Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Bug Hunter Urges Apple To Change Its iOS Security Culture; Asks Tim Cook To Donate $2.45 Million To Amnesty For His Unpaid iPhone Bug Bounties (threatpost.com)

Posted by msmash on from the how-about-that dept.

secwatcher writes: Prolific Google bug hunter Ian Beer ripped into Apple on Wednesday, urging the iPhone maker to change its culture when it comes to iOS security. The Verge: "Their focus is on the design of the system and not on exploitation. Please, we need to stop just spot-fixing bugs and learn from them, and act on that," he told a packed audience. Per Beer, Apple researchers are not trying to find the root cause of the problems. "Why is this bug here? How is it being used? How did we miss it earlier? What process problems need to be addressed so we could [have] found it earlier? Who had access to this code and reviewed it and why, for whatever reason, didn't they report it?" He said the company suffers from an all-too-common affliction of patching an iOS bug, but not fixing the systemic roots that contribute to the vulnerability. In a provocative call to Apple's CEO Tim Cook, Beer directly challenged him to donate $2.45 million to Amnesty International -- roughly the equivalence of bug bounty earnings for Beer's 30-plus discovered iOS vulnerabilities.

39 of 79 comments (clear)

  1. From Google? by Anonymous Coward · · Score: 1

    The company with the most Swiss cheese mobile OS on the market today? Unbelievable.

    1. Re:From Google? by Anonymous Coward · · Score: 1, Interesting

      "The Box", is simply a PR trick invented to provide a win-win for Apple and the Government.

      1. Apple spawns new company under untraceable ownership.
      2. Comply with government requests to unlock phones by providing the fake company vulnerabilities.
      3. Win with consumers because they don't know it's Apple selling backdoors,

      The whole thing reeks of a collaboration with the government to both comply with FISA/NSLs and appeal to consumers by pretending not to at the same time.

      Wake up.

    2. Re:From Google? by DarkOx · · Score: 1

      Or if you are cynical it suggests Apple wants to have it both ways. They want to show the public they are not kowtowing to anyone and offering consumers good privacy protection. At the same time they don't want to make the devices so secure LEOs can't get into them when the crimes get serious enough to justify paying some security "researchers" a few hundred thousand dollars. I for one think Tim Cook is not dumb.

        I suspect he was pretty confident for example that the FBI was going be able to get into the San Bernardino shooter's iPhone without Apple's help. I suspect strongly Apple would have cooperated and assisted in unlocking the phone if they had believed that was the only way the FBI was going to get access in a timely fashion. If the FBI had not got access to that phone what do think the mainline political conversation pushed by the news outlets and repeated congressional caucus talking points would have been? Face facts they public values privacy but they are more scared of 'teh terrorists..' had the situation come to a head and the conversation about the iPhone angle moved out the technical press and into the main headlines the outcome would have been different. The regulators would have had their excuse...

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    3. Re:From Google? by TheFakeTimCook · · Score: 3, Insightful

      You can buy a device that unlocks the supposedly super secure iPhone. Every time they update the iPhone software and hardware, the device gets updated very quickly. That strongly suggests that he is right, Apple just fix each bug as they find it and don't fix the underlying flaws.

      On the other hand, no such box exists for Google Pixel phones, for example.

      No.

      It strongly suggests that that device maker is being helped with Industrial Espionage.

    4. Re:From Google? by omnichad · · Score: 1

      If that were true (not totally discounting it), it would also be a way to actually get paid for all that effort rather than doing it for free or nearly free.

    5. Re:From Google? by Demena · · Score: 1

      Yep, if this is not sarcasm then it just is not rational.

    6. Re:From Google? by TheFakeTimCook · · Score: 1

      apple is great at Industrial Espionage. Its a slimy shitshow of a company

      Citation or STFU.

    7. Re:From Google? by tsa · · Score: 1

      Feeding trolls makes them worse.

      --

      -- Cheers!

