Published: Sun, August 11, 2019
IT | By Jonathon Greene

Apple offers record 'bounty' to researchers who find iPhone security flaws


Apple has enabled a feature on its new iPhones that blocks users from accessing their battery health information if the battery was replaced by a third party.

Apple will offer a modified version of the iPhone to security researchers as part of its bug-bounty program, the company announced at the Black Hat cybersecurity conference on Thursday.

There are different tiers or levels depending on what type of vulnerability a hacker finds.

The special phones will disable some security features and enable deeper access for researchers, Krstić told Bloomberg News after the announcement. They are easier to hack than traditional iPhones, meant for developers to find security flaws so Apple can fix them before a new product launch. Apple's limiting of bounties to iOS bugs had been criticized by the security community. The program paid a cash bounty to security researchers who found security vulnerabilities and disclosed them to Apple. Meanwhile, the company will give $500,000 to anyone who can find a "network attack requiring no user interaction". The bounty program will include all of Apple's platforms, including iCloud, iOS, tvOS, iPadOS, watchOS, and macOS.

For obvious reasons, these specialized iPhones will only be given to trusted security researchers that have been vetted by Apple, although it won't be an invitation-only program - anyone is welcome to apply, but Apple will be looking for those with a "track record of high-quality systems security research on any platform".

Krstić also unveiled Apple's new iOS Security Research Device program, which will be out next year. A $1 million reward will be at stake for researchers who discover a more severe attack that leads to gaining total, persistent control of a user's computer. The exclusive handsets will come with ssh, a root shell, and advanced debug capabilities.

Battery replacements carried out by someone other than an Apple Genius or Apple Authorized Service Provider will not clear the ominous "Service" warning message in the iPhone's Settings > Battery > Battery Health menu.

However, the release notes for iOS 12.1, released on Tuesday, revealed Apple has brought the controversial feature to the iPhone X, iPhone 8 and iPhone 8 Plus - which were released just a year ago. Hackers search for security flaws missed by internal teams, and instead of exploiting the bugs, they submit them back to the programs for financial rewards.
