MacRumors

macrumors bot
Original poster


Apple in July announced the launch of a new Apple Security Research Device Program, which is designed to provide researchers with specially-configured iPhones that are equipped with unique code execution and containment policies to support security research.


Apple is notifying the first researchers who will be receiving these special iPhones as of today, and the Cupertino company says that the devices will be sent out right away. Under the terms of the program, participating security researchers will be provided with iPhones that are on loan for one year, though it will be possible to extend the loan period.

The goal of the Security Research Device Program is to further improve the security of iOS, and Apple believes that the contributions of security researchers will assist the company in achieving its goal of increasing safety for consumers. Apple says that it values collaborating with independent researchers and appreciates the work they do on Apple platforms.

The iPhones Apple will provide are less locked down than consumer devices, which will make it easier for researchers to locate serious security vulnerabilities. These devices are as close as possible to production phones with the latest version of iOS and modern hardware. Researchers will not need to jailbreak the phones to do research, which will enable them to investigate platform security features, and they can run whatever tools they want to test the OS.

Program participants have access to extensive documentation and a dedicated forum with Apple engineers for collaborative purposes. The Security Research Device Program runs alongside the bug bounty program, so researchers who locate vulnerabilities can receive payouts of up to $1.5 million.

Article Link: Apple Sending Special iPhones to First Participants in Security Research Device Program
 

Robert.Walter

How does Apple ensure that they are not making the research to find exploits easier but that the researcher doesn’t sell a found exploit to a 3rd party for more than Apple offers?

Is Apple monitoring and recording the nature and content of the researcher’s work, so they know who to go after should a bad faith researcher go rogue?
 

Makosuke

This is great news--the better the tools security researchers have, the safer the world is for all of us.

> How many copies do you think the NSA is getting?
If the security researchers actually sharing bugs are good enough at what they do, it won't matter.

Also, in the past the NSA has certainly kept holes to themselves instead of reporting them, but this has demonstrably caused a lot of damage, so a change in the cost-benefit analysis of hoping you're the only one who knows about it might explain why they seem to have changed their strategy in the last year or so and have actually reported major exploits instead of abusing them. The number of US CEOs and high-ranking government employees who use iPhones versus the number of adversarial targets who do would also, presumably, affect that calculation.
 

Makosuke

> How does Apple ensure that they are not making the research to find exploits easier but that the researcher doesn’t sell a found exploit to a 3rd party for more than Apple offers?
>
> Is Apple monitoring and recording the nature and content of the researcher’s work, so they know who to go after should a bad faith researcher go rogue?
I don't know any details, but in general terms I think this is a situation where giving the same tools to multiple researchers, in addition to good bounties for finding a bug, is a pretty solid way to get good-faith participation.

Generally I tend to trust public security researchers like this, since if they were interested in selling exploits to criminals... they wouldn't be public security researchers. They'd just do it quietly as a blackhat and not risk the exposure if someone they sell to gets caught or whatnot. Why make a big deal out of being a researcher then do something flagrantly illegal?

But even if you don't trust them, each one has to do the calculus: Other people have the same device I have. I find a bug that Apple is willing to pay $500,000 for and can get the payout for immediately, legally, no questions asked.

Or I can try to find some very wealthy criminal or state actor who is willing to pay $2,000,000 for it, launder the money, probably quit my job because people are probably going to ask questions if I flaunt it, and my buyer is going to have to be okay with the risk that one of the other researchers isn't going to find the same bug tomorrow.

All of which is to say that an illegal buyer is going to have to be either extremely rich or extremely confident that you're better than the other researchers working on the same problem to be willing to pay big for it, and you're going to be under a lot more scrutiny if you suddenly get rich.
 

amartinez1660

> Apple has the obligation under the law to provide any data the NSA requests, and that includes all of the customer's data.

I thought only Chinese companies were required to do that! /s
Any data they have, which is why all the “please make a backdoor access or else” threats and pushes have been a thing. Since Apple DOES NOT have access to the data, the best they can do is give a handful of encrypted soup... and then good luck with that.

See, Apple has protected the consumer and themselves, rippling into protecting privacy at large, by making sure that they don’t, at all costs, collect any sensitive or identifying information. I understand that one of the weakest links was iCloud, but two-factor authentication has increased security there... In other countries, not having the information ready when asked could at best mean being displaced by a new puppet that would, or even execution for treason at worst.

I come from Venezuela. In 2001 a petition was signed to let the president be let go, call it an impeachment of sorts... but that ended up in 20K+ workers getting axed from their positions, especially if linked to the public sector or a private company with public sector contracts and ties, because the government basically used it as a trap to see who was on their side... I left a long time ago, but that happens often. From getting fired, to kidnapped, to never seen ever again.
Trust me when I say that no, the US is nowhere near close to what happens in other countries, by far. I get the sentiment that it seems to steer in the wrong direction badly, but it’s for sure on time for the proper corrections.
 

DummyFool

> Any data they have, which is why all the “please make a backdoor access or else” threats and pushes have been a thing. Since Apple DOES NOT have access to the data, the best they can do is give a handful of encrypted soup... and then good luck with that.
>
> See, Apple has protected the consumer and themselves, rippling into protecting privacy at large, by making sure that they don’t, at all costs, collect any sensitive or identifying information. I understand that one of the weakest links was iCloud, but two-factor authentication has increased security there... In other countries, not having the information ready when asked could at best mean being displaced by a new puppet that would, or even execution for treason at worst.
>
> I come from Venezuela. In 2001 a petition was signed to let the president be let go, call it an impeachment of sorts... but that ended up in 20K+ workers getting axed from their positions, especially if linked to the public sector or a private company with public sector contracts and ties, because the government basically used it as a trap to see who was on their side... I left a long time ago, but that happens often. From getting fired, to kidnapped, to never seen ever again.
> Trust me when I say that no, the US is nowhere near close to what happens in other countries, by far. I get the sentiment that it seems to steer in the wrong direction badly, but it’s for sure on time for the proper corrections.
They probably have a little more than what they are advertising. For example, on Big Sur the amount of data about what you are doing on your Mac that goes back to Apple is a lot.

Most people don't know this, but the PRISM surveillance program (you can find more info here: https://en.wikipedia.org/wiki/PRISM_(surveillance_program)) forces US companies to deliver any data they have to the NSA (with a warrant, but they are easy to obtain and it has been proven the system has been easily abused), and the said company has the legal obligation not to divulge that they had to give it.

So Apple will never admit they gave away your data because it would be a federal offense for them to do so (plus bad publicity), but they are; they have been identified as one of the companies that had the most requests from the NSA since 2008. Sorry, rude awakening, but it's not Apple's fault.
 

SAIRUS

Tim: We don’t have to hire people any more, we can just pay them when they perform!
 

haruhiko

> Any data they have, which is why all the “please make a backdoor access or else” threats and pushes have been a thing. Since Apple DOES NOT have access to the data, the best they can do is give a handful of encrypted soup... and then good luck with that.
>
> See, Apple has protected the consumer and themselves, rippling into protecting privacy at large, by making sure that they don’t, at all costs, collect any sensitive or identifying information. I understand that one of the weakest links was iCloud, but two-factor authentication has increased security there... In other countries, not having the information ready when asked could at best mean being displaced by a new puppet that would, or even execution for treason at worst.
>
> I come from Venezuela. In 2001 a petition was signed to let the president be let go, call it an impeachment of sorts... but that ended up in 20K+ workers getting axed from their positions, especially if linked to the public sector or a private company with public sector contracts and ties, because the government basically used it as a trap to see who was on their side... I left a long time ago, but that happens often. From getting fired, to kidnapped, to never seen ever again.
> Trust me when I say that no, the US is nowhere near close to what happens in other countries, by far. I get the sentiment that it seems to steer in the wrong direction badly, but it’s for sure on time for the proper corrections.
As far as I know iCloud backups are either not encrypted, or Apple itself has the encryption keys. So the government can still have all your data if you use iCloud backup. Many countries in the world now require tech giants to store their users' data in their own country so if you do something against the law in your country, the government can well request Apple to provide your iCloud backup as evidence to prosecute you.
 
> They could make iOS open source and then the community can improve upon it and also install it on non-Apple devices. :p
Bwahaha, and then you woke up. Apple will never make that mistake again. You can read up on the Clone Wars of the 1990s to see what happened when they went down that route before with an OS.

Apple will never let other OEMs have access to its crown jewel. Next you will be saying they should let third parties have access to the Secure Enclave, which will never happen either.
 

rmariboe

> As far as I know iCloud backups are either not encrypted, or Apple itself has the encryption keys. So the government can still have all your data if you use iCloud backup. Many countries in the world now require tech giants to store their users' data in their own country so if you do something against the law in your country, the government can well request Apple to provide your iCloud backup as evidence to prosecute you.
Everything is end-to-end encrypted, meaning only you have access to the data.

Governments require data to be stored locally because states are not obligated to conform to other states’ data protection laws.
 

NT1440

> They probably have a little more than what they are advertising. For example, on Big Sur the amount of data about what you are doing on your Mac that goes back to Apple is a lot.
>
> Most people don't know this, but the PRISM surveillance program (you can find more info here: https://en.wikipedia.org/wiki/PRISM_(surveillance_program)) forces US companies to deliver any data they have to the NSA (with a warrant, but they are easy to obtain and it has been proven the system has been easily abused), and the said company has the legal obligation not to divulge that they had to give it.
>
> So Apple will never admit they gave away your data because it would be a federal offense for them to do so (plus bad publicity), but they are; they have been identified as one of the companies that had the most requests from the NSA since 2008. Sorry, rude awakening, but it's not Apple's fault.
Are you familiar with warrant canaries?
 
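Added illustration of the mechanism NT1440 is referring to (this is example code written for this page, not code from the thread, from Apple, or from any vendor's transparency page): a warrant canary is a statement an organization republishes on a schedule saying it has not received secret orders; a gag order forbids announcing the order but not silently dropping the statement or letting it go stale, so readers watch for absence rather than for an announcement. The checker below compares a published canary against a fixed list of expected statements and a freshness window. The two canary texts, the "published YYYY-MM-DD" date line, the statement wording and the 90-day limit are all constructed assumptions for the example.

```python
"""Warrant-canary checker: flags a stale canary or a silently dropped statement.

Added example for this page; the canary format below is an assumption,
not any real vendor's format.
"""
from datetime import date
import re

# Constructed sample: a healthy canary edition.
CANARY_OK = """Transparency statement, published 2020-12-01.
1. We have not received any National Security Letters.
2. We have not received any FISA court orders.
3. We have not received any gag orders that prevent us from reporting on the above.
"""

# Constructed sample: a later edition that quietly drops statement 2.
# Under a gag order this is what an honest operator can still do.
CANARY_DEGRADED = """Transparency statement, published 2021-01-04.
1. We have not received any National Security Letters.
3. We have not received any gag orders that prevent us from reporting on the above.
"""

# The statements a reader expects to see in every edition. Checking against a
# fixed list is the whole point: the signal is a line that is missing, which
# cannot be noticed by only parsing what is present.
REQUIRED = (
    "We have not received any National Security Letters.",
    "We have not received any FISA court orders.",
    "We have not received any gag orders that prevent us from reporting on the above.",
)

DATE_RE = re.compile(r"published (\d{4}-\d{2}-\d{2})")


def check_canary(text, today_iso, max_age_days=90):
    """Return a list of findings for one canary edition; empty means alive.

    today_iso is the observation date as 'YYYY-MM-DD' (passed in rather than
    read from the clock so the check is reproducible).
    """
    findings = []
    m = DATE_RE.search(text)
    if not m:
        # No date means the freshness guarantee is gone entirely.
        return ["no publication date found"]
    published = date.fromisoformat(m.group(1))
    age = (date.fromisoformat(today_iso) - published).days
    if age < 0:
        findings.append("publication date is in the future")
    elif age > max_age_days:
        findings.append(f"canary is stale: {age} days old (limit {max_age_days})")
    for stmt in REQUIRED:
        if stmt not in text:
            findings.append(f"statement missing: {stmt!r}")
    return findings


if __name__ == "__main__":
    for name, text, today in (("ok", CANARY_OK, "2020-12-15"),
                              ("degraded", CANARY_DEGRADED, "2021-06-01")):
        print(name, check_canary(text, today) or "alive")
```

Two design points matter in practice. The expected-statement list must be pinned by the reader, not derived from the latest edition, or a dropped line is never noticed. And staleness is itself a finding: an operator who is gagged may simply stop publishing, so a missing or old edition should be treated as a signal, not as a crawler hiccup. A real deployment would also verify a signature over each edition so that a substituted copy cannot keep the canary "alive"; that step is omitted here.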

haruhiko

> Everything is end-to-end encrypted, meaning only you have access to the data.
>
> Governments require data to be stored locally because states are not obligated to conform to other states’ data protection laws.
The very link that you quoted here does not list iCloud backups as end-to-end encrypted.
 

adib

Most all of the data you store with Apple is encrypted with a key that Apple doesn't have (iCloud based iOS backups excluded) so Apple can only hand over random noise to anyone with a court order.
That said, iMessage logs available unencrypted to the NSA would still include sender, receiver, timestamp, and the size of the message. Likewise with FaceTime – notably if you've done group FaceTime to a number of individuals under surveillance.
 