Apple announces its first security bug bounty program at Black Hat 2016, with payouts of up to $200K

Apple has never appeared at the Black Hat hacker conference before, but this year Cupertino is Thinking Different™ about security. Ivan Krstic, head of Apple security, said today that the company will pay large bug bounties (up to $200K) to researchers who find and report vulnerabilities in certain Apple software.

A quick breakdown of the maximum payouts:

  • Secure Boot firmware: $200,000
  • Extraction of confidential material protected by the Secure Enclave Processor: $100,000
  • Execution of arbitrary code with kernel privileges: $50,000
  • Unauthorized access to iCloud account data on Apple Servers: $50,000
  • Access from a sandboxed process to user data outside of that sandbox: $25,000

Earlier this year, the FBI paid out under $1M to extract the data from the San Bernardino terrorist’s iPhone. Perhaps Apple is trying to eliminate these lucrative back doors into its crown-jewel software.

According to that report, the tool the FBI used could be used on any iPhone running iOS 9.

Jailbreakers have also used Apple vulnerabilities to gain access to the iPhone. Today Apple issued an update, iOS 9.3.4, specifically designed to block the latest Pangu jailbreak.

The talk today is called "BEHIND THE SCENES OF IOS SECURITY", by Ivan Krstic. From the abstract:

With over a billion active devices and in-depth security protections spanning every layer from silicon to software, Apple works to advance the state of the art in mobile security with every release of iOS. We will discuss three iOS security mechanisms in unprecedented technical detail, offering the first public discussion of one of them new to iOS 10.

HomeKit, Auto Unlock and iCloud Keychain are three Apple technologies that handle exceptionally sensitive user data – controlling devices (including locks) in the user’s home, the ability to unlock a user’s Mac from an Apple Watch, and the user’s passwords and credit card information, respectively. We will discuss the cryptographic design and implementation of our novel secure synchronization fabric which moves confidential data between devices without exposing it to Apple, while affording the user the ability to recover data in case of device loss.

Data Protection is the cryptographic system protecting user data on all iOS devices. We will discuss the Secure Enclave Processor present in iPhone 5S and later devices and explain how it enabled a new approach to Data Protection key derivation and brute force rate limiting within a small TCB, making no intermediate or derived keys available to the normal Application Processor.

Traditional browser-based vulnerabilities are becoming harder to exploit due to increasingly sophisticated mitigation techniques. We will discuss a unique JIT hardening mechanism in iOS 10 that makes the iOS Safari JIT a more difficult target.
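The Data Protection design the abstract sketches (a passcode-derived key computed inside the Secure Enclave, tangled with a device secret, with brute-force rate limiting enforced in a small TCB and no intermediate or derived keys handed to the Application Processor) can be modeled in a few dozen lines. The following is an added toy model written for this article, not Apple's code and not a description of the real key hierarchy: the class names, the PBKDF2/HMAC key schedule, the escalating delay table and the HMAC-keystream wrapping are all assumptions made for illustration.

```python
"""Toy model of the Secure Enclave Data Protection design sketched in the
Black Hat abstract. Constructed for illustration only: the key schedule,
delay table and wrapping scheme are assumptions, not Apple's implementation."""
import hashlib
import hmac
import os
import time


class EnclaveLocked(Exception):
    """A guess arrived before the current retry delay had elapsed."""


class SecureEnclaveModel:
    """Everything in this class is 'inside the enclave': the caller (the
    Application Processor) only ever receives per-file keys, never the UID,
    the passcode-derived KEK or the class key."""

    # Constructed delay schedule: cumulative failed attempts -> seconds to wait.
    DELAY_AFTER_FAILURES = {5: 1, 6: 5, 7: 15, 8: 60}
    KDF_ITERATIONS = 100_000

    def __init__(self, passcode, clock=time.monotonic):
        self._clock = clock
        self._uid = os.urandom(32)        # device-unique secret, enclave-only
        self._salt = os.urandom(16)
        self._class_key = os.urandom(32)  # wraps per-file keys; never exported
        self._failed = 0
        self._locked_until = 0.0
        kek = self._derive_kek(passcode)
        # Keep a verifier rather than the KEK itself, so the enclave can
        # recognise the right passcode without storing a derived key at rest.
        self._verifier = hmac.new(kek, b"verify", hashlib.sha256).digest()

    def _derive_kek(self, passcode):
        # Slow KDF over the passcode, then tangled with the UID: since the UID
        # is known only to this enclave, the derivation cannot be moved
        # off-device and run on faster hardware.
        stretched = hashlib.pbkdf2_hmac(
            "sha256", passcode.encode(), self._salt, self.KDF_ITERATIONS)
        return hmac.new(self._uid, stretched, hashlib.sha256).digest()

    def _delay_for(self, failures):
        # Beyond the end of the table the longest delay keeps applying.
        if failures > max(self.DELAY_AFTER_FAILURES):
            return max(self.DELAY_AFTER_FAILURES.values())
        return self.DELAY_AFTER_FAILURES.get(failures, 0)

    @property
    def failed_attempts(self):
        return self._failed

    def wrap_file_key(self, file_key):
        # Toy wrap (HMAC keystream XOR); a real design would use an AEAD.
        nonce = os.urandom(16)
        stream = hmac.new(self._class_key, nonce, hashlib.sha256).digest()
        return nonce + bytes(a ^ b for a, b in zip(file_key, stream))

    def unwrap_file_key(self, passcode, wrapped):
        now = self._clock()
        if now < self._locked_until:
            raise EnclaveLocked(f"retry in {self._locked_until - now:.0f}s")
        tag = hmac.new(self._derive_kek(passcode), b"verify", hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._verifier):
            self._failed += 1
            self._locked_until = now + self._delay_for(self._failed)
            raise PermissionError("wrong passcode")
        self._failed = 0
        nonce, body = wrapped[:16], wrapped[16:]
        stream = hmac.new(self._class_key, nonce, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(body, stream))


class FakeClock:
    """Controllable clock so the delay logic can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def attempt(enclave, passcode, wrapped):
    """Drive one AP-side unlock request and classify the enclave's answer."""
    try:
        enclave.unwrap_file_key(passcode, wrapped)
        return "unlocked"
    except EnclaveLocked:
        return "locked"
    except PermissionError:
        return "wrong"


def run_demo():
    """Five wrong guesses, then the right passcode: the enclave refuses even
    the correct passcode until the delay has elapsed, then unlocks."""
    clock = FakeClock()
    enclave = SecureEnclaveModel("1234", clock=clock)
    wrapped = enclave.wrap_file_key(bytes(range(32)))  # constructed file key
    outcomes = [attempt(enclave, "0000", wrapped) for _ in range(5)]
    outcomes.append(attempt(enclave, "1234", wrapped))  # still locked
    clock.now += 1.0                                     # wait out the delay
    outcomes.append(attempt(enclave, "1234", wrapped))
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

Run it directly to see the sequence of outcomes. Two things are worth noticing: after the fifth wrong guess even the correct passcode is refused until the delay elapses, and nothing the caller ever receives (only the unwrapped per-file key) allows the derivation to be redone off-device, because the UID never leaves the model's enclave.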

There are some caveats to the program, according to CNET:

Maybe if Apple had been paying bounties for major flaws, it could have avoided that scenario, said Rich Mogull, CEO of cybersecurity research company Securosis. But when it comes to really valuable tools for hacking the company’s products, he said, “Apple’s not going to be able to out pay the government or some Russian mafioso who can pay $1 million.”

What the program will do is encourage researchers to go the distance with their findings, Mogull said. Rather than finding a flaw and moving on with their lives, experts will have a reason to prove the flaw could really let hackers in the door. That proof is required before Apple will pay up.

Apple said the bug bounty is meant to acknowledge how difficult it is to find a weakness in its systems. As the company has tightened the security around its products with encryption, which scrambles up user data, and continues to tightly control its software in general, the challenge of breaking that security has become greater.

The payouts will depend on where the flaw is found, and the program won’t initially be open to just any old hacker, Apple said. When it launches in September, the program will include a few dozen security researchers the iPhone maker has previously worked with. But if a researcher outside that group finds a high-value flaw, Apple said, it will consider paying him or her as well.

“It’s not meant to be any kind of exclusive club,” Krstic said.