    8. Re:From Google? by Demena · · Score: 1

      Given the lack of actual facts supplied in your post it remains an unsubstantiated, unquantified allegation. ie. noise.

      Please support your assertions or shut the fuck up.

    9. Re:From Google? by TheFakeTimCook · · Score: 1

      Feeding trolls makes them worse.

      I assume you mean the AC, right?

    10. Re:From Google? by tsa · · Score: 1

      Indeed.

      --

      -- Cheers!

    11. Re:From Google? by TheFakeTimCook · · Score: 1

      Indeed.

      ;-)

  2. He missed something...no surprise by malchus842 · · Score: 3, Insightful

    Apple does have a well-thought-out security design. Maybe there are things wrong with it, but to say they 'just fix bugs' and don't think about overall security ignores the truth. But I suppose that's what you get when you're click-seeking. See: https://www.apple.com/business... Can we find holes in that? I'm sure. But they do have a plan. And that's the public one. I'd wager there's an even more detailed internal one.

    1. Re:He missed something...no surprise by Anonymous Coward · · Score: 2, Interesting

      You're kidding, right?

      Apple's stance on bugs is "we don't care until it makes the press."

      Remember that bug where you could log in as root with a blank password on almost every Mac? Turns out Apple knew about it for months. They only bothered fixing it when the tech press found out about it.

      This is pretty much the only way security fixes ever happen for Apple products: the tech press hears about the flaw, then Apple decides "OK, now we'll fix it."

    2. Re:He missed something...no surprise by Jaime2 · · Score: 5, Insightful

      Guy who found more than 30 iOS bugs says he sees a pattern that indicates Apple is failing at the fundamentals. Guy with access to a PDF say he's wrong. Guess who has the stronger case?

    3. Re:He missed something...no surprise by bill_mcgonigle · · Score: 4, Interesting

      No, you're talking about something completely different. Back when Apple was working on the 5S, and they developed the whole Secure Enclave architecture, it did have some really good engineers working out good security for system. What this guy's talking about is the past few years where they have the iOS bugs that have been identified, patched, and then in the next go-round we find out that they only patched the extremely specific bug, on one line. The next exploit is a few lines down, the same darn thing, in a slightly different way. The most likely explanation for this is that they lost the talent that was working there, making the system good. Why would top people stay when Apple doesn't innovative any more? It's clear from the results that they lost their performance engineering people, for about four major iOS releases, with only iOS 11 having any kind of decent performance again. Now that they are going into the thought police business, good luck getting anyone worth their salt to work there.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:He missed something...no surprise by orlanz · · Score: 3, Informative

      So true. Our company's iOS count is in the mid 5 digit range. And early on, there was a Exchange Calendar glitch that we just couldn't solve. It would only appear on iOS and not the numerous non-iOS devices.

      It took us MONTHS to get Apple to even see that there was an issue. Some guy in a forum figured it out but it took us MONTHS to have them accept that it was an issue with how they implemented the ActiveSync protocols. It took almost 18 months for Apple to actually fix the problem (the fix itself was fairly simple, related to assigning a meeting ID properly).

      On one meeting, we were literally told. "Corporate isn't really our target audience, so this is a low priority issue." Which is FINE, just don't be telling us this 6 months into the discussions! Atleast accept the fact that something is wrong and put a communication about it.

    5. Re:He missed something...no surprise by TheFakeTimCook · · Score: 1

      Apple does have a well-thought-out security design. Maybe there are things wrong with it, but to say they 'just fix bugs' and don't think about overall security ignores the truth. But I suppose that's what you get when you're click-seeking.

      See: https://www.apple.com/business...

      Can we find holes in that? I'm sure. But they do have a plan. And that's the public one. I'd wager there's an even more detailed internal one.

      Yeah. It is EXTREMELY suspicious why a non-Apple "engineer" would have ANY special knowledge of what Apple's bug-fixing policies are.

      EXTREMELY suspicious.

      Or, as is much more likely, he is talking out his ass.

