10.1 C
New York
Thursday, April 11, 2024

Apple’s Hackable iPhones Are Finally Here

Last August, Apple announced that it would distribute special iPhones to elite security researchers. The idea was to offer a device that had fewer constraints, allowing researchers to home in on security vulnerabilities more easily, without first having to work around standard iOS defenses. Starting today, you can apply to get your hands on one.

Apple is opening its security research device program to analysts with an established track record of finding iOS bugs, as well as those with expertise in other platforms who want to start on iOS. The company will loan the devices for a year with the possibility to renew, and participants will also gain access to new security forums focused on the devices. If researchers "find, test, validate, verify, or confirm" a vulnerability using one of the special iPhones, they must report it to Apple—and any relevant third parties—under the terms of the loan agreement.

Historically, relationships between Apple and the security industry have been strained, in part because Cupertino has offered so little visibility into iOS. The new research phones serve as something of an olive branch, with the added benefit of helping shore up iPhone security. Outside professionals can investigate iOS from different angles, helping find problems that may arise after an attacker bypasses iOS defenses.


Security researchers have until now had to resort to jailbreaks and third-party iOS emulators to gain that deeper insight. But Apple has aggressively attempted to swat down those efforts. The company sued the mobile development and security firm Corellium last year for making an iOS emulator. And Apple argues that jailbreaks, which are achieved by exploiting hardware or software vulnerabilities, result in imperfect research due to inherent differences from unadulterated iOS. Plus, most jailbreaks only work on outdated hardware and old versions of the firmware, Apple argues, because the vulnerabilities used to achieve jailbreaks get patched.

iOS-focused security researchers told WIRED on Wednesday that the new devices will be useful in many ways. They'll essentially grant unlimited permissions within the operating system so researchers can run code without iOS's typical limitations and analyze how other programs function. This will help researchers spot vulnerabilities, but it will also make it much easier for them to analyze how Apple's own software and third-party apps behave and manage data, whether that's assessing a prominent app like TikTok or possible spyware like ToTok.

"Security researchers have already proved to be rather successful at uncovering flaws in both iOS proper and security and privacy issues in third-party apps," says Patrick Wardle, an Apple security researcher at the enterprise management firm Jamf. "Armed with these new devices, they are likely only going to find more. Being able to audit and analyze third-party apps more easily on modern devices running the latest version of iOS would be lovely. It's ultimately a big win for Apple's users and Apple itself."

Wardle and others point out, though, that this level of openness and insight may not extend beyond the user-facing parts of the operating system. That would mean the special devices wouldn't help researchers analyze iOS's core "kernel," its boot-up procedures, the firmware that coordinates hardware and software, or hardware itself, like Apple's custom T2 security chip.

"The devices appear to give researchers unrestricted access only to a portion of iOS," says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. "It's a good start for vulnerabilities in user-facing apps and services, which can be easily fixed in an iOS update. But they appear to intentionally not allow poking at lower-level security mechanisms, which may be more difficult to fix."

Apple says that it carefully designed the research devices to behave like consumer products and give researchers as much insight as possible without inadvertently creating exposure or risk for the hundreds of millions of iOS devices deployed around the world. For example, the security-research devices are not the same as Apple's own internal development prototypes, known as "dev-fused" iPhones, which are much more flexible and open than consumer iPhones and leave many iOS security features disabled. Still, the new security-research devices are loaners for a reason, and they will presumably be carefully tracked and controlled by Apple.

"It is not known what these devices will allow yet. It seems reasonable to assume that Apple will give researchers additional software and tools to help with their research, but no information is available yet," says the jailbreaker known as "axi0mX," who discovered an unfixable Apple hardware bug that enables the "checkra1n" jailbreak in older iPhones. "I think research devices are a good idea, but it seems that Apple is doing the bare minimum here."

Ultimately, researchers say that the degree to which the new offering fosters goodwill depends on how helpful it turns out to be in practice. Strafach points out, for example, that researchers may be cautious about how they use the devices, fearing they might upset Apple and lose their access at the company's whim. And depending on the new device's limitations, researchers say it is unlikely to totally replace the other tools in the iOS analysis toolbox.

"For someone like me, who mostly looks at third-party apps, it will be very useful," Jamf's Wardle says. "But for hardcore vulnerability discovery, it may be limited. I can see this being just another option, like using checkra1n to get super low-level on older devices or an emulation/virtualization solution."

A special device from Apple isn't going to magically reveal and eliminate all iOS privacy and security issues. Given the small number of tools researchers have had at their disposal, though, anything that offers more insight is an important step forward.

Related Articles

Latest Articles