109 comments

[ 3.2 ms ] story [ 165 ms ] thread
(comment deleted)
Wow the Security research device looks awesome! https://security.apple.com/research-device
They discussed that, at one of the latest dub-dubs. I think last year.

It's basically an "officially cracked" iPhone.

Looking at the list of approved countries.

Israel not present. Probably because of NSO. Quite hilarious.

I find it funny that most of the true cyber powers are left off the list but India is considered to be “safe choice”. India may be poor but it is hardly lacking in engineering prowess. Apple’s own employees are a testament to that.
This isn't really about skill. I imagine they want to only include countries that aren't big on cyber warfare.
Well they left USA on the list.
The laws around US citizens hacking the computers of US companies are straightforward and easily applied.
Right, but we aren't talking about private citizens but nation state actors with an interest in cyberwar capabilities. USA is probably near the top of that list.
It's kind of a lost cause when the government could just directly compromise Apple itself though? Maybe they are also fine with helping their own country's cyberwar abilities.
I wonder what the selection criteria was. For example mexico is also not on the list
Mexico also abused Pegasus, right? I wonder if any national governments that are affiliated with NSO are restricted.
If you look at the list at https://en.wikipedia.org/wiki/Pegasus_Project_(investigation... it seems like most of the countries that used pegasus are still on the allowed list, many of them much more extensively users than mexico was.

I really dont think nso group client is the pattern.

You're right. Main political opposition in India was affected with Pegasus and it is part of this program. I think this has more to do with the level of Apple's presence in a country/jurisdiction and their ability to retrieve the device back in case of misuse.
(comment deleted)
Yeah pretty ballsy move! (Android being always like this does put a bit of damper on it - shell, running tools, custom kernels yeah all of that ;)
Making a separate, 'researcher-friendly' device that is easier to own "without having to bypass its security features" on the surface seems so incredibly in line with Apple's general ethic yet so counter-productive in this particular context...
> Shell access is available, and you can run any tools, choose your own entitlements, and even customize the kernel.

Wow, I want one of this just for fun, sounds like what I want my normal iPhone to be able to do

> Have a proven track record of success in finding security issues on Apple platforms, or other modern operating systems and platforms.

Well, that put a stop to my dream...

I remember when the iPhone tech remoted into my phone. I knew it had to be technically possible but it is reserved for Apple. Probably a good idea that it's not generally accessible, all my relatives who I recommend use their iPads for banking would be in trouble.
What do you mean by “remoted”?
Apple support can push a screen share to your device. Iirc, you have to accept it before it starts sharing.
I’ve seen this done for support. Apple seems to have an internal remote access tool similar to common VNC or RDP based tools that allows them to view a video stream of your display and send touch inputs to it as if they were physically using your device.
> and send touch inputs to it as if they were physically using your device.

No they can't. They overlay a red arrow showing where they want you to push, and you (the user) are asked to push there.

They can literally send custom firmware to the device. It is their device, not yours, and they can do whatever they want with it.
Not even close to true. If Apple were to exfiltrate your files, or monitor your screen intentionally without you opting in, they’d be taken to pieces in court.
Or maybe you visit a different country, like China, where Apple has ceded all power over their servers and encryption keys to the CCP.

Or even in the US, the courts you think will save you could be the very ones ordering your data because you are suspected of a crime because you typed a certain trigger phrase that activates an automated warrant like those Google has.

The 4th amendment only protects you when data is stored on your property. When it is in control of a corporation, the corporation gets the warrant, not you.

Or maybe Apple simply changes their terms of service to resemble that of TikTok or Facebook giving them more or less complete legal freedom over your data.

Or maybe it is just a rouge Apple system administrator that does not care about the rules.

You can not own an Apple device and the data on it is at the mercy of choices made by remote humans with incentives very different from yours.

Power that exists will always be abused. It is how humans work.

Maybe, the sky is falling, maybe it isn’t.

> Power that exists will always be abused.

I hate to break it to you, but power isn’t going anywhere, and it isn’t always abused.

Telling the difference is what matters.

I hold my own data on devices that I own on property that I own.

No one has legal power to change their terms of service governing my data, or issue secret warrants, or extralegal power to outright take my digital property.

Would those situations ever have seriously impacted me in the first place? Probably not. Thing is though, they can and do affect a lot of people.

The more people that learn to take back control of their digital property, the safer we all are.

I was just making the point that Apple hardware and the data on it is not in your control. If you fully trust Apple and your politicians to never mistakenly target you or anyone you recommend the same practices to, then you are all good.

The comments you are making on HN right this very moment are contrary to what you preach. HN owns the data on your account, not you.

