As promised last year, Apple has released a hackable iPhone for use by elite security researchers only. These iPhones have had their standard iOS defenses disabled to make security vulnerabilities easier to find.
Apple Launches the Security Research Device Program
Apple’s iPhones have a long-standing reputation for being strongly locked down from a security perspective. This of course is not a bad thing, as it makes it difficult for malicious actors to hack consumers’ iPhones. However, it also makes it difficult for security researchers to explore iPhones for security vulnerabilities, as they have little visibility into iOS. Researchers have had to resort to using jailbreak tools and third-party iOS emulators to get visibility into Apple’s iOS.
Consequently, the launch of Apple’s Security Research Device (SRD) program was much awaited by the research community. The SRD program was first announced by Apple at last year’s Black Hat hacker conference in Las Vegas. It finally became reality a couple of days ago, on July 22.
As part of the SRD program, security researchers will be loaned special iPhones called Security Research Devices (SRDs) by Apple. These devices are to be used by researchers exclusively for security research and will come “with unique code execution and containment policies”. This has been taken to mean that researchers will have access to the user-facing sections of the operating system only. Researchers fear that they will not have access to the iOS’s core functionality.
How Open will the Hackable iPhones be?
With the launch of the SRD program, researchers will have real access to the iOS for the first time rather than through iOS emulators. However, it is not yet known exactly what these devices will allow. An announcement from Apple stated that “Shell access is available, and you’ll be able to run any tools and choose your entitlements”. In other words, researchers will be able to run code on SRDs that would normally be blocked by the iOS. It will also permit them to analyze how third-party applications interact with the iOS.
Nonetheless, the SRDs are not likely to be much help when it comes to uncovering core iOS security problems. This is because researchers do not expect to get access, for example, to the iOS’s boot-up procedures. Nor do they expect to have access to the iPhone’s firmware or Apple’s custom security chip.
“The devices appear to give researchers unrestricted access only to a portion of iOS,” states Will Strafach, a long-time iOS researcher. “It’s a good start for vulnerabilities in user-facing apps and services, which can be easily fixed in an iOS update. But they appear to intentionally not allow poking at lower-level security mechanisms, which may be more difficult to fix.”
Who Will Get a Hackable iPhone?
Apple will only allow elite security researchers into its SRD program. These are researchers with a proven track record in finding security issues on Apple’s iOS platform and other platforms. Researchers must also already be in the Apple Developer Program and not have been employed by Apple in the last 12 months. Furthermore, there are limitations as to the country of origin and age of individuals accepted into the program. Individuals under the age of 18 are unlikely to be accepted.
Individuals who make it into the program will be loaned an SRD from Apple for a year. However, the use of the loaned SRDs will be strictly controlled, with their use being limited to the program participant’s premises. Furthermore, the SRDs cannot be used in a personal capacity by the participants.
Under the loan agreement, participants are also provided access to new security forums focused on the SRDs. Moreover, under the agreement, if participants “find, test, validate, verify or confirm” a vulnerability using an SRD, they must immediately report this to Apple and any relevant third parties. Once reported, the agreement states that “Apple will provide you with a publication date (usually the date on which Apple releases the update to resolve the issue)” and will “work in good faith” to resolve the vulnerability as soon as possible. Participants are thus prohibited from disclosing the vulnerability until the publication date provided by Apple. This in turn excludes researchers who use a 90-day policy for disclosing vulnerabilities from participating in the program.
Due to its restrictions, Apple’s new SRD program is not going to allow researchers to discover all of iOS’s privacy and security issues. Nor is it going to allow them to help Apple eliminate these issues. However, given the constraints faced by researchers in the past, this program is seen as an important step forward. Anything that offers more insight into the workings of Apple’s iOS is seen as a step in the right direction by security researchers.