Apple's Lack of Bug Bounty Program May Explain Why Hackers Would Help FBI

← Back to Stories (view on slashdot.org)

Apple's Lack of Bug Bounty Program May Explain Why Hackers Would Help FBI

Posted by msmash on Thursday March 24, 2016 @02:00AM from the you-gotta-reward-people dept.

On Wednesday, it was reported that FBI has contracted Cellebrite, an Israeli software provider specializing in mobile phone forensics, for $15,000 to break into the iPhone. It is believed that Cellebrite knows of a flaw in the iPhone which could allow circumvention of iOS' built-in security layers. Cellebrite could have worked with Apple on this flaw, but it chose to help FBI instead. It doesn't take rocket science to understand why Cellebrite chose to take the other route. The New York Times says that many security firms and hackers would love to work with Apple to further improve its products, but they don't because of a lack of incentive. There's little to no monetary incentive in helping the company with finding loopholes in its products. Apple -- unlike a number of Silicon Valley giants including Facebook, Microsoft, Google, Mozilla, and recently added to the list, Uber -- doesn't maintain a Bug Bounty program. Nicole Perlroth and Katie Benner report for the Times: When hackers do find flaws in Apple's code, they have little incentive to turn them over to the company for fixing. [...] Apple, which has had relatively strong security over the years, has been open about how security is a never-ending cat-and-mouse game and how it is unwilling to engage in a financial arms race to pay for code exploits. The company has yet to give hackers anything more than a gold star. When hackers do turn over serious flaws in its products, they may see their name listed on the company's website -- but that is it. That is a far cry from what hackers can expect if they sell an Apple flaw on the thriving underground market where a growing number of companies and government agencies are willing to pay hackers handsomely.

42 of 73 comments (clear)

Min score:

Reason:

Sort:

Stupid article is stupid... by Anonymous Coward · 2016-03-24 02:03 · Score: 5, Insightful

So if Apple pays the hackers $10,000 then the hackers won't go to the FBI when the FBI offers them $100,000?
What if Spectre pays the hackers one millyun dollars? Would you then write an article about how it's Apple's fault they wrote those bugs in the first place allowing crime and not paying enough a bounty so that good and noble heroic autobot white hat hackers could get paid for their awesome work?
1. Re:Stupid article is stupid... by Shoten · 2016-03-24 02:22 · Score: 4, Insightful
  
  So if Apple pays the hackers $10,000 then the hackers won't go to the FBI when the FBI offers them $100,000?
  What if Spectre pays the hackers one millyun dollars? Would you then write an article about how it's Apple's fault they wrote those bugs in the first place allowing crime and not paying enough a bounty so that good and noble heroic autobot white hat hackers could get paid for their awesome work?
  You're onto part of the real point here...but only part of it. Cellebrite already makes their living doing this kind of thing; they're the primary producer of forensic tools for mobile devices. They used to do iPhones, back before it got so hard to hack them that it wasn't worth their time any longer. When troops in the field capture cellular devices and they want to know what is in them? They plug them into a Cellebrite device.
  So, 1, Cellebrite isn't 'hackers,' it's a company with a business model that focuses on pulling data out of devices when you don't have the PIN to unlock them. And 2, a bug bounty program isn't meant to deter companies from producing forensic tools.
  
  --
  
  For your security, this post has been encrypted with ROT-13, twice.
2. Re: Stupid article is stupid... by Desler · 2016-03-24 02:26 · Score: 1
  
  Assuming all that was true why would they choose a measly bug bounty over selling to intelligence agencies with unlimited black budgets? That defies logic.
3. Re:Stupid article is stupid... by Anonymous Coward · 2016-03-24 02:28 · Score: 2, Insightful
  
  So if Apple pays the hackers $10,000 then the hackers won't go to the FBI when the FBI offers them $100,000?
  I wouldn't put it past the FBI to pay someone $100k for an exploit which Apple already fixed.
  The point is that if you find a good exploit for an Apple product, you can either get a nice sticker to put on your fridge along with your crayon artwork, or you can go and sell it for a pile of money to law enforcement, security firms, or blackhat hackers on the 'darknet'. Then a bunch of people are running around with a Zero Day which Apple may not even be aware of.
  OR, Apple could start a 'bug bounty' program, where people can get paid to tell THEM about an exploit first, and they stand a chance of fixing the issue before it starts showing up in the wild.
4. Re:Stupid article is stupid... by Registered+Coward+v2 · 2016-03-24 02:47 · Score: 4, Informative
  
