It’s been a rough few weeks for Apple when it comes to iPhone security. Earlier this month, Apple issued a security update to address a vulnerability capable of letting a malicious actor gain full access to everything on your phone. Even more jarring, it was a zero-click exploit: it didn’t require iPhone users to click on a link at all.
More recently, a security researcher named Denis Tokarev took Apple to task for ignoring his warnings about a handful of iPhone security flaws. Tokarev privately reported four separate, previously unknown iOS vulnerabilities to Apple. However, only one of them had been fixed by the time iOS 15 shipped. Tokarev grew so frustrated with Apple’s lack of communication that he ended up publishing the exploits publicly, turning the unpatched bugs into true zero-days.
Apple’s lack of communication regarding iPhone security
Between March and April, Tokarev found four iOS vulnerabilities and reported them to Apple through the company’s Bug Bounty program.
From there, things get murky. Over the next six months, Apple’s communication with Tokarev was minimal; the company last corresponded with him about the bugs in August. Worse, three of the four bugs were still unpatched six months after he brought them to Apple’s attention. Naturally, Tokarev became frustrated.
So, in early September, Tokarev told Apple that he would publish details of the exploits if he didn’t hear back. No reply came, and he did exactly that.
Apple apologizes to security researcher
Once the iPhone security exploits were made public, Apple started to garner some bad press. And, like clockwork, the company finally responded and apologized to Tokarev.
Apple’s email to Tokarev, as published by Motherboard, reads:
“We apologize for the delay in responding to you. We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance. Please let us know if you have any questions.”
Were the iPhone exploits serious?
This is an interesting question. Notably, even Tokarev concedes that the vulnerabilities weren’t critical. They are exploitable only by code already running on the device: an attacker would first have to get a malicious app past App Store review and onto a victim’s iPhone before any of them came into play.
That notwithstanding, the major issue here isn’t the severity of the vulnerabilities but Apple’s failure to communicate with the researcher who reported them.
Apple’s bug bounty program
Incidentally, The Washington Post a few weeks ago published an unflattering look at Apple’s Bug Bounty program. Some iPhone security researchers, for example, said Apple doesn’t always pay out what it owes for the vulnerabilities they report. Others said Apple is poor at maintaining open lines of communication with them. Some Apple employees claimed there is a backlog of reported bugs that Apple hasn’t had time to address yet.
“You have to have a healthy internal bug fixing mechanism before you can attempt to have a healthy bug vulnerability disclosure program,” Luta Security CEO Katie Moussouris said to the Post. “What do you expect is going to happen if they report a bug that you already knew about but haven’t fixed? Or if they report something that takes you 500 days to fix it?”
If Apple doesn’t improve the way it runs its Bug Bounty program, iPhone security researchers may simply take their findings elsewhere. Rival bug bounty programs from Facebook and Google also already pay out more in total than Apple’s does.
Tokarev’s blog post about his experience dealing with Apple is available here. It’s well worth a read, and it shows how poorly Apple’s security team handled its correspondence with him.