I cannot assume your jurisdiction, but if one were to believe what you have stated, these assumptions would need to be true:

1) you’ve never flown anywhere before 2) you do not belong to any single country (you need to be a nomad, as all modern countries have identification systems in place for their citizens) 3) you’re using internet at a cafe because if you are paying any bills to your ISP that’s game over

-

I find it highly improbable you speak the truth. I’m sorry to say, but it really seems like the type of comment made by an “ignorance is bliss” type of individual that has recently watched an episode of mr robot.

I am easy to look up, as well as what I do for a living, if you wish to do so.

The data I post on HN is public. When I post data to a public place it is no longer mine. I am not a luddite, I simply have separation of concerns between public and personal life. Data that is not public, is mine.

When I fly, I accept this is a public event. All parties are transparent about this. You will however be hard pressed to buy a record of the local locations I frequent or what I purchase at a pharmacy without an expensive private investigator because I do not carry a cell phone and I pay cash.

The data that I consider mine, such as personal family photos, detailed location history, my IoT product usage, etc, lives in servers I physically own on property I own. Not unlike a box of photos in someones attic. If you want to rifle through it, get a warrant. No surveillance capitalism companies will have a chance at buying that data regardless.

I do sometimes use third party services to distribute private data, such as matrix.org. The privata data such as DMs can not be decrypted or controlled by the server operators, and only by my keys on devices I control all software on. That data is mine too.

You do not need to trust your ISP to have a useful level of digital sovereignty.

> No one has legal power to change their terms of service governing my data, or issue secret warrants, or extralegal power to outright take my digital property.

I don’t see how this is even close to true. Governments seize property all the time.

Sure, but if the data lives on my property then they need to get a judge to sign off on probable cause and show me the warrant. Then at least I am aware of what is happening and can challenge it in court, or go public, if it is unjustified.

When the data lives with Apple or Google, they can just secretly take it, even in bulk. The NSA wire taps on Google and others were a real thing that actually happened. No pesky constitutional protections in the way for the data you freely give to corporations.

> Sure, but if the data lives on my property then they need to get a judge to sign off on probable cause and show me the warrant. Then at least I am aware of what is happening and can challenge it in court, or go public, if it is unjustified.

In principle, but not in practice. All they need is a witness for probably cause, and once they have your stuff, you aren’t going to get it back without a bankrupting fight, if at all.

If you think the government plays fair in the real world, you might want to have a discussion with a Mr Assange, currently a guest of King Charles III.

> When the data lives with Apple or Google, they can just secretly take it, even in bulk. The NSA wire taps on Google and others were a real thing that actually happened.

The NSA wire taps were ruled illegal. How satisfying.

They may be able to confiscate my stuff, but I will at least make them put in the work to target me individually and make them find that judge and that witness and that warrant. Doing that for -everyone- is infeasible and expensive which was the exact point of the constitution. It is designed to clip the wings of hopeful authoritarian elements of our government.

Also, because I control my technology, and my encryption keys, the constitution gives me one other major protection. The right to not self-incriminate, or, the right to not give them additional rope to hang me with.

No one knows my decryption passwords but me, and no one can compel me to reveal them legally.

It is exactly because the government does not always play fair, as you point out, that every citizen owes it to themselves and each other to limit their power.

Meanwhile you give up all rights and control of your data when you agree to the terms of service of Apple or Google. They will hand over your plain text data without your knowledge or consent if you merely say the wrong trigger phrase.

I'd need to see some evidence they have this capability.

They could publish a firmware that abuses your device, but they would have to ship this to everyone on that particular channel (e.g. general releases, public beta, developer beta)

They host the servers. They know your current IP and current login session to the app store at all times. Of course they could ship a signed update to only you with a court order. How do you think beta channels work?

Maybe judges do not realize they have that power yet, but they will eventually.

The CCP certainly understands this well, which is why they seized the HSMs governing encryption and binary signing for Chinese citizens.

it really spooked me when they did that to my mac
Did you have to accept a prompt? There's a preinstalled app to do that in macOS, called Screen Sharing. You can remotely access other people's macs using only their Apple ID, and their approval of course.
(comment deleted)
If you want a potential alternative to the security research device from Apple look into Corellium[1] - startup that emulates iOS on ARM64 server hardware, sued by Apple for copyright claims and survived.

It is a paid product (eg $x/hr cloud billing). Supposedly easier to obtain than the security research device.

[1] https://corellium.com

Apples copywriters make everything the brand says sound smug. e.g;

"iPad. Loveable. Drawable. Magical"

"iPhone 14 Pro. Pro. Beyond"

And now;

Apple Security Bounty. Upgraded.

They're just better than you... /s hehe

I know what you mean. But I just think they're very proud of their work, ya know?

> I just think they're very proud of their work, ya know?

And for good reason too. Apple is in a league of its own in quality.