    6. Re:He missed something...no surprise by TheFakeTimCook · · Score: 1

      This is pretty much the only way security fixes ever happen for all "$OEM" products: the tech press hears about the flaw, then the $OEM decides "OK, now we'll fix it."

      FTFY.

    7. Re:He missed something...no surprise by johanw · · Score: 1

      Not that Google is much different - for example the free-speech social network Gab ( https://gab.ai/ ) is not available in either appstore.

    8. Re:He missed something...no surprise by Dr.+Evil · · Score: 1

      "Corporate isn't really our target audience, so this is a low priority issue."

      This has always been stunning to me about Apple. They're madly successful and have machines snuck in the back doors of corporate, but they seem to show no interest in selling hardware into corporate.

      Even the AppleID scheme is a pain in the butt in Corporate environments. Who owns the Apple ID? My last talk with Apple, they said they would have the employee carry it from employer to employer... We preferred to give the employees Apple IDs and $50 gift cards for the itunes store to re-buy whatever dumb utilities they needed and bigger purchases on a case-by-case basis.

      Else the employee exit process requires employees to un-link the corporate machine from their personal ID. These are not things at the top of mind when an employee is leaving.

    9. Re:He missed something...no surprise by captaindomon · · Score: 1

      "Corporate isn't really our target audience, so this is a low priority issue." Yeah, corporate SALES are not their target SALES audience. Guess who is their target audience? Higher-income corporate employees, mostly. Who need to connect to their work accounts. It's amazing how narrow-sighted their approach to playing nicely with ActiveSync is. It makes all of their most valuable individual customers extremely frustrated.

      --
      Just because I can hook a shark from a boat, I do no offer to wrestle it in the water.
    10. Re:He missed something...no surprise by 93+Escort+Wagon · · Score: 2

      Ian Beer has found numerous, significant iOS bugs. Significant enough and low-level enough that two of his discoveries made the most recent two iOS jailbreaks possible. If he sees a pattern, it is assuredly there.

      --
      #DeleteChrome
    11. Re:He missed something...no surprise by Registered+Coward+v2 · · Score: 1

      Apple does have a well-thought-out security design. Maybe there are things wrong with it, but to say they 'just fix bugs' and don't think about overall security ignores the truth.

      His point seems to be not that Apple doesn’t have well thought out security system but rather how they respond to bugs. Patching them is important but he is advocating also looking at the root causes of how they came into being so you can rework process to reduce the chances bugs are introduced. Patching problems rather than fixing causes is not unusual, I once had a plant manager tell me he didn’t have time to fix small problems because he had too many big ones. He was not happy when I pointed out the causes of both were usually the same, just some of the small ones never became big ones because of quick intervention or sheer luck.

      --
      I'm a consultant - I convert gibberish into cash-flow.
  3. Re:HAHAHAHA by Type44Q · · Score: 1

    Android is a security nightmare,

    That's why I still can't unlock the bootloader on this fucking S8+.

    Moron, I almost wish you were right. ;)

  4. He fails to understand the point of Apple products by Anonymous Coward · · Score: 1

    Why would a jewelry maker be interested in security?
    You could remove the touch screen and replace it by a "predictive AI" user interface animation that does what it assumes is most likely what the "owner" wants to see, and half the Apple clients would take longer to notice, than the lifetime of the soldered-in battery.

    Google shouldn't talk about security anyway, when their primary business model is snooping on users to enable sleazebags to lie to them (aka advertisement) and rip them off better.

  5. Software security condundrum by jellomizer · · Score: 4, Insightful

    You have software that took months/years to plan and develop.
    A problem is found.
    You need to Fix it Fast, before it goes out to the wild.
    It will need to be tested to make sure it doesn't break compatibility or break something else.

    If asked to change the infrastructure for every time there is a bug. The fix will take years to get out, and a new infrastructure will introduce new flaws untested.