  So if Apple pays the hackers $10,000 then the hackers won't go to the FBI when the FBI offers them $100,000?
  What if Spectre pays the hackers one millyun dollars? Would you then write an article about how it's Apple's fault they wrote those bugs in the first place allowing crime and not paying enough a bounty so that good and noble heroic autobot white hat hackers could get paid for their awesome work?
  You're onto part of the real point here...but only part of it. Cellebrite already makes their living doing this kind of thing; they're the primary producer of forensic tools for mobile devices. They used to do iPhones, back before it got so hard to hack them that it wasn't worth their time any longer. When troops in the field capture cellular devices and they want to know what is in them? They plug them into a Cellebrite device.
  So, 1, Cellebrite isn't 'hackers,' it's a company with a business model that focuses on pulling data out of devices when you don't have the PIN to unlock them. And 2, a bug bounty program isn't meant to deter companies from producing forensic tools.
  Exactly. Forensic companies are unlikely to let vendors know what exploits they find because that eliminates one of their entry points once the bug is fixed; the NYT article points that out as well. A bounty program could make it financially unviable to keep trying to find holes in iOS but as it becomes more difficult to find exploits it also becomes more lucrative to sell them to others, white or black hat. Why collect 100K from Apple when you can sell the same exploit multiple times and make a lot more than that? The best outcome Apple could achieve is to make it so difficult and time consuming to find exploits that those with the technical skills to do so turn to easier targets. Sure, a dedicates lone hacker or two may find an exploit and so so simply of rtes challenge; but you only need one of them to turn it it to kill the bug. Recognition and some cash may be enough to convince one person to reveal the bug to Apple; and you only need one person for bounties to be effective. In the end, those who use exploits for financial gain will continue to search and keep their findings to themselves; those that do it for other reasons such as research or for recognition of their skills may be more willing to share what they find.
  
  --
  I'm a consultant - I convert gibberish into cash-flow.
5. Re:Stupid article is stupid... by Khyber · 2016-03-24 03:32 · Score: 1, Informative
  
  "So if Apple pays the hackers $10,000 then the hackers won't go to the FBI when the FBI offers them $100,000?"
  Correct. If the hackers know about it, and already got paid by Apple, as soon as the FBI finds out it's not a legit 'never-before seen' hack (because it has been reported and a prize claimed) then they'll be on that hacker's ass.
  Hackers have logic. Try using some of it some time.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
6. Re:Stupid article is stupid... by fustakrakich · 2016-03-24 03:47 · Score: 1
  
  What if Spectre pays the hackers one millyun dollars?
  One million dollars isn't exactly a lot of money these days.
  
  --
  “He’s not deformed, he’s just drunk!”
7. Re:Stupid article is stupid... by IamTheRealMike · 2016-03-24 04:46 · Score: 1
  
  This is the same Apple that at one point had more money than the entire US govt?
  If there's one company in the world that can start a bidding war with the FBI and win, it's Apple.
8. Re:Stupid article is stupid... by tlhIngan · 2016-03-24 05:07 · Score: 3, Informative
  
  So if Apple pays the hackers $10,000 then the hackers won't go to the FBI when the FBI offers them $100,000?
  You're off by an order of magnitude.
  The bug bounty for a zero-day iOS9 bug is $1,000,000 with up to $3,000,000 paid out in total.
  So yes, even if Apple offered $100K, when people are willing to spend millions on a bug, it's just an arms race.
9. Re:Stupid article is stupid... by chihowa · 2016-03-24 11:12 · Score: 1
  
  Why collect 100K from Apple when you can sell the same exploit multiple times and make a lot more than that?
  Because you run a legitimate business and don't want to get involved with shady mobsters, for one.
  If I discovered a flaw that Apple would pay me anything for, I would totally "sell" it to them instead of reaching out to my local crime syndicates. Maybe I've watched too many movies, but dealing with organized crime never seems to end well, especially as the dollar amount goes up and/or they get wind that you're re-selling the same product to their competition.
  
  --
  If you want a vision of the future, imagine a youtube comments section scrolling - forever.
10. Re:Stupid article is stupid... by RockDoctor · 2016-03-25 14:22 · Score: 1
  
  by Anonymous Coward on 2016-03-24 14:28 (#51768351) I wouldn't put it past the FBI to pay someone $100k for an exploit which Apple already fixed.
  
  Such a scurrilous and baseless allegation! I cannot for one second imagine why you chose to anonymously post this. It's not like the target of the allegation would be likely to send the SWAT team round to plant some good evidence on your computer and a cap in your ass.
  
