Apple's Lack of Bug Bounty Program May Explain Why Hackers Would Help FBI

On Wednesday, it was reported that FBI has contracted Cellebrite, an Israeli software provider specializing in mobile phone forensics, for $15,000 to break into the iPhone. It is believed that Cellebrite knows of a flaw in the iPhone which could allow circumvention of iOS' built-in security layers. Cellebrite could have worked with Apple on this flaw, but it chose to help FBI instead. It doesn't take rocket science to understand why Cellebrite chose to take the other route. The New York Times says that many security firms and hackers would love to work with Apple to further improve its products, but they don't because of a lack of incentive. There's little to no monetary incentive in helping the company with finding loopholes in its products. Apple -- unlike a number of Silicon Valley giants including Facebook, Microsoft, Google, Mozilla, and recently added to the list, Uber -- doesn't maintain a Bug Bounty program. Nicole Perlroth and Katie Benner report for the Times: When hackers do find flaws in Apple's code, they have little incentive to turn them over to the company for fixing. [...] Apple, which has had relatively strong security over the years, has been open about how security is a never-ending cat-and-mouse game and how it is unwilling to engage in a financial arms race to pay for code exploits. The company has yet to give hackers anything more than a gold star. When hackers do turn over serious flaws in its products, they may see their name listed on the company's website -- but that is it. That is a far cry from what hackers can expect if they sell an Apple flaw on the thriving underground market where a growing number of companies and government agencies are willing to pay hackers handsomely.

Re:"because of a lack of incentive"

[Lab+Rat+Jason]

Let me offer you an alternative interpretation:

The FBI has known what was on that phone for a LONG LONG time, because they've always had the ability to break into the phone. They realized that they're not going to get the court precedent they wanted, so now it's time to humiliate apple by paying Celebrite to play along like they are the ones that hacked the phone. This gives the FBI three things:
1) The ability to claim that their tech isn't that great, thus keeping their enemies in the dark.
2) Being able to save face and NOT set the precedent in the opposing direction (because they can drop the case which results in no precedent being set)
3) They can throw some egg on Apple's face saying that "an Israeli company" had the ability to break into the phone. (Notice that it's not a foreign government that has this capability), playing on the xenophobia of stupid Americans.

This has always been and always will be a political fight, not a technical one.

Re:What?

[shawn2772]

So you're claiming that a company who specializes in helping government break into phones and do a forensic analysis on phones would rather take a meager bug bounty than potentially earn millions by aiding government spying and investigation? Yes that makes perfect sense. Do these NYT authors know that NASA is hiring rocket scientists?

While you're right, that doesn't change the fact that Apple is foolish for not running a bug bounty program. It's not a question of engaging in a "financial arms race", it's about creating an incentive for external researchers to help you improve your product. You can spend $250K annually to hire one good researcher who will spend all of his time exploring a small number of attack vectors, or for the same amount of money you can get the benefits of the part-time work of dozens of good people exploring a large number of attack vectors. The latter will be a lot more effective. Or you can spend, say, $5M annually to hire your own large team and probably find more bugs internally than are reported externally... but you will still get many more, and very cheaply, if you offer a bounty.

Vulnerability research isn't a simple matter of X person hours yield Y benefit. It depends tremendously on the avenues explored and the clever ideas the researcher has... and even the best researchers have, individually, a limited number of clever ideas and novel approaches. More (qualified) eyes are better, even if each pair is looking less.

Bug bounties are also a really good practice just to sweep up all of the low-hanging fruit. If you offer $10K, you'll get all of the vulns that would sell to reputable buyers for that much or less, and those that would sell for two or three times that much to shady buyers. You won't get the $100K or $1M bugs, sure, but you'll still get very good value for your money.

I wonder if Apple doesn't have another concern, though, which is that perhaps they don't want to make iOS too secure. While they don't want to offer a legitimate way to root their devices, they may also not want to completely shut out the fairly large minority of iOS users who jailbreak. So they may want to leave some low-hanging fruit. That would be harder if all of that low-hanging fruit were consistently reported through an official channel. I'm obviously speculating here, and probably completely off base.

(Aside: I think it's going to be interesting to see what happens in the Android world over the next couple of years, because SELinux, monthly patch cycles, verified boot and a few other security improvements are moving us to a state where many Android devices -- perhaps nearly all of them from first tier OEMs -- will be unrootable. Some of them are there now. Will this provoke people to buy unlockable devices (e.g., Nexus), or will it encourage them to switch to iOS so they can jailbreak?)

(Disclaimer: I work for Google but I'm speaking only for myself. Any correspondence between my views and official company positions is coincidental, and probably means that the company should re-think.)

Re:"because of a lack of incentive"

[UnknowingFool]

The FBI has known what was on that phone for a LONG LONG time, because they've always had the ability to break into the phone. They realized that they're not going to get the court precedent they wanted, so now it's time to humiliate apple by paying Celebrite to play along like they are the ones that hacked the phone.

Except that Apple already said in their response that the FBI hasn't tried any alternate means before rushing to the court to order Apple to work for them. Congress also grilled the FBI if they tried other means and the answer was they exhausted all alternatives. It appears that they didn't. If I were Apple, I'd throw that in their face.