Apple Releases Dedicated Security Researcher Device

Originally published at:

In an effort to encourage more security researchers to look for security vulnerabilities in iOS, Apple will provide approved researchers with a Security Research Device, a custom iPhone with key security controls disabled. It’s a good way for Apple to engage more fully with the security community.

Great initiative. I am not a security expert, but doesn’t the fact that Apple is removing the software and hardware locks to allow access kind of undermine part of the program in that it removes the very blocks attackers are likely to try to crack, and which therefore are the most interesting parts to examine? On the surface it sounds like a company asking an outside party to do a security/penetration audit and then they remove the locks on the building to let the audit company inside… ?

Well yeah, but that’s why their limiting and vetting those allowed access to these locks-removed devices and then requiring them to release their findings only to Apple.

I think it’s more subtle than that, luckily. It would be more like a bank asking an auditor to evaluate the security of its safe-deposit box room, but making sure they could get in the front doors and past the lobby guards. Those initial layers of security are good and useful, but they make it a lot harder for researchers to explore the deeper levels.

@rmogull, what I’ve been pondering since we posted this is how this plays with Apple’s claim that it won’t put a backdoor in iOS. Obviously, the SRDs will be running a custom version of iOS that won’t be running on devices confiscated by law enforcement from suspects, but it seems to be introducing a bit of a gray area if it’s that easy for Apple to disable certain security features.

1 Like

The article says “SRD lacks code execution and containment capabilities on multiple levels of the hardware and software” (emphasis added). If custom hardware is essential to allowing security researchers expanded access, Apple still can’t comply with law enforcement demands to crack confiscated iPhones.

1 Like

Ah yes, good point—I glossed over that. If the SRDs really are special hardware, that addresses my concern almost completely. There’s still the concern of one of these things falling into the wrong hands, but I’ll bet Apple will have remote kill switches for them too.

1 Like