  --
  Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
Isn't this enough to get into the phone? by Anonymous Coward · 2016-03-24 02:10 · Score: 1

Breaking into a 5c iphone:
https://www.aclu.org/blog/free...
1. Re:Isn't this enough to get into the phone? by mrclevesque · 2016-03-24 03:16 · Score: 1
  
  Yeah, it looks like that's how they'll get into the phone.
2. Re:Isn't this enough to get into the phone? by Khyber · 2016-03-24 03:35 · Score: 2
  
  I already offered to do so (in fact, my experience in the semiconductor field gives me a great advantage here and I've broken into every iPhone from the original to the 5C) but it's obvious they don't want to be outed by criminals for their own criminal behavior. They want a company they can bribe to stay silent.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
What? by jittles · 2016-03-24 02:12 · Score: 5, Insightful

So you're claiming that a company who specializes in helping government break into phones and do a forensic analysis on phones would rather take a meager bug bounty than potentially earn millions by aiding government spying and investigation? Yes that makes perfect sense. Do these NYT authors know that NASA is hiring rocket scientists?
1. Re:What? by shawn2772 · 2016-03-24 02:52 · Score: 4, Interesting
  
  So you're claiming that a company who specializes in helping government break into phones and do a forensic analysis on phones would rather take a meager bug bounty than potentially earn millions by aiding government spying and investigation? Yes that makes perfect sense. Do these NYT authors know that NASA is hiring rocket scientists?
  While you're right, that doesn't change the fact that Apple is foolish for not running a bug bounty program. It's not a question of engaging in a "financial arms race", it's about creating an incentive for external researchers to help you improve your product. You can spend $250K annually to hire one good researcher who will spend all of his time exploring a small number of attack vectors, or for the same amount of money you can get the benefits of the part-time work of dozens of good people exploring a large number of attack vectors. The latter will be a lot more effective. Or you can spend, say, $5M annually to hire your own large team and probably find more bugs internally than are reported externally... but you will still get many more, and very cheaply, if you offer a bounty.
  Vulnerability research isn't a simple matter of X person hours yield Y benefit. It depends tremendously on the avenues explored and the clever ideas the researcher has... and even the best researchers have, individually, a limited number of clever ideas and novel approaches. More (qualified) eyes are better, even if each pair is looking less.
  Bug bounties are also a really good practice just to sweep up all of the low-hanging fruit. If you offer $10K, you'll get all of the vulns that would sell to reputable buyers for that much or less, and those that would sell for two or three times that much to shady buyers. You won't get the $100K or $1M bugs, sure, but you'll still get very good value for your money.
  I wonder if Apple doesn't have another concern, though, which is that perhaps they don't want to make iOS too secure. While they don't want to offer a legitimate way to root their devices, they may also not want to completely shut out the fairly large minority of iOS users who jailbreak. So they may want to leave some low-hanging fruit. That would be harder if all of that low-hanging fruit were consistently reported through an official channel. I'm obviously speculating here, and probably completely off base.
  (Aside: I think it's going to be interesting to see what happens in the Android world over the next couple of years, because SELinux, monthly patch cycles, verified boot and a few other security improvements are moving us to a state where many Android devices -- perhaps nearly all of them from first tier OEMs -- will be unrootable. Some of them are there now. Will this provoke people to buy unlockable devices (e.g., Nexus), or will it encourage them to switch to iOS so they can jailbreak?)
  (Disclaimer: I work for Google but I'm speaking only for myself. Any correspondence between my views and official company positions is coincidental, and probably means that the company should re-think.)
2. Re:What? by Whorhay · 2016-03-24 09:28 · Score: 1
  
  This is what I was hoping to find in this discussion. It doesn't really matter whether or not Cellebrite would have turned in this vulnerability to Apple for some pittance of a bug bounty. But since they aren't offering any bounties it is unlikely that anyone else who also discovered this weakness would turn it in.
That's because Apple's appy app apps are bug-free! by Anonymous Coward · 2016-03-24 02:12 · Score: 2, Funny

Only LUDDITE companies making LUDDITE software have bugs. Apple's modern appy app apps are 100% appy and don't have any bugs!
Apps!
Flaw or brute force? by UnknowingFool · 2016-03-24 02:20 · Score: 2

From what I can tell from Cellebrite themselves that they are not taking advantage of a security or software flaw but simply copying the data repeatedly at chip level after failing the 10 attempt limit.

