Apple Policy on Bugs May Explain Why Hackers Would Help F.B.I.

“Our team must work tirelessly to stay one step ahead of criminal attackers who seek to pry into personal information,” Mr. Federighi said. “Despite our best efforts, nothing is 100 percent secure.”

Apple has long been less visible in the security community compared with other tech companies. The company has shied away from bug bounty programs and instead relied on large testing programs and the work of its security team to spot vulnerabilities, partly because it is disinclined to keep up with a financial arms race of paying for bugs, according to three former and current employees, who spoke on the condition of anonymity because they were not authorized to speak publicly about security matters.

Apple has said it will fight to know more about the flaw in the software or hardware that the third party has presented to law enforcement. A senior executive said in a conference call with reporters Tuesday that if the government found the method did not work and tried to force Apple to help break into the phone, Apple would have questions about what was tried, in order to keep its products as secure as possible.

Continue reading the main story

If the third-party method does work, the government may dismiss a court order demanding that Apple weaken its security, but keep the process it used to break into the phone under seal. In that case, Apple would have no way of knowing how the government broke into its software or hardware.

Exploits in Apple’s code have become increasingly coveted over time, especially as its mobile devices have become ubiquitous, with an underground ecosystem of brokers and contractors willing to pay top dollar for them.

Flaws in Apple’s mobile devices can typically fetch $1 million. Last September, a boutique firm in Washington, called Zerodium, which sells flaws to governments and corporations, announced a $1 million bounty for anyone who would turn over an exploit in Apple’s iOS 9 mobile operating system — the same operating system used to power the iPhone used by the San Bernardino shooter. By November, Zerodium said a team of undisclosed hackers had successfully claimed the bounty.

Chaouki Bekrar, the founder of Zerodium, said his company was not the outside party referred to in the government’s court filing on Monday. But Mr. Bekrar added that even if Zerodium had helped the F.B.I., he would not disclose it.

“For every Zerodium, there are a thousand other organizations like Zerodium that are far less vocal about doing what they do and will pay researchers who find this stuff to keep it a secret,” said Casey Ellis, the founder of BugCrowd, a company in San Franciso that helps vendors manage bug bounty programs.

The heated battle between the United States government and Apple over breaking into the iPhone used by the San Bernardino gunman may have inadvertently catalyzed the underground market for Apple code flaws. With the F.B.I. pushing Apple to help unlock the device with a court order and publicizing that it has been unable to get into the iPhone, hackers realized there was a blank check for them if they could accomplish it, said Jon Oberheide, the chief technology officer of Duo Security, a cloud security company.

Some security researchers said no bounty Apple could offer now would match the reward they could expect from the underground market. Apple has waited so long that the black market for its flaws has become extremely lucrative, perhaps making any bug bounty program the company would create seem late to the game.

“Apple can embrace security researchers, or try to facilitate programs that will secure its operating system, but it’s never going to be able to compete with what is going on behind the scenes in the black market,” said Jay Kaplan, a former N.S.A. analyst and co-founder of Synack, a company that deploys hackers to weed out vulnerabilities in clients’ systems. “It’s just not going to happen.”

Continue reading the main story
Source link