of that access, but they’re hard to find.
Discover the latest news and best reviews in smartphones and carriers from CNET’s mobile experts.
The Security Research Device program offers a middle ground, with researchers now able to get iPhones with privileged access directly from Apple. Compared with a normal iPhone, where you’re limited to software from the App Store, these devices allow for researchers to run security testing software right out the box.
Typically, security researchers looking to find vulnerabilities on an iPhone would first need to break out of the App Store limitations — which can be a challenging obstacle if you’re not an expert on iOS security. In some cases, researchers would also jailbreak iPhones, but that comes with limits too, since jailbreaks are often running on older versions of iOS with vulnerabilities that’re patched in later versions.
Apple said it launched this program to make it easier for security researchers to get started on finding vulnerabilities with its iPhones.
The phones will be provided on a yearly basis, requiring researchers to renew with Apple every 12 months, and they aren’t meant for personal use, according to the company. There’s a limited supply of these security-research focused iPhones, but Apple said it would be keeping in touch with the researchers for feedback on how to expand the program.
Participants will also be a part of a dedicated forum to talk with one another as well as with Apple security engineers about discoveries with the program, the company said.
To be eligible, you have to be part of Apple’s Developer program and demonstrate a track record of finding security issues with Apple’s devices.
The program also comes with restrictions. Security vulnerabilities discovered on the platform must be reported to Apple and can’t be discussed with the public until a date determined by the company, ideally when Apple resolves the flaw.
That restriction creates a concern if the flaw is never fixed, said Will Strafach, CEO of mobile security company Guardian and an iOS security researcher. He said he wouldn’t be applying to the program because of that restriction.
Strafach said that in his work, he’s found that public disclosures of security vulnerabilities often pressure companies to fix issues that otherwise never would’ve been addressed.
“It’s a good first step, I doubt this is very easy to make happen,” Strafach said. “But there should be a lot more. The two big things I think are really needed are wider availability with less restrictions on how you can use it, and making it closer to the developer-fused iPhones that make the rounds on the gray market.”
Ben Hawkes, a team lead for Google’s security research team Project Zero, said in a tweet that the restrictions also prevent them from participating in Apple’s program. Project Zero had discovered major vulnerabilities for iOS that targeted Muslims in China last September.
“We’ll continue to research Apple platforms and provide Apple with all of our findings, because we think that’s the right thing to do for user security. But I’ll confess, I’m pretty disappointed,” Hawkes said on Twitter.
ZecOps, another cybersecurity firm, which in April discovered iOS vulnerabilities with Apple Mail, also said it wouldn’t be participating in the program because of the restrictions.
ZecOps will not use the “dedicated research device” released by @Apple due to the program’s restrictions and minimal benefits. We will continue to report bugs to Apple because it’s the right thing to do.
Instead of releasing dedicated research device we encourage Apple to …
— ZecOps (@ZecOps) July 22, 2020
