Friday, June 7, 2024

No Bounty for Kaspersky

Alexander Martin (via Damien Petrilli):

Apple declined to issue a bug bounty to the Russian cybersecurity company Kaspersky Lab after it disclosed four zero-day vulnerabilities in iPhone software that were allegedly used to spy on Kaspersky employees as well as Russian diplomats.


Operation Triangulation, as the spying campaign was named, was “definitely the most sophisticated attack chain we have ever seen,” the Kaspersky researchers said, with an explanation of it including 13 separate bullet points.


On the same day as Kaspersky’s disclosure, Russia’s Federal Security Service (FSB) accused the United States and Apple of having collaborated to enable the U.S. to spy on Russian diplomats.


Although Kaspersky is not specifically sanctioned in the United States in relation to the Ukraine conflict, the Department of Homeland Security had previously banned its products from government use on security grounds due to the level of control anti-virus software requires on a computer and the risks attached to that control for a company based in Russia.

See also: MalwareTips.


Update (2024-06-12): Arin Waichulis (Hacker News):

Galov even proposed that Kaspersky donate the bounty to charity, but Apple rejected this, citing internal policies without explanation. It’s not uncommon for research firms to donate bounty payments from large companies to charity. Some perceive it as an extension of their ethical obligation, but it undeniably contributes to a positive reputation within the security community.


According to Apple’s Security Bounty Program, the reward for discovering such vulnerabilities can be up to $1 million. It’s crucial to maintain this reward, as non-reported iOS zero-days can sell for well north of a million dollars in corners of the dark web.


Additionally, per Apple Security Bounty’s terms and conditions, “Apple Security Bounty awards may not be paid to you if you are in any U.S. embargoed countries or on the U.S. Treasury Department’s list of Specially Designated Nationals, the U.S. Department of Commerce Denied Person’s List or Entity List, or any other restricted party lists.”

It doesn’t seem like giving it to charity would violate the sanctions.

Nick Heer:

Kaspersky discovered this malware. It has affected devices running versions up to iOS 15.7, and it has been seen in use as early as 2019.

Dan Goodin (via Hacker News):

According to officials inside the Russian National Coordination Centre for Computer Incidents, the attacks were part of a broader campaign by the US National Security Agency that infected several thousand iPhones belonging to people inside diplomatic missions and embassies in Russia, specifically from those located in NATO countries, post-Soviet nations, Israel, and China. A separate alert from the FSB, Russia's Federal Security Service, alleged Apple cooperated with the NSA in the campaign. An Apple representative denied the claim.

Kaspersky Lab (via Hacker News):

This script allows scanning iTunes backups for indicators of compromise by Operation Triangulation.
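For readers who want to see what "scanning an iTunes backup for indicators" looks like mechanically, here is an added example that is not Kaspersky's triangle_check and not code from this post. It assumes the standard backup layout (a Manifest.db SQLite database whose Files table has fileID, domain, relativePath, flags and file columns, with each backed-up file stored on disk under sha1(domain + "-" + relativePath)). The indicator pattern it matches is a constructed placeholder (com.example.hypothetical), not an Operation Triangulation indicator; the real list is published by Kaspersky and would be dropped in its place.

```python
"""Scan an iTunes/Finder backup's Manifest.db for paths matching indicator patterns.

Added illustration only; not Kaspersky's triangle_check. The IoC pattern is a
constructed placeholder so the example runs offline.
"""
import hashlib
import os
import re
import sqlite3
import tempfile

# Placeholder indicator: regex over "domain:relativePath". Constructed for the
# demo; a real scan would load the vendor's published indicator list here.
PLACEHOLDER_IOCS = {
    "hypothetical-dropper": re.compile(
        r"^HomeDomain:Library/Caches/com\.example\.hypothetical/.+$"
    ),
}


def backup_file_id(domain: str, relative_path: str) -> str:
    """Backup files are stored as <id[:2]>/<id> where id = sha1(domain-relativePath).

    E.g. HomeDomain / Library/SMS/sms.db -> 3d0d7e5fb2ce288813306e4d4636395e047a3d28
    """
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def scan_manifest(manifest_path: str, iocs=PLACEHOLDER_IOCS) -> list:
    """Return a list of hits; each hit says which indicator fired and where the
    matching file lives inside the backup directory (read-only open)."""
    conn = sqlite3.connect(f"file:{manifest_path}?mode=ro", uri=True)
    try:
        rows = conn.execute("SELECT fileID, domain, relativePath FROM Files").fetchall()
    finally:
        conn.close()

    hits = []
    for file_id, domain, rel in rows:
        key = f"{domain}:{rel}"
        for label, pattern in iocs.items():
            if pattern.search(key):
                hits.append({
                    "label": label,
                    "domain": domain,
                    "relativePath": rel,
                    "fileID": file_id,
                    # path of the actual file inside the backup folder
                    "on_disk": os.path.join(file_id[:2], file_id),
                })
    return hits


def build_sample_backup(directory: str) -> str:
    """Construct a minimal Manifest.db mirroring the real Files schema (sample data)."""
    path = os.path.join(directory, "Manifest.db")
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    sample_rows = [  # constructed entries: two benign, one matching the placeholder
        ("HomeDomain", "Library/SMS/sms.db"),
        ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG"),
        ("HomeDomain", "Library/Caches/com.example.hypothetical/payload.bin"),
    ]
    for domain, rel in sample_rows:
        conn.execute(
            "INSERT INTO Files VALUES (?, ?, ?, ?, ?)",
            (backup_file_id(domain, rel), domain, rel, 1, None),
        )
    conn.commit()
    conn.close()
    return path


def demo() -> list:
    """Build the constructed backup in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        return scan_manifest(build_sample_backup(d))


if __name__ == "__main__":
    for hit in demo():
        print(hit["label"], hit["domain"], hit["relativePath"], "->", hit["on_disk"])
```

Matching on Manifest.db rather than on file contents is deliberate: it works on encrypted backups as long as the manifest is readable, and it never executes or parses the suspect files. The fileID derivation is what lets an analyst pull the matching artifact out of the backup folder for further analysis.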


Old Unix Geek

I remember watching a presentation the Kaspersky guys did on that. It was a jaw-droppingly bad set of bugs. If Kaspersky were working with the Russian Government, you'd expect them to keep quiet about it, so that the FSB could exploit it. But they didn't, suggesting they aren't working with the FSB.

I find it pretty pathetic that Apple doesn't consider this level of bug worth a reward. It suggests their "privacy" assurances aren't worth very much, and also that the attack might have been done by a government that has the power to seal Apple's lips.

I think if you have a bounty program the amounts per exploit/type should be published and predetermined. The policy shouldn’t be “maybe we’ll pay you if we feel like it.”

Isn't this par for the course? I feel like we get "Apple doesn't pay out bug bounties" as headlines quite often. Honestly, I have no faith in the company.

Maybe Apple doesn't feel obligated to honor the bounty program if someone uncovers vulnerabilities that were a feature rather than a bug.
