Google Project Zero says no to Apple's SRD

Google Project Zero vs Apple: some of the biggest names in iPhone vulnerability research have announced that they will not take part in Apple's new Security Research Device (SRD) program because of the company's restrictive rules on vulnerability disclosure.

The list includes Project Zero (Google's elite bug-hunting team), Will Strafach (Guardian CEO), ZecOps (a mobile security company that recently discovered a series of iOS attacks) and Axi0mX (iOS researcher and author of the Checkm8 iOS exploit).

What is the Apple SRD program?

The Security Research Device (SRD) program is unique among smartphone makers. Through the SRD program, Apple promised to provide specially configured iPhones to security researchers.

These iPhones are modified to have fewer restrictions and to allow deeper access to iOS and to the device's hardware, so that security researchers can find bugs they would not normally be able to discover on standard iPhones, where the phone's default security features prevent security tools from "seeing" deeper into the phone.

Apple officially announced the SRD program in December 2019, when it also expanded its bug bounty program to cover more of its operating systems.

Restrictive new rule

The company's official SRD program rules are publicly available, and according to complaints shared on various social media, one regulation in particular angered most security researchers:

"If you report a vulnerability that affects Apple products, Apple will give you a release date (usually the date on which Apple will release the fix). Apple will work in good faith to resolve any vulnerabilities as soon as possible. You cannot discuss vulnerabilities with others before the publication date."

The new regulation lets Apple silence security researchers.

It gives Apple full control over the vulnerability disclosure process by allowing it to set the release date. Until then, security researchers are not allowed to talk or post anything about the vulnerabilities they discover in iOS and on the iPhone through the SRD program.

Many security researchers now fear that Apple will abuse this regulation and significantly delay fixes, since it will no longer have to fear a publication that reveals the vulnerability.

The first to notice this regulation and understand its implications was Ben Hawkes, the head of the Google Project Zero team.

"It appears that we will not be able to use Apple's 'SRD' due to the vulnerability disclosure restrictions, which appear to be specifically designed to exclude Project Zero and other researchers who use the 90-day policy," said Hawkes on Twitter today.

Hawkes's tweet, of course, caught the attention of the infosec community.

On Twitter, security company ZecOps also announced that it would drop the SRD program and continue hacking iPhones the old-fashioned way.

Security researcher Axi0mX told ZDNet that he is also considering not participating.

"Apple requires investigators to wait indefinitely, at Apple's discretion, before they can detect any errors they found in the SRD. There is no deadline."

Alex Stamos, a former Facebook Information Security Director, also criticized Apple's move, which he sees as part of a broader set of decisions the company has taken in recent months against the cyber security and vulnerability research community.

Apple security programs are not doing well

Fears that Apple may abuse the SRD rules to bury significant iOS bugs are considered justified by those involved in Apple's security programs, because Apple has been accused of exactly the same practice in the past.

In a series of tweets posted in April, macOS and iOS developer Jeff Johnson criticized the company for not taking its security program seriously enough.

"I am thinking of leaving the Apple Security Bounty program," said Johnson. "I do not see any evidence that Apple is serious about the program. I have only heard of one payment and the error was not even for a specific Mac. Also, Apple Product Security ignored my last email for weeks.

Apple announced the program in August, did not open it until a few days before Christmas and now has not paid a single security researcher I know. It's funny. I think their goal is just to keep investigators silent about the mistakes for as long as possible," Johnson said.

iGuRu.gr

Written by giorgos
