Apple Releases Dedicated Security Researcher Device

rmogull · July 23, 2020, 7:42pm

Originally published at: https://tidbits.com/2020/07/23/apple-releases-dedicated-security-researcher-device/

In an effort to encourage more security researchers to look for security vulnerabilities in iOS, Apple will provide approved researchers with a Security Research Device, a custom iPhone with key security controls disabled. It’s a good way for Apple to engage more fully with the security community.

LarsAGundersen · July 24, 2020, 10:27am

Great initiative. I am not a security expert, but doesn’t the fact that Apple is removing the software and hardware locks to allow access kind of undermine part of the program in that it removes the very blocks attackers are likely to try to crack, and which therefore are the most interesting parts to examine? On the surface it sounds like a company asking an outside party to do a security/penetration audit and then they remove the locks on the building to let the audit company inside… ?

Simon · July 24, 2020, 3:05pm

Well yeah, but that’s why their limiting and vetting those allowed access to these locks-removed devices and then requiring them to release their findings only to Apple.

ace · July 24, 2020, 8:21pm

I think it’s more subtle than that, luckily. It would be more like a bank asking an auditor to evaluate the security of its safe-deposit box room, but making sure they could get in the front doors and past the lobby guards. Those initial layers of security are good and useful, but they make it a lot harder for researchers to explore the deeper levels.

@rmogull, what I’ve been pondering since we posted this is how this plays with Apple’s claim that it won’t put a backdoor in iOS. Obviously, the SRDs will be running a custom version of iOS that won’t be running on devices confiscated by law enforcement from suspects, but it seems to be introducing a bit of a gray area if it’s that easy for Apple to disable certain security features.

cwilcox · July 24, 2020, 8:53pm

The article says “SRD lacks code execution and containment capabilities on multiple levels of the hardware and software” (emphasis added). If custom hardware is essential to allowing security researchers expanded access, Apple still can’t comply with law enforcement demands to crack confiscated iPhones.

ace · July 24, 2020, 10:20pm

Ah yes, good point—I glossed over that. If the SRDs really are special hardware, that addresses my concern almost completely. There’s still the concern of one of these things falling into the wrong hands, but I’ll bet Apple will have remote kill switches for them too.