Except the head of industrial design has decided to roll and the recent batch of hardware release doesn't look compatible in a hi-fashion sense collection. The latest ipad has been received by one reviewer as "weird" and that pen accessory is finicky in version type and connector type requirement.
The pencil is weird, granted. Especially on the, I will admit, convoluted iPad lineup.

However, one reviewer said it was weird? Name the product, I’ll find someone who called it “weird.”

> Name the product, I’ll find someone who called it “weird.”

"No wireless. Less space than a Nomad. Lame."

If I were cmdrtaco I'd put in my will that this has to be the inscription on my gravestone.

The summary of that video was that it’s a very good product on its own, it’s just facing tough competition from the other iPad models.
In my experience with things made by Apple, when they work, they just work. But when they fail, they do so "successfully" :)

Case in point: Airdrop. Super convenient when it works, doubly annoying when it doesn't.

Could be worse. They could write it clickbait style.

"You won't believe what's new in the iPad"

"Pros are jealous of these new iPhone features"

"5 new upgrades to Apple Security Bounty, and you won't believe number 2!"

By the same merit, could also be a lot better than the lazy copywriting they have now.
It would be funny if Apple start to advertise like tabloids and spam emails. Would totally drive all the silicon valley hipster crazy.
> the lazy copywriting they have now

It’s anything but lazy. You may not like the style, but it’s a very well-developed vocabulary and they’re extraordinarily diligent about making sure that they speak with one voice.

Imagine how operationally efficient their marketing group has to be as a point on the critical path of everything Apple does publicly.

They might be diligent, but in comparison, copywriting was in another level in the Steve Jobs era.
(comment deleted)
> we’ve grown our team and worked hard to be able to complete an initial evaluation of nearly every report we receive within two weeks, and most within six days.

At other big tech companies, an initial evaluation of a security report will be done in 15 minutes... And if it's important, people will be woken up and a workaround will probably be deployed in a matter of hours...

For example, the Google security bug form[1] says "This option might really get someone out of bed."

[1]: https://www.google.com/appserve/security-bugs/m2/new

This statement did seem strange. However, I sent in a report to Apple Product Security a week ago, and I received a personal response within 48 hours saying that they reviewed my report.
This is nonsense. Nobody verifies security reports of any significance in 15 minutes.
Not 'verifies'. Simply read the report and decide on the priority.

Filter out the reports saying "The padlock is missing on my gmail" from those that say "If you type TRUE into the gmail login password box, it will let you log in as any user, and 4chan has discovered it".

I think there's a difference between verifying a report and simply triaging it to the right team. Apple is doing the former while companies that respond in 15 mins are often doing the latter.
I have had replies on bug bounty reports in under 10 before. It can and does happen.

Edit: To clarify, especially in cloud environments (which is most stuff these days) it's really not hard for someone to verify something if it's well written.

I might be a bit pessimistic here, but I'm betting that's not an experienced, trained individual that's responding to the ticket. It's like a level one techie who's basically just moving the ticket from one queue to another and potentially waking someone up if it looks scary enough.

That's not really the same thing.

I'm talking actual confirmation of the issue and acceptance of scoring from someone clearly technical.
It's certainly possible. I've handled a bunch of bug bounty programs and sometimes submissions come in at just the right time and attract just the right attention. It's not a reasonable expectation for the average submission.
It depends on your targets, IME. Huge companies? Yep, you'll get a "thanks for telling us" from a bigger bug bounty program and then not hear anything for weeks to months.

For small- and mid-sized companies that do bug bounties (of which there seem to be fewer and fewer these days as a percentage) you can definitely wind up submitting directly to the right people and get really quick response times.

(comment deleted)
(comment deleted)
I agree.

There are clearly 2 different levels of "evaluation" at play here.

Being able to "evaluate" every security bug submitted to you in 15 minutes implies relatively insignificant bugs, or it implies that you are not "evaluating" the bugs you claim you are "evaluating".

The first time a report came in on meltdown/spectre/heartbleed whatever, there is no way any serious security researcher could have fully evaluated that report in 15 minutes. Never having seen or heard tell of it previously. Heck, just pulling together the requisite hardware and getting the requisite software on it might take more than 15 minutes. I don't buy that it could be "evaluated" in 15 minutes.

how do you feel about the word "triaged"? There's some reports that are obviously going to be worth an immediate response and some that aren't. And some will slip through the cracks, in either direction, because the queue is being watched by a human and not a robot. If the report contains a screenshot of your private admin panel, it's getting escalated.

Anyone serious got advanced notice of meltdown/spectre/heartbleed and had longer than 15 minutes to decide a course of action. Whether that's a good or bad thing about infosec as an industry, I can't decide.

I imagine there’s people scanning through the reports to see if they look important as they come in. They just won’t respond immediately.
(comment deleted)
(comment deleted)
Read more carefully, it says “an initial evaluation of nearly every report we receive within two weeks, and most within six days.”