    A security first design of software made in the 1980's would just have a password login and permissions on what the user could see and do.
    1990's Memory checking and limitation to prevent buffer overflow
    2000's Memory randomization and removing from an ask to allow to don't allow, and you will need to do extra work to allow.
    2010's Application Sand-boxing, Full Encryption, tiered design, redundant checking...

    iOS being a product of the 2000's Is actually stronger then some other systems, but it has a lot of once good practices which are now bad practices in-place. But there hasn't been a massive iOS outbreak of security issues. Like with Windows a decade ago. Makes me figure that the current patching routine is still good enough.

    Will they need an architectural redesign in the future. Probably. Like when Apple moved from MacOS (Classic) to OS X. They will need to upgrade iOS to a new system at some point just to stay current.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Software security condundrum by orlanz · · Score: 2

      Delaying a release for a better fix is not what Mr Beer is complaining about. Basically he is saying Apple releases a bug fix (assuming they agree it is important enough) and then just moves on. They don't do a process or infrastructure review to see if other similar bugs exist or if future similar bugs will be created.

      Few bugs actually need infrastructure changes. But many bugs hint at process problems that could have been prevented and could still be prevented.

      This ignorance is generally true of most companies. However, Apple really takes it to a new level.

    2. Re:Software security condundrum by Anonymous Coward · · Score: 1

      Few bugs actually need infrastructure changes. But many bugs hint at process problems that could have been prevented and could still be prevented.

      Two recent Apple bugs are perfect examples of this: "goto fail" and "passwordless root." Both are symptoms of either Apple not testing, or more likely, Apple only doing positive testing (this works with the values it's supposed to), but never any negative testing (this fails properly when given bad values). As I recall, both bugs were also likely caused by bad merges: fixes were merged from other branches but done incorrectly, so that essential "else if" blocks were missing from the final result, leaving the resulting code to allow various inputs to incorrectly fall through to default behavior.

      Both of those are process problems. Failing to do negative tests is a very common process flaw: it's very easy to write a "positive test" that ensures that a correct value produces a correct result. Writing a negative test is much harder and is why fuzzing is so important: it's fairly easy to come up with "obvious" wrong values but the pool of bad values is generally enormous, so it's very easy to write negative tests that miss scenarios which would cause wrong behavior.

      Bad merges are another common process problem, where merges are blindly accepted with no one reviewing the changes in them for correctness or, in some cases, that the changes were applied correctly. Proper testing can frequently "catch" a bad merge, but as above, it's clear Apple isn't doing complete testing.

    3. Re:Software security condundrum by jellomizer · · Score: 1

      It is still a case of back seat development.
      Sometime what may seem like they are not doing a full review, is actually an outcome of a full review. Sometimes that quick fix, is the safest fix. Because having to fix it across the board may be affecting a set of other systems.

      Lets say the fix for the USB hack into the phone is due to a software design problem needed for the Licensed repair team. If they fix the software to stop that hack, then the repair teams will need system updates as well, and need to make sure it works... Or you can just cut power off the data ports on the device, until a login turns them on. It is an easier fix, doesn't fix the core problem but good enough.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:Software security condundrum by TheFakeTimCook · · Score: 1

      If asked to change the infrastructure for every time there is a bug. The fix will take years to get out, and a new infrastructure will introduce new flaws untested.

      Precisely.

    5. Re:Software security condundrum by TheFakeTimCook · · Score: 1

      Apple really takes it to a new level.

      Unless you are actually ON the iOS OS Development Team, how would you know that?

    6. Re:Software security condundrum by jittles · · Score: 1

      Delaying a release for a better fix is not what Mr Beer is complaining about. Basically he is saying Apple releases a bug fix (assuming they agree it is important enough) and then just moves on. They don't do a process or infrastructure review to see if other similar bugs exist or if future similar bugs will be created.

      Few bugs actually need infrastructure changes. But many bugs hint at process problems that could have been prevented and could still be prevented.

      This ignorance is generally true of most companies. However, Apple really takes it to a new level.

