Google's Project Zero team will not apply for
Apple's SRD program
Other security researchers have
expressed similar intentions to skip the Apple SRD after the program rules give
Apple full control of the vulnerability disclosure process.
Some of the top names in the iPhone
Vulnerability Research field have announced plans to skip Apple's new Security
Research Device (SRD) program today due to Apple 's restrictive disclosure
rules that effectively muzzle security researchers.
The list includes Project Zero
(Google's elite bug-hunting team), Will Strafach (CEO of Guardian Mobile
Security), ZecOps (mobile security firm that has recently discovered a series
of iOS attacks) and Axi0mX (iOS vulnerability researcher and author of Checkm8
iOS exploit).
What's the Apple
SRD program?
The Security Research Device (SRD)
program is unique among smartphone manufacturers. Through the SRD program,
Apple has promised to provide security researchers with pre-sale iPhones.
These iPhones are modified to have
fewer restrictions and allow deeper access to the iOS operating system and
hardware of the device, so security researchers can search for bugs that they
would not normally be able to detect on standard iPhones where the phone's
default security features prevent security tools from looking deeper into the
phone.
Apple officially announced the SRD
program in December 2019, when it also extended its bug bounty program to
include more of its operating systems and platforms.
However, while the company tampered
with the program last year, it wasn't until today that Apple launched it by
publishing an official SRD website and emailing selected security researchers
and bug hunters to invite them to apply for the review process needed to
receive an untapped iPhone.
New Restrictive
Rule
This new website also included the
official rules of the SRD program, which security researchers have not had the
opportunity to review in detail.
But while Apple's SRD announcement
was welcomed by the security community with joy last year, considering it a
first step in the right direction, they weren't very happy with Apple today.
According to complaints shared by
social media, one specific clause was wrong for most security researchers:
"If you report a vulnerability
that affects Apple products, Apple will provide you with a release date
(usually the date on which Apple releases the update to resolve the issue).
Apple will work in good faith to resolve any vulnerabilities as soon as
possible. You can not discuss the vulnerability with others until the release
date."
The clause effectively makes it
possible for Apple to muzzle security researchers. The clause gives Apple full
control of the process of disclosure of vulnerabilities. It allows the iPhone
maker to set the release date when security researchers are allowed to talk or
publish anything about vulnerabilities found in iOS and iPhone while part of
the SRD program.
Many security researchers are now
afraid that Apple will abuse this clause to delay major patches and drag its feet
on delivering much-needed security updates by postponing the release date after
which they are allowed to talk about iOS bugs. Others fear that Apple will use
this clause to silence their work and prevent them from even publishing their
work.
Project Zero and others will decide
not to apply
The first to notice and understand
the implications of this clause was Ben Hawkers, leader of the Google Project
Zero team.
"It looks like we're not going
to be able to use the Apple 'Security Research Device' because of the
vulnerability restrictions that seem specifically designed to exclude Project
Zero and other researchers using a 90-day policy," Hawkes said on Twitter
today.
Hawkes' tweet received a lot of
attention from the infosec community, and other security researchers soon
followed the team's decision. Speaking to ZDNet's sister site, CNET, Will
Strafach also said that he was not going to join the program because of the
same clause.
On Twitter, the cybersecurity firm
ZecOps also announced that it would skip the SRD program and continue to hack
iPhones in the old fashion way.
In a conversation with ZDNet,
security researcher Axi0mX said they were thinking of not participating as
well.
"Disclosure time limits are
standard practice in the industry. They are necessary," said the
researcher.
"Apple requires researchers to
wait for an unlimited amount of time, at Apple's discretion, before any bugs
found in the Security Research Device Program can be revealed. There is no time
limit. This is a poison pill," he added.
Alex Stamos, Facebook's former
Chief Information Security Officer, also criticized Apple 's move, which was
part of a larger set of decisions that the company has taken in recent months
against the cybersecurity and vulnerability research community — which also
included a lawsuit against a mobile device virtualization company that helped
security researchers track iOS bugs.
It's one thing to see no-name
security researchers talking about a security program, but it's another thing
to see the industry's biggest names attacking one.
Apple Security Programs are not
well viewed
The fear that Apple might abuse the
rules of the SRD program to bury important iOS bugs and research is justified
for those who followed Apple's security programs. Apple has previously been
accused of the same practice.
In a series of tweets published in
April, macOS and iOS developer Jeff Johnson attacked the company for not being
serious enough about its security work.
"I 'm thinking about
withdrawing from the Apple Security Bounty program," said Johnson. "I
don't see any evidence that Apple is serious about the program. I've heard of
just 1 bounty payment, and the bug wasn't Mac-specific. Also, Apple Product
Security has ignored my last email to them for weeks.
"Apple announced the program
in August, did not open it until a few days before Christmas and has not yet
paid a single Mac security researcher to my knowledge. This is a joke. I think
the goal is to keep researchers quiet about bugs for as long as possible,
"Johnson said.