Some of the biggest names in the iPhone vulnerability research field have announced plans today to skip Apple’s new Security Research Device (SRD) program due to Apple’s restrictive rules surrounding the vulnerability disclosure process, which effectively muzzle security researchers.
The list includes Project Zero (Google’s elite bug-hunting team), Will Strafach (CEO of mobile security company Guardian), ZecOps (a mobile security firm that recently discovered a series of iOS attacks), and Axi0mX (iOS vulnerability researcher and the author of the Checkm8 iOS exploit).
What is the Apple SRD program
The Security Research Device (SRD) program is unique among smartphone makers. Through the SRD program, Apple has promised to provide pre-sale iPhones to security researchers.
These iPhones are modified to have fewer restrictions and allow deeper access to the iOS operating system and the device’s hardware, so security researchers can probe for bugs that they normally wouldn’t be able to discover on standard iPhones where the phone’s default security features prevent security tools from seeing deeper into the phone.
Apple officially announced the SRD program in December 2019, when the company also expanded its bug bounty program to include more of its operating systems and platforms.
However, while the company teased the program last year, it wasn’t until today that Apple actually launched it by publishing an official SRD website and emailing selected security researchers and bug hunters to invite them to apply for the vetting process needed to receive an untethered iPhone.
Restrictive new rule
This new website also contained the SRD program’s official rules, which security researchers haven’t had a chance to review in great detail.
But while the security community greeted Apple’s SRD announcement last year with joy, considering it a first step in the right direction, they weren’t very happy with Apple today.
According to complaints shared on social media, it was one particular clause that rubbed most security researchers the wrong way:
“If you report a vulnerability affecting Apple products, Apple will provide you with a publication date (usually the date on which Apple releases the update to resolve the issue). Apple will work in good faith to resolve each vulnerability as soon as practical. Until the publication date, you cannot discuss the vulnerability with others.”
The clause effectively allows Apple to muzzle security researchers.
The clause gives Apple full control of the vulnerability disclosure process. It allows the iPhone maker to set the publication date after which security researchers are allowed to talk or publish anything about vulnerabilities they discover in iOS and the iPhone while taking part in the SRD program.
Many security researchers are now afraid that Apple will abuse this clause to delay important patches and drag its feet on delivering much-needed security updates by postponing the publication date after which they’re allowed to talk about iOS bugs.
Others are afraid that Apple will use this clause to silence their work and prevent them from publishing anything about it.
Project Zero and others decide not to apply
The first to notice this clause and understand its implications was Ben Hawkes, the Google Project Zero team lead.
“It looks like we won’t be able to use the Apple ‘Security Research Device’ due to the vulnerability disclosure restrictions, which seem specifically designed to exclude Project Zero and other researchers who use a 90-day policy,” Hawkes said on Twitter today.
Hawkes’ tweet garnered a lot of attention in the infosec community, and other security researchers soon followed the team’s decision. Speaking to ZDNet sister site CNET, Will Strafach also said he won’t be joining the program because of this very same clause.
On Twitter, cyber-security firm ZecOps also announced it would skip the SRD program and continue hacking iPhones the old-fashioned way.
In a conversation with ZDNet, security researcher Axi0mX said they were thinking about not participating as well.
“Disclosure deadlines are standard practice in the industry. They are necessary,” the researcher said.
“Apple is requiring researchers to wait for an unlimited amount of time, at Apple’s discretion, before they can disclose any bugs found with Security Research Device Program. There is no deadline. This is a poison pill,” he added.
Alex Stamos, Facebook’s former Chief Information Security Officer, also criticized Apple’s move, which was part of a larger set of decisions the company has taken in recent months against the cyber-security and vulnerability research community, including a lawsuit against a mobile device virtualization company that helped security researchers track down iOS bugs.
It’s one thing to see no-name security researchers talk down a security program, but it’s another thing to see the biggest names in the industry attacking one.
Apple’s security programs are not well viewed
The fears that Apple might abuse the SRD program rules to bury important iOS bugs and research are justified for those who have followed Apple’s security programs. Apple has been accused of the exact same practice before.
In a series of tweets posted in April, macOS and iOS developer Jeff Johnson attacked the company for not being serious enough about its security work.
“I’m thinking about withdrawing from the Apple Security Bounty program,” Johnson said. “I see no evidence that Apple is serious about the program. I’ve heard of only 1 bounty payment, and the bug wasn’t even Mac-specific. Also, Apple Product Security has ignored my last email to them for weeks.
“Apple announced the program in August, didn’t open it until a few days before Christmas, and now still have not paid a single Mac security researcher to my knowledge. It’s a joke. I think the goal is just to keep researchers quiet about bugs for as long as possible,” Johnson said.