      Now add to this the fact that Apple typically fails to merge fixes from master into dev and you have an issue where the team working on the next year’s release pushes out an OS that contains a lot of the security issues and other bugs that existed in the previous iteration and the new master branch takes a month or two to eventually get the fix from what was the previous version of the OS.

    7. Re:Software security condundrum by omnichad · · Score: 1

      Finally an explanation for why everyone always waits for an x.1 OS release for anyone Apple. I've done it, but I never knew why it was so bad.

  6. Re:HAHAHAHA by TheFakeTimCook · · Score: 1

    Google Bug Hunter, who couldn't make Android secure, tries to tell Apple how to do proper security ?

    Android is a security nightmare, it ranked way under other systems on that point. They have no solid grounds to talk to people about security.

    Exactly.

  7. Re:Ha ha ha, the CIA/NSA would not allow it by TheFakeTimCook · · Score: 1

    and Tim Cook is not interested in paying for fixing critical bugs. They make spying-devices branded as luxury phones, do you really think they will donate money or fix critical security bugs at the root?

    That is not what Apple does.

    Dumbass.

    Apple Engineers are SALARIED. It really doesn't matter WHAT they are working on; they cost Apple the same amount of money.

    Idiot.

  8. So much this. Must test the fail case by raymorris · · Score: 1

    > Two recent Apple bugs are perfect examples of this: "goto fail" and "passwordless root." Both are symptoms of either Apple not testing, or more likely, Apple only doing positive testing (this works with the values it's supposed to), but never any negative testing (this fails properly when given bad values). ...
    > Both of those are process problems. Failing to do negative tests is a very common process flaw: it's very easy to write a "positive test" that ensures that a correct value produces a correct result.

    Exactly. It is common. They tested that "it works" putting in the correct password gets you access. They totally forgot to test what happens when you DON'T put in the correct password - you still get access anyway.

    In the famous "go-to fail" bug, a TLS certificate was accepted of it was valid - and accepted just the same of it was invalid. They probably tested that worked, that it trusted a valid cert. But they didn't test that it did not trust an invoice cert.

    There is no "architectural redesign" required to start testing the negatives, checking that NOT entering a password does NOT log you in. It's just a policy change - all Pull Requests need at least two test logs attached - one showing that it does the new / positive thing when it should, one showing it does NOT do it when it shouldn't.

    At my own company, on my team, we recently had the same problem. We added some code to handle the eccentricities of a certain CDN (proxy network) whose engineers have obviously never glanced at the RFC for how proxies are supposed to work. Our code was basically:
    if (looks_like_akamai) {
            do_weird_akamai_stuff;
    }

    We tested that it did in fact invoke the special behavior for Akamai. We didn't test that it did NOT invoke the special behavior when it's NOT Akamai.

  9. Trying again with fewer typos by raymorris · · Score: 1

    Wow that had a lot of typos. Let's try that paragraph again:

    In the famous "go-to fail" bug, a TLS certificate was accepted if it was valid - and accepted just the same if it was invalid. They probably tested that it worked - that it trusted a valid cert. But they didn't test that it did not trust an invalid cert.

    There is no "architectural redesign" required to start testing the negatives, checking that NOT entering a password does NOT log you in.

  10. It's not an architecture issue by raymorris · · Score: 1

    Their major security bugs show a simple PROCESS issue, not an architectural issue.

    You don't have to completely rewrite the architecture in order to test that NOT entering a password, leaving the password field empty, doesn't log you in. You just have to start testing not only "it does the good thing with good input", but also "it does the negative / error case with bad input".

    Their famous "go-to fail" is another example. Their code was basically:
    If certificate is valid {
          trust the certificate
    }
    trust the certificate

    That bug would have been prevented by testing their "validate certificate" code with an invalid cert. They. Probably tested that it correctly trusted a valid certificate, but clearly never tested it with an invalid certificate. That's kind of important for code that's supposed to tell the difference between the two.

    See also this post and its parent:
    https://slashdot.org/comments....