Wednesday, July 22, 2020

Apple Security Research Device Program

Apple (via Hacker News):

The Security Research Device (SRD) is intended for use in a controlled setting for security research only. Shell access is available, and you’ll be able to run any tools and choose your entitlements. Otherwise, the SRD behaves as closely to a standard iPhone as possible in order to be a representative research target.

SRDs are provided on a 12-month renewable basis and remain the property of Apple. They are not meant for personal use or daily carry, and must remain on the premises of program participants at all times. Access to and use of SRDs must be limited to people authorized by Apple.

[…]

Participation in the Security Research Device Program is subject to review of your application. Device availability is limited. Devices will not be available for all qualified applicants in the initial application period.

If you use the device to find a vulnerability, you have to report it to Apple and are not allowed to discuss it until Apple fixes it. Unfortunately, as with the bug bounty program, there’s a giant loophole: Apple could take a long time to fix it, decide they don’t want to fix it, or purposely impose a gag on vulnerabilities it doesn’t want disclosed. There’s no automatic delay after which you can publish if Apple decides to sit on it. We already have evidence of this being a problem from the bug bounty program.

It seems risky to join the program, both because you may end up muzzled and because it ties your hands regarding anything you figure out without using the SRD. Since you can’t prove you did it on your own, everything you do becomes subject to the SRD rules. You’d be setting yourself up to get sued.


Update (2020-07-22): Ben Hawkes (via Jeff Hunter):

It looks like we won’t be able to use the Apple “Security Research Device” due to the vulnerability disclosure restrictions, which seem specifically designed to exclude Project Zero and other researchers who use a 90 day policy.

Will Strafach:

No researchers or engineers on our end are participating (in an official/Guardian-affiliated capacity) due to the restriction Apple appears to impose on information disclosure.

Update (2020-07-27): Rich Mogull:

On the whole, Apple’s program requirements and restrictions appear reasonable, and I look forward to seeing how they work in practice. However, there is some risk that the program restrictions will muzzle some researchers while Apple sits on vulnerabilities. Apple’s track record for fixing issues has been pretty good in recent years, but we can’t dismiss this concern out of hand.

Peter Steinberger:

It’s sad that Apple thinks shell access is only useful for security engineers.

Update (2020-07-29): See also: Pwn20wnd.

Update (2020-08-11): David Shayer:

Based on Apple’s announcement, backed up by some logical deduction, we can speculate about how this program and the particular devices will work.

3 Comments

Jeff Hunter

Sounds like Google Project Zero won't be participating:

https://twitter.com/benhawkes/status/1286021329246801921

[…] As Michael Tsai notes, this restriction could inhibit program members from releasing other iOS vulnerability information discovered independently. Researchers might lack solid records defending the origin of an independent discovery and thus feel constrained by Apple’s restrictions. […]

Hopefully most will boycott!