--
Well, there's spam egg sausage and spam, that's not got much spam in it.
Apple weak by fulldecent1341 · 2016-03-24 02:25 · Score: 1

Of course this article is over the top -- bugs will be worth more on the open market. However it is worth discussing. Apple does offer you something: acknowledgement on their website and a swift resolution of the problem. I have submitted a bug to Apple under this program that was acknowledged but have found that they leave much to be desired in this process. Replies from Apple on each email take about 30 days. No status reports are provided unless you ask. No details are provided whatsoever on the fix (from an academic perspective). For this first time I am following this process solely to see if it will work and so I may document for the public. However in the future I will be following my standard ethics / best practice with Apple just like every other company: "here's your vuln, I'm publishing in two weeks, please link to my blog when you announce this, call me if you need help or more time."
Re:"because of a lack of incentive" by slashdot_commentator · 2016-03-24 02:27 · Score: 1

Well companies like Celebrite are being responsible, because they're reporting the exploit to the FBI, and getting paid for it. Pragmatic security researchers then implement a kludge to minimize their exposure.
This allows them to "make a living" while dedicating their income earning time towards making their community more secure. Its children who think the world works on "right and wrong", and that actions which "reward" behavior labelled as bad should never be conducted. Of course, because they're clueless, they don't realize the consequences of impractical decisions that doesn't correspond to reality. If Apple doesn't offer to pay them to disclose their security holes, and the FBI doesn't offer to pay to disclose security holes, then criminal organizations will pay for those security holes. "Nyah Nyah Nyah, I don't want to listen to the obvious, let me sit in my useless, uncomfortable social justice armor".

--
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
Apple has more cash than the FBI by sjbe · 2016-03-24 02:30 · Score: 1

So if Apple pays the hackers $10,000 then the hackers won't go to the FBI when the FBI offers them $100,000?
Given that Apple has $200 Billion in the bank I'm pretty sure Apple can win that competition if they want to. The FBI's entire budget is something like $8 billion.
Re:"because of a lack of incentive" by Lab+Rat+Jason · 2016-03-24 02:47 · Score: 4, Interesting

Let me offer you an alternative interpretation:
The FBI has known what was on that phone for a LONG LONG time, because they've always had the ability to break into the phone. They realized that they're not going to get the court precedent they wanted, so now it's time to humiliate apple by paying Celebrite to play along like they are the ones that hacked the phone. This gives the FBI three things:
1) The ability to claim that their tech isn't that great, thus keeping their enemies in the dark.
2) Being able to save face and NOT set the precedent in the opposing direction (because they can drop the case which results in no precedent being set)
3) They can throw some egg on Apple's face saying that "an Israeli company" had the ability to break into the phone. (Notice that it's not a foreign government that has this capability), playing on the xenophobia of stupid Americans.
This has always been and always will be a political fight, not a technical one.

--
Which has more power: the hammer, or the anvil?
Re:Or! by marklark · 2016-03-24 02:52 · Score: 1

Except that they don't: https://linux.slashdot.org/sto...
Re:"because of a lack of incentive" by Khyber · 2016-03-24 03:33 · Score: 3, Informative

"How dare you! This is the entitlement generation. Apple owes us money."
Actually, when you look at the offshore tax avoidance, they most certainly do, as far as tax money goes.

--
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Undergtound market by oldmac31310 · 2016-03-24 03:53 · Score: 1

Yes indeed. The FBI are scum that lurk in the sewers of the underground market. But we knew that already.

--
http://www.acetonestudio.com
Re:Maybe, hackers just want to get the terrorists? by fustakrakich · 2016-03-24 04:01 · Score: 1

the FBI's attempts to find his accomplices (if any) is as crispy clean from both legal and ethical point of view as virgin snow.
:-) Always the comedian... You might want to polish up on the metaphors though.

--
“He’s not deformed, he’s just drunk!”
It's the money by nospam007 · 2016-03-24 04:12 · Score: 1

Well, the District attorney will pay 15000 for each and every of the hundreds of iPhones they want cracked, Apple would only pay once.
Re:"because of a lack of incentive" by slashdot_commentator · 2016-03-24 04:43 · Score: 1

Neither interpretation contradicts one another; they can both be valid. I wasn't addressing the motivation for the FBI to reveal their association with a security consulting firm. On the other hand, I was directly addressing the "snitches get stitches" trope that the OP seems to be suggesting.

--
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
Re:Maybe, hackers just want to get the terrorists? by mi · 2016-03-24 04:44 · Score: 1

Yeah, yeah, you just hate white...

--
In Soviet Washington the swamp drains you.
Re:That's because Apple's appy app apps are bug-fr by WallyL · 2016-03-24 04:52 · Score: 1

Bug bounties are for cows, moo?
Re:Maybe, hackers just want to get the terrorists? by fustakrakich · 2016-03-24 05:05 · Score: 1

Not really. crispy clean just made me kinda hungry for a doughnut.

