Apple has opened up its latest round of the Security Research Device (SRD) program, inviting security researchers to participate in testing the security capabilities of their unlocked devices. This program allows chosen researchers to explore and analyze the security features of Apple’s iOS.
While Apple proudly touts the iPhone as the most secure consumer mobile device globally, the company acknowledges that even experienced security researchers may face challenges in probing its security mechanisms. To facilitate this process, selected applicants will receive a specialized version of the iPhone 14 Pro, exclusively designed for security research purposes.
The SRD devices provided to researchers come with unique advantages. Unlike retail devices, these devices allow researchers to configure or disable iOS security settings that are typically unchangeable. Moreover, participants have the freedom to experiment with various actions, such as running custom kernel caches, executing arbitrary code with specific entitlement levels, manipulating NVRAM variables, and even installing custom firmware for emerging iOS 17 security features.
Apple’s initiative reflects their commitment to improving and fine-tuning the security of their devices. By collaborating with skilled security researchers, the company aims to strengthen its iOS security further, ensuring a safer and more robust experience for its users.
However, Apple has placed restrictions on the usage of these intentionally vulnerable devices by researchers. The company explicitly states on the application page that the specialized devices provided for the SRD program must be kept within the premises of the approved participants at all times. Additionally, access to the device is limited exclusively to those who have been given approval, so showcasing it to others is off the table.
Apple emphasizes that the selection process for the program is rooted in the applicants’ established history in security research, encompassing expertise on various platforms beyond just the Apple iPhone. This inclusive approach extends to institutions as well, as they are also encouraged to apply.
As part of the SRD program, any identified security flaws in the iOS software must be promptly reported to Apple. Notably, these reported vulnerabilities are eligible for Apple’s bug bounty program. The company has generously increased its maximum bounty to $500,000 in the past year, offering additional bonuses based on the severity of the identified security issue.
Apple’s proactive engagement with the security research community showcases its commitment to continually enhancing the robustness of its products. By collaborating with experienced researchers and incentivizing bug reporting, the company aims to ensure a more secure iOS experience for its users.
Apple has reported that since the launch of the SRD program in 2019, researchers participating in the program have successfully identified 130 significant, security-critical vulnerabilities. These discoveries have led to the submission of over 100 reports by SRD program researchers, resulting in numerous awards reaching up to $500,000. The median award granted stands at nearly $18,000.
Interested individuals can submit applications for the SRD program until October 31. Successful applicants will receive notifications about their participation in early 2024.
In a recent development, a group of hackers made headlines by infiltrating systems belonging to stalkerware company WebDetetive. The hackers claimed to have wiped the records of victim devices from the company’s system. Exploiting vulnerabilities within WebDetetive’s systems, the hackers accessed approximately 77,000 device records stored in its databases. However, they maintain that they did not steal the content from the victims’ devices.
WebDetetive markets itself as the leading spy app in Brazil, promoting its software as a means to discreetly monitor phone activities without the user’s knowledge. Ironically, it appears that WebDetetive failed to implement robust security measures for its own systems. The hackers assert that they effectively disrupted the network connections at the server level, rendering the platform non-functional and preventing any further data uploads from victim devices.
The unidentified hackers behind the recent breach of WebDetetive’s systems revealed their motivations by stating, “Because we could. Because #fuckstalkerware,” in a note included with a 1.5GB data dump from the platform.
In a concerning development, fast fashion retailer Forever 21 has taken its time to notify over half a million employees of a security breach that occurred in March, despite learning about it at that time.
According to a breach notification letter set to be distributed to 539,207 employees, sensitive information was exposed during the breach. Names, Social Security numbers, birthdates, bank account numbers, and health plan data were among the details stolen.
Forever 21 indicated that the breach was initiated in January, with attackers gaining access to their systems at various intervals until March 21, when the retailer detected and presumably addressed the incident.
The specifics of the breach are not clearly outlined in the notification letter, leaving room for speculation. While the company stated that there is no evidence of information misuse for fraudulent purposes or identity theft resulting from the breach, its wording resembles the assurances companies typically give after paying a ransom, though Forever 21 has not confirmed that a ransom was paid.