Apple opens up hacker-friendly iPhone to researchers at Black Hat

If you want one, all you need to do is be a distinguished cybersecurity researcher.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
2 min read
James Martin/CNET

The iPhone, with its iOS operating system, is known for its closed ecosystem -- an advantage that provides security for the 2 billion people using it. But for security researchers looking for vulnerabilities, it's a curse. Apple is now embracing hackers by offering special iPhones specifically for security researchers. 

Apple's head of security, Ivan Krstic, unveiled the new program at Black Hat, a cybersecurity conference in Las Vegas. These iPhones aren't the same as the ones you can buy in a store. They're specifically coded for developers who want to poke around iOS and Apple's hardware to find security flaws. 

Apple calls the special iPhone effort the iOS Security Research Device Program, and it'll be available next year. Anyone can apply to receive one of the phones, but Apple is handing out only a limited amount, and only to qualified researchers.

"This is an unprecedented fully Apple supported iOS security research platform," Krstic said at the conference. 

The devices will come with advanced debug capabilities, Krstic added. Think of these iPhones as a step below jailbroken iOS devices -- they won't be as open, but they'll provide enough details for security researchers to hunt for vulnerabilities.

The program was earlier reported by Forbes.

Companies often open up to hackers, with bug bounty programs, finding that outside security researchers can find vulnerabilities that their internal security teams might've missed. Security researchers find the bugs, and instead of selling them to hackers or using them for malicious purposes, they submit them to the bug bounty programs and earn cash rewards. 

In July, Google announced it was offering $30,000 to people who could find flaws in its Chrome browser. Apple also has a bug bounty program, through which it started offering $200,000 for security flaws at Black Hat in 2016.    

On Thursday, Apple announced changes to that program, now offering up to $1 million for a vulnerability that's persistent, could get kernel code execution, and didn't require victims to click on anything. 

"It is important for companies, especially those dealing with mounds of sensitive personal data, to have a public-facing way to report bugs and vulnerabilities," Marten Mickos, CEO of the bug bounty platform HackerOne, said in a statement.

These vulnerabilities are highly valuable because of how closed Apple's ecosystem is. After Apple announced its bug bounty in 2016, an outside group upped the ante and offered $500,000 for the flaws instead.

It's why the hacker-friendly iPhone will be handed out in a limited fashion -- to help prevent hackers from turning around and selling any vulnerabilities to hackers offering a higher price than Apple. 

"We want to attract exceptional researchers who have been focused on other platforms," Krstic said.