--
“He’s not deformed, he’s just drunk!”
Re:That's because Apple's appy app apps are bug-fr by Marginal+Coward · 2016-03-24 05:08 · Score: 1

You forgot this one: Only PROPRIETARY SOFTWARE companies making CLOSED software have bugs. The gnuPhone's modern appy app apps are 100% free, and since enough eyeballs make all bugs shallow, they don't have any bugs - not even Heartbleed!
(Disclaimer: like its parent, the preceding comment was just a joke. Since no response is necessary for a joke, this comment is ipso facto not a "Troll.")
Re:"because of a lack of incentive" by UnknowingFool · 2016-03-24 05:18 · Score: 3, Interesting

The FBI has known what was on that phone for a LONG LONG time, because they've always had the ability to break into the phone. They realized that they're not going to get the court precedent they wanted, so now it's time to humiliate apple by paying Celebrite to play along like they are the ones that hacked the phone.
Except that Apple already said in their response that the FBI hasn't tried any alternate means before rushing to the court to order Apple to work for them. Congress also grilled the FBI if they tried other means and the answer was they exhausted all alternatives. It appears that they didn't. If I were Apple, I'd throw that in their face.

--
Well, there's spam egg sausage and spam, that's not got much spam in it.
Apple is smart by XXongo · 2016-03-24 06:03 · Score: 1

Apple is smart.
Basically, bug bounties mean you're paying freelancers to set up a working group to find exploits. And then hope that, once they have their group working well, that the group you paid to set up will sell their results to you, and only you.
Here's what Machiavelli said about mercenaries:

Mercenaries and auxiliaries are dangerous and unreliable. If a mercenary is talented, he will always be trying to increase his power at the prince's expense./blockquote?
1. Re:Apple is smart by schnell · 2016-03-24 06:29 · Score: 1
  
  And not just that - the article (or at least the summarized portion) makes the "hackers" in question sound like extortionists.
  If I find your wallet on the ground, if you are going to just say "thanks" to me for giving it back and not giving me a reward, does that make it in any way justifiable for me to give the credit cards in your wallet to a criminal just because the criminal will pay me?
  There is a perfectly legitimate argument to be made that because you don't give out rewards for lost wallets, I don't have much incentive to search for your wallet. But if I find it and then don't give it back to you because someone else will pay more? I just don't see how that is morally defensible.
  
  --
  "95% of all Slashdot .sig quotes are incorrect or completely fabricated." -Benjamin Franklin
Re:Three letter agencies are after you by Flavianoep · 2016-03-24 06:06 · Score: 1

But isn't iPhone's encryption enough to protect a particular user's data (as long as there is no one with enough resources trying to extract data from said phone)?

--
Linux is for people who don't mind RTFM.
Re:"because of a lack of incentive" by BronsCon · 2016-03-24 07:16 · Score: 1

And if they do manage to track you down, you submit working exploit code as evidence. They either drop the case before the exploit is entered into evidence (where it becomes a matter of public record a-la DeCSS) or, well, you were going away for it anyway, right?

--
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Re:It is part of apples corporate culture by sl3xd · 2016-03-24 09:57 · Score: 1

Just spout a vulnerability off in front of their sales people and see how they react.
Um...
I don't know what kind of interactions you've had with salespeople in general, but that reaction has nothing to do with Apple.
It's kind of like asking the your DB admin to do your dental work -- it's just not their field.

--
-- Sometimes you have to turn the lights off in order to see.
Re:Maybe, hackers just want to get the terrorists? by sl3xd · 2016-03-24 10:01 · Score: 1

To each their own, but when I think of positive attributes for a doughnut, crispy is not on the list.
In fact, crispy is near the top of the field labeled "negative attributes for doughnuts".

--
-- Sometimes you have to turn the lights off in order to see.
What? by dcw3 · 2016-03-25 00:04 · Score: 1

Wait, people want incentives to work? Oh, the horror! You mean that won't just do stuff for Kumbay, Utopia and altruism? My social justice model is broken.

--
Just another day in Paradise
Re:Maybe, hackers just want to get the terrorists? by mi · 2016-03-25 01:53 · Score: 1

"the ends justify the means, and all is fair in order to get them" ...
Which means do you find so objectionable as to require justification?

this from the guy who's always bitching about government overreach.
Thank you for paying some attention. Had you actually been smarter, you would've noticed, that my objections are always to government doing, what it should not be doing at all.
Prosecuting actual murderers is not on the list...

typical conservative hypocrit.
A typical Illiberal coward — posts anonymously so his precious down-mod survives...

--
In Soviet Washington the swamp drains you.