At the recently concluded BlackHat conference in Las Vegas, Apple announced that it was finally launching its own bug bounty program. The program will initially cover five categories.
According to Apple’s head of security engineering and architecture, Ivan Krstic, the bounty program will initially consist of the following five categories:
- Vulnerabilities and proof-of-concept code in secure boot firmware components (maximum payout: $200,000)
- Extraction of confidential material protected by the Secure Enclave Processor (maximum payout: $100,000)
- Execution of arbitrary code with kernel privileges (maximum payout: $50,000)
- Unauthorized access to iCloud account data on Apple servers (maximum payout: $50,000)
- Access from a sandboxed process to user data outside that sandbox (maximum payout: $25,000)
Clearly, Apple sees these five as critical areas and has therefore given them top priority. Let’s take a closer look to understand why.
Vulnerabilities and proof-of-concept code in secure boot firmware components
iOS security starts the moment the device is switched on. In what is known as the secure boot chain or chain of trust, the key components involved in the start-up process (bootloaders, the kernel, kernel extensions, and baseband firmware) undergo a series of verification steps. Each step can only hand over to the next once the next component has been verified as digitally signed by Apple. The components involved, arranged in the order they are loaded, are: BootROM → LLB (Low-Level Bootloader) → iBoot → Kernel.
This secure boot chain is supposed to ensure that iOS can only run on a valid “iDevice” and, conversely, that an Apple mobile device can only boot into iOS. It also helps ensure that only trusted code and apps can run on an Apple device. However, as with all chains, if one link is broken, the rest of the chain gives way. Since it is the device’s first line of defense, it’s imperative that any vulnerabilities in it are identified.
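The chain-of-trust logic described above, as an added illustration (not Apple's code and not a description of the real BootROM internals): the root public key is fixed in the immutable first stage, each later stage is verified against it before it is allowed to run, and a single tampered image halts the boot. The stage names, image contents and the Ed25519 key pair are constructed for the demonstration; Apple's real chain uses its own signing scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Stage is one link of the boot chain: the image to load and a signature
// over its digest made with the vendor's private key (Apple's, in iOS).
type Stage struct {
	Name  string
	Image []byte
	Sig   []byte
}

// SignStage produces a signed stage. It stands in for the vendor's build
// pipeline; the key pair used here is generated locally for the demo.
func SignStage(priv ed25519.PrivateKey, name string, image []byte) Stage {
	digest := sha256.Sum256(image)
	return Stage{Name: name, Image: image, Sig: ed25519.Sign(priv, digest[:])}
}

// VerifyChain models the BootROM-rooted check: the root public key is baked
// into the immutable first stage, and every later stage is verified against
// it before control passes on. It returns the stages that were allowed to
// run and the name of the first stage that failed ("" if none), so a single
// broken link halts the chain instead of being skipped over.
func VerifyChain(rootPub ed25519.PublicKey, stages []Stage) (booted []string, failed string) {
	for _, s := range stages {
		digest := sha256.Sum256(s.Image)
		if !ed25519.Verify(rootPub, digest[:], s.Sig) {
			return booted, s.Name // halt: refuse to load unsigned or modified code
		}
		booted = append(booted, s.Name)
	}
	return booted, ""
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed root key, not Apple's
	chain := []Stage{
		SignStage(priv, "LLB", []byte("low level bootloader")),
		SignStage(priv, "iBoot", []byte("iboot stage-2 loader")),
		SignStage(priv, "Kernel", []byte("xnu kernelcache")),
	}
	booted, failed := VerifyChain(pub, chain)
	fmt.Println("clean boot:", booted, "failed:", failed)

	chain[1].Image[0] ^= 0xff // simulate a modified iBoot image on flash
	booted, failed = VerifyChain(pub, chain)
	fmt.Println("tampered boot:", booted, "halted at:", failed)
}
```

The second run stops at iBoot: LLB still verifies, but nothing after the modified stage is loaded, which is exactly why a flaw in the BootROM (which nothing verifies) is worth the top bounty tier.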
Extraction of confidential material protected by the Secure Enclave Processor
Secure Enclave is a coprocessor that’s been fabricated into Apple’s A-series processors since Apple A7. It’s best known as the place in an Apple device where Touch ID fingerprint information is processed and stored in encrypted form. In fact, it’s where all cryptographic operations for Data Protection key management take place.
Data Protection is a proprietary Apple technology responsible for encrypting user data for system apps like Messages, Mail, Contacts, Photos, and Health, as well as for third-party apps installed on the device. If confidential material protected by the Secure Enclave can be extracted, the data in these apps can be compromised.
Execution of arbitrary code with kernel privileges
Arbitrary code execution refers to an attacker’s ability to execute commands in a computer system by exploiting vulnerabilities. Since the kernel is the heart of iOS (or any OS for that matter), any arbitrary code execution vulnerability in it can have serious repercussions. Some iOS kernel vulnerabilities that have been exploited in the past include arbitrary memory overwrites, uninitialized kernel variables, stack-based buffer overflows, and heap-based buffer overflows, to mention a few.
Unauthorized access to iCloud account data on Apple servers
I imagine you recall the “Celebgate” (or “The Fappening”) iCloud photo leak involving celebrities like Jennifer Lawrence, Kate Upton, Kirsten Dunst, and many others. No further explanation needed.
Access from a sandboxed process to user data outside that sandbox
In iOS, all third-party apps are placed in a “sandbox” environment, which prevents them from gaining access to files stored by other apps or even making changes to the device. They’re also restricted from system files and resources. And although they are granted access to user information as well as to features like iCloud, their access privileges are highly controlled.
Unfortunately, like its other security features, the iOS sandbox mechanism can still have vulnerabilities. Last year, for example, a vulnerability involving MDM (mobile device management) solutions put enterprise credentials at risk.
Security experts have long been urging Apple to offer a bug bounty program, and Apple has long been ignoring them. The tech giant prides itself on having top-notch security and is well known for doing things its own way. It speaks to the general state of security and the sheer volume of threats that Apple has finally taken this step.
If an organization with Apple’s expertise and resources needs help finding vulnerabilities, do you? Contact us to find what your other security tools may have missed.