Emphasis mine. What it means is that even reports that fail the initial “oh shit” gut check (which Apple definitely does BTW) will still get worked within 1-2 weeks. That’s pretty good.

It's a lot of talk, but I doubt Apple's honesty here.

See also Gui Rambo getting a measly $7,000 for a couple of fairly serious vulnerabilities.

https://news.ycombinator.com/item?id=33348013

Yeah I love the idea of bug bounties, however there is this issue created when the provider cannot offer the most competitive price for bounties. It's no secret that nation states will pay more than Apple will for vulnerabilities.
There's no reason Apple couldn't pay more than nation-states for bug bounties; They have a ridiculous amount of money after all.

In Crypto there exists a service called ImmuneFi, it's essentially a arbitrator between hackers and services offering bug bounties that provides an impartial third party ruling on the payout.

They recently paid out a $10 million bug bounty. That really needs to move into Web2.

> recently paid out a $10 million bug bounty

ImmuneFi have "paid out +$10,000,000 in bounties" [1]. Not $10mm for a single bounty.

[1] https://immunefi.com/hackers/

That is incorrect: https://www.globenewswire.com/news-release/2022/09/22/252114...

> Immunefi has saved over $25 billion in users’ funds and has paid out $60 million in total bounties. The platform now supports 300 projects across multiple crypto sectors, and collectively offers $135 million in bounties to whitehat hackers. Immunefi has also facilitated the largest bug bounty payments in the history of software, including $10 million for a vulnerability discovered in Wormhole, a generic cross-chain messaging protocol, and $6 million for a vulnerability discovered in Aurora, a bridge and a scaling solution for Ethereum.

That would just create a bidding war and wouldn't stop the arms race at all.

Also, once the rewards increase past a certain point, security researchers would have no reason to work for apple, since one big hit would mean set for life.

Security researchers on ImmuneFi can be set for life by submitting a large bug bounty today. But that's extremely rare, and you don't see them lining up to leave apple.
Under the detailed criteria listed here[0], it seems plain that he qualified for the $50k award when it comes to the Mac vulnerability, and the $25k award for the iOS one. Since they're fundamentally the same flaw, he'd likely only qualify for $50k, not $75k, but Apple still stiffed him of $43k. For shame.

[0]: https://security.apple.com/bounty/categories/

(comment deleted)
Anybody knows how much this costs (if anything)?
(comment deleted)
(comment deleted)
> Device attack via physical access: $5,000: Limited extraction of sensitive data from the locked device after first unlock. As an example, you demonstrated the ability to extract some contact information from a user’s locked device after the first unlock.

Uhhh I must be missing something here… I can trivially share a contact via email after my iPhone is unlocked?

I believe by “first unlock” they mean a login/unlock right after a reboot. So - turn on device, do first unlock, then lock again. Might be wrong, but afaik the very first unlock after a reboot is bit different then subsequent unlocks (I guess cached memory etc)
Ahhh I see. Thank you! There goes my dream of the 5000 dollars. ;)
Yup. it's exactly this. After first unlock, data is decrypted and loaded into memory. You shouldn't be able to extract it though, without unlocking the device.
They mean that the device is in a state where it’s locked after having been unlocked at least once after booting.

That first unlock after booting decrypts a bunch of things.

An iPhone requests the user’s password upon restart, this would be referred to as “first unlock”. The reward is for an exploit that takes place against a _locked device_ but only after it has been unlocked once first. As in, an exploit that applies to the Lock Screen when the device was previously unlocked at least once. It is likely easier to trick a locked system into unlocking after it has already been unlocked the first time, due to password storage, credentialed background processes, and so on.
„Locked device after first unlock“ => the device is locked but was unlocked at least once after boot. I guess this loads some keys from the tpm into ram. Using Face ID for example requires an initial unlock via the users pin
(comment deleted)
(comment deleted)
First unlock means the user entered the PIN to go through the second level of encryption (after Secure Enclave device-level protections of flash).

Without first PIN, most functions don't work because the writable flash areas storing third party apps and user data are still encrypted.

This is also why you have to enter your PIN on reset rather than a biometric; it is far more established to derive a symmetric key from a password than from biometric data.

Do they actually pay out tho? I keep hearing security researchers having difficulty getting these bounties, seems like a great business strategy out source security audits, offer massive pay outs looks good, don't pay out and keep the pot growing larger to look even better.
That would be a terrible business strategy.

If someone comes forward with legitimate good security vulnerabilities and you don’t pay out, you’re massively encouraging them to go to shady brokers next time.

I hear they do now but it can still be a pain (have to remind the several times, etc.)
I just hope you get the money transferred to your bank account and not in Apple product vouchers.
Off-topic: This thread has a cool id (33363333)!