26 September 2021

How Much Does Apple Care About Your Security?

They claim to love security and privacy. So it is hard to see how this situation came to pass. They wouldn't be lying to everyone, now would they? Researcher drops three iOS zero-days that Apple refused to fix

The researcher has followed responsible disclosure. He waited 6 months - double the 90 days Google Project Zero uses as a benchmark - in the case of one of the bugs. Apple did fix one bug that he notified them of, but without mentioning it and without paying for it.

Click thru for the details on these 3 zero-days. But there is one thing that really caught my attention.

It seems that this is not one-off occurance, but that Apple has a tendency to NOT live up to the terms of its published bug-bounty.

Other security researchers and bug bounty hunters have also gone through a similar experience when reporting vulnerabilities to Apple's product security team via the Apple Security Bounty Program.

Just this year, some of them have reported that they weren't paid the amount listed on the official bounty page [1, 2] or haven't received any payment at all, others that they have been kept in the dark for months on end with no replies to their messages.

Others have also said their bugs were silently fixed with Apple refusing to give them credit, just as it happened in this case.

It isn't because they can't afford it. So it must be because they don't want to pay.

And as for Apple's "we care deeply about your privacy" statements.

"All this information is being collected by Apple for unknown purposes, which is quite disturbing, especially the fact that medical information is being collected," the researcher said, referring to the analyticsd zero-day silently patched in iOS 14.7.

"That's why it's very hypocritical of Apple to claim that they deeply care about privacy. All this data was being collected and available to an attacker even if 'Share analytics' was turned off in settings.

Some of these vulnerabilities are probably not of interest to folks like Zerodium, but some probably are, and while I don't like the idea of feeding the beast, I completely understand the "if you're going to screw me over then all bets are off" point-of-view. I wonder if Apple understands that?

The Register had even harsher things to say. Frustrated dev drops three zero-day vulns affecting Apple iOS 15 after six-month wait

"To me, the bigger takeaway is that Apple is shipping iOS with known bugs," [Patrick Wardle, founder of free security project Objective See and director of research at security biz Synack] continued, noting that IllusionOfChaos claims to have reported the bugs months ago. "And that security researchers are so frustrated by the Apple Bug Bounty program they are literally giving up on it, turning down (potential) money, to post free bugs online."

Wardle said he considered the researcher's critique of Apple's Security Bounty program to be fair.

"It's not that Apple doesn't have resources or money to fix this," he said. "Clearly it's just not a priority to them. "

And why should it be. If your iPhone gets hacked, what does it cost Apple? 15 minutes of egg on their faces? Maybe. But you agreed to the terms and conditions when you opened the shrink-wrap on your new iPhone, and those terms say that they aren't responsible for anything. (The same goes for Microsoft and Windows. Bugs don't cost them anything. But that is a story for another day.) Are you going to quit using your iPhone because of any of this?

The Register asked Apple to comment, but the brick wall did not respond.

Heh.

1 comment:

  1. They got you.

    Initially, computers were the gamed of dedicated nerds. Now "smart" phones are an over-priced status appliance that has a pretty case and which causes most illiterate users to struggle when trying to make a phone call. Most users don't even have a clue how dangerous their cute little toys are. Privacy is a joke and your bank or credit card is just a few clicks away from a hacker in Moscow or Wuhan. All the users care about is the pictures and the crummy music. Apple, Microsoft, et al. have protected themselves with lawyers and a wall of argle-bargle that the common user can't escape.

    I have been in one auto accident and helped clean up after aother as well as a few "industrial incidents" . Touch screens are "iffy" on a good day in sane family room. In the field, with mud, debris and blood, they are a joke. Geezer buttons for me. Even so, with my new "flip phone" I spent hours after dinner turning off "features" and "permissions". Even so, it is clear that if I care, popping the battery is necessary before sticking the toy into a Faraday Bag. I leave no critical info on Biden's listening device, . The Phonies and ISPs have offices for the Democratic Party in all their main switch centers, but let them work for it. The new shiney toys from China are insecure by design. You are a fool to think otherwise.

    ReplyDelete

Comment Moderation is in place. Your comment will be visible as soon as I can get to it. Unless it is SPAM, and then it will never see the light of day.

Be Nice. Personal Attacks WILL be deleted. And I reserve the right to delete stuff that annoys me.