Security is an essential issue in any system today, and it is clear that however much companies invest or strive to improve it, it is never enough, since by definition no system is 100% secure. That is why companies like Microsoft, Facebook or Google have security reward programs that encourage researchers who find flaws in their systems to report them to those responsible and receive a (more than deserved) financial reward for that work.
The problem arises when the rewards offered are below what a serious security flaw fetches on the black market, and the researcher may then choose the wrong path instead of the side of light. Apple already opened a reward program in August 2016, which paid up to $200,000 for certain serious flaws.
Apple has renewed its security failure rewards program, expanded its awards, and revamped its platform security portal.
But last December 20th, Apple announced that it was making public (so that anyone can participate) the new rewards program it had already previewed at the last WWDC. The program is accompanied by a renewal of all its security documents, with the publication of the autumn 2019 guide to security on Apple platforms, which you can consult at this link.
It was Apple's head of architecture and security engineering, Ivan Krstic, who announced the launch of the program, the final rewards and the new security documentation for the entire platform. Here we are going to look at the new program and what each of its categories means.
What Apple will pay for the different bugs is broken down by type of attack and type of security flaw, as follows:

Attack with physical access to the device:
  Lock screen bypass
  Extraction of user data
Attack on the device through user-installed apps:
  Unauthorized access to sensitive data
  Kernel code execution
  CPU side-channel attack
Network attack with user interaction:
  One-click unauthorized access to sensitive data
  One-click kernel code execution
Network attack without user interaction:
  Zero-click wireless kernel attack with proximity to the physical device
  Zero-click access to sensitive, unauthorized data
  Zero-click kernel code execution with persistence and Kernel PAC bypass
Let's briefly explain what each of the points in the table means.
Apple divides security attacks into those that require physical access to the device and those that only require the attacker to be on the same network as the device, or within range through a technology such as Bluetooth or a service such as AirDrop.
The list is divided into four main categories. The first is attacking a device that we physically have with us and could even connect to a computer by cable. Within it there are two kinds of flaw: unlocking the device by bypassing its data protection, or extracting valid data from it without authorization, either without unlocking it or by unlocking it without the usual unlock method.
So basically with this option we are talking about unlocking the device and accessing its data without knowing the passcode, without a valid fingerprint (Touch ID) or a valid face (Face ID).
The next category covers vulnerabilities in the security of the device when the user intentionally installs an app. This app could come from the App Store (it is difficult, but not impossible, for Apple to miss an unknown security flaw in an app) or from third-party repositories that use Enterprise certificates meant for corporate apps and ask us to install a configuration profile to authorize them. Let's never do this, please.
There are three flaws here. The first is unauthorized access to sensitive data. The second is code execution at kernel level, which basically means bypassing the device's code-signature check (what we know as a jailbreak).
Apple classifies access to sensitive data as gaining unauthorized access to contact databases, email, messages (from Apple's own service), photos, or location history. It also includes access to real-time location data.
The code of any app downloaded from the App Store is digitally signed, but if we can get iOS not to check a code signature, or to ignore it, then we can execute anything without any restriction. This is not recommended.
The last one is the CPU side-channel attack. Basically it means reaching data handled by the CPU through an indirect route, such as reading what it keeps in a cache or the intermediate values it stores for its calculations.
The next two categories are bugs that allow access to the device from a network resource but require user interaction, such as sending a fraudulent SMS or email to the user and getting them to click on a link to a trap web page, believing nothing will happen. Here we have two types of flaw: unauthorized access to sensitive data by simply clicking on something, and again kernel-level code execution or bypassing the code signature (the jailbreak).
There are bugs like the ones discovered and patched in iOS 9.3 (the so-called Trident), a triple exploit that managed to jailbreak a device simply by visiting a particular web page, which exploited a Safari bug and then two system bugs. That first Safari bug, the one that opened the door to the system, would be one of these. If we manage to get data out or execute kernel-level code, it pays off.
In iOS 9.3, a triple exploit called Trident, created by a large security company with the sole purpose of jailbreaking any iPhone by visiting a website, became very famous. Safari would stop responding for a few seconds, crash, and the device was left open to run any code without checks.
The last category is the most dangerous because it doesn't even need user interaction. The first item, the zero-click wireless attack on the kernel with proximity to the physical device, assumes that our device is on the same WiFi network, or within Bluetooth range with Bluetooth activated, for example.
The device we want to attack would appear to us as a reachable device on our own network, and we could send commands to it. Normally it will reject them if we are not authorized, but if we manage to execute kernel-level code or get in through a security hole just by trying to access the device, we have a very serious flaw.
The next item covers the same situation, although in this case you may not have to be physically close; it is enough that we know your direct connection IP, for example. If we manage to access sensitive data without authorization, bingo. But the jackpot, the million dollars, is reserved for total control of the device over the network.
Kernel PAC is a system present in the A12 CPUs and later that improves security by digitally signing pointers to data in memory.
To do this we must be able to bypass Kernel PAC, or Pointer Authentication, a system that the iPhone XS and later have. Basically it means that memory pointers are digitally signed. This makes it possible to authenticate who put those pointers in memory, so that they cannot be modified.
If a program has some data in memory and I, as an attacker, put other malicious data somewhere else and change the pointer in memory, the program will read my data thinking it is the authentic one. But if the pointer is cryptographically signed, it will not be validated, because the pointer won't carry a valid signature from the program that created it and my spoofing won't work. This is a protection that Apple's processors have had since the A12, and obviously getting past it earns the maximum reward, especially if we manage it through network access and without user interaction.
Since devices can be connected to a network and therefore be seen by others, security is more important than ever. Before, if my Olivetti 286 PC had a security flaw I didn't care, because anyone who wanted to steal something from me had to be physically sitting at my machine to do anything malicious.
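To make the pointer-signing idea concrete, here is a small added model of how pointer authentication rejects a swapped pointer. It is constructed for this article and is not Apple's implementation: the key, the 48-bit addresses and the 16-bit fold that stands in for the hardware's keyed cipher are all assumptions, chosen so the values can be followed by hand.

```c
#include <stdint.h>

/* Toy model of ARMv8.3 pointer authentication (PAC), constructed for this
 * article. Real hardware signs with a block cipher under a secret key that
 * software never sees; a linear 16-bit fold stands in for it here, so the
 * mechanism is visible but this "signature" is NOT cryptographically strong. */

#define PAC_SHIFT 48                          /* toy VA width: low 48 bits */
#define PTR_MASK  ((1ULL << PAC_SHIFT) - 1)   /* upper 16 bits hold the PAC */

static const uint64_t pac_key = 0x00005555AAAA0F0FULL;   /* constructed key */

/* fold a 64-bit value to 16 bits (stand-in for the keyed cipher) */
static uint16_t fold16(uint64_t x) {
    return (uint16_t)(x ^ (x >> 16) ^ (x >> 32) ^ (x >> 48));
}

/* PAC over the plain pointer, a modifier (context) and the key */
static uint16_t pac_compute(uint64_t plain, uint64_t modifier) {
    return fold16(plain ^ modifier ^ pac_key);
}

/* sign: put the PAC in the pointer's unused upper bits */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier) {
    uint64_t plain = ptr & PTR_MASK;
    return plain | ((uint64_t)pac_compute(plain, modifier) << PAC_SHIFT);
}

/* authenticate: return the plain pointer, or 0 if the PAC does not match
 * (hardware instead poisons the pointer so that dereferencing it faults) */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier) {
    uint64_t plain = signed_ptr & PTR_MASK;
    if ((uint16_t)(signed_ptr >> PAC_SHIFT) != pac_compute(plain, modifier))
        return 0;
    return plain;
}

/* Constructed addresses: the program's data, an attacker buffer and two
 * pointer slots. A slot's own address is the modifier, so a signed pointer
 * is bound to the slot it was stored in. */
#define ADDR_AUTHENTIC 0x00007FFF10000040ULL
#define ADDR_MALICIOUS 0x00007FFF30000080ULL
#define ADDR_SLOT_A    0x00007FFF20000100ULL
#define ADDR_SLOT_B    0x00007FFF20000200ULL

/* three ways of swapping the pointer in slot A; returns how many are rejected */
int pac_tamper_rejected(void) {
    uint64_t good = pac_sign(ADDR_AUTHENTIC, ADDR_SLOT_A);
    int rejected = 0;
    rejected += pac_auth(ADDR_MALICIOUS, ADDR_SLOT_A) == 0;                    /* raw, unsigned pointer */
    rejected += pac_auth((good & ~PTR_MASK) | ADDR_MALICIOUS, ADDR_SLOT_A) == 0; /* low bits retargeted, PAC kept */
    rejected += pac_auth(pac_sign(ADDR_MALICIOUS, ADDR_SLOT_B), ADDR_SLOT_A) == 0; /* valid pointer from another slot */
    return rejected;
}
```

The legitimate pointer authenticates back to ADDR_AUTHENTIC, while all three overwrites fail the check, which is exactly the spoofing the text describes being refused.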
Obviously, more and more devices are connected, more and more data is put into them, and "the bad guys" are trying to break into systems created by big companies with techniques that are increasingly innovative and difficult to detect, so "the good guys" need help, because it is impossible for them to find all the bugs by themselves. Does this have a solution? No. Software today is so complex, and there are so many variables in the ways a system can be attacked, that we security experts always say clearly that it is impossible for a system to be 100% secure.
That Apple is improving and expanding this reward program is certainly great news. If you want to know more, don't hesitate to visit the official website of the program, and if you find any flaws you can claim your reward, which also comes with explicit recognition of the person or team that found them in the software update notes.