4 takeaways from Apple’s security blitz
Apple has recently introduced a standalone security research site, significant changes to its bug bounty program and a bevy of security-related updates with iOS 16. But major vulnerabilities are still plaguing the tech giant. Here’s what to know.
Apple’s security team has had a busy few months. The tick-tock cycle of the company touting security features in summer and patching zero-days in autumn continued with the release of iOS 16, only to be followed by a major update to Apple’s bug bounty programs and the introduction of a dedicated Apple Security Research blog meant to provide more insight into the company’s efforts to defend its customers.
This shift began with the introduction of features such as Lockdown Mode, Rapid Security Response, Passkeys and Safety Check, all of which have been praised for improving the security of iPhone users even if they have some drawbacks. Apple has also made significant changes to underlying parts of its operating systems, from iOS and iPadOS to macOS, that most people never see.
Dataflow Security co-founder Luca Todesco simultaneously praised and lamented these changes in a talk at Hexacon 2022. Dataflow has hired former staffers of embattled Israeli spyware company NSO Group and is known for its no-holds-barred approach to offensive security, so its co-founder giving a presentation titled “Life and death of an iOS attacker” was sure to make people take notice of Apple’s efforts.
Todesco spent most of his Oct. 14 talk complimenting Apple’s work to lock down its mobile operating system. “For the first time in 15 years,” he said, “Apple has been doing the right things in terms of actually affecting attackers and not just doing useless mitigations.”
These efforts have made discovering vulnerabilities in iOS, developing reliable exploits for them and using those capabilities significantly more expensive, Todesco said, which is causing the cost of these services to skyrocket. It seemed that hope was all but lost for offensive security research on iOS — and then Todesco demonstrated a live exploit on the fourth developer beta version of iOS 16.1.
Here are four of Apple’s most recent security moves:
Apple Security Research and bug bounty changes
Apple has a reputation for being very tight-lipped about its work to secure its platforms. Researchers have lamented the company’s lack of responsiveness since it launched a bug bounty for iOS in 2016 and the company rarely offers a glimpse at what its security teams are doing. But that is poised to change, starting with the launch of the new Apple Security Research blog on Oct. 27.
The blog debuted with two posts: “Towards the next generation of XNU memory safety: kalloc_type” and “Apple Security Bounty. Upgraded.” The former was described as “the first in a series of technical posts that delves into important memory safety upgrades in XNU, the kernel at the core of iPhone, iPad, and Mac,” while the latter post detailed changes Apple is making to its bug bounty programs.
Those updates include a pledge to respond more quickly to vulnerability disclosures; a new portal to submit reports, track their progress and “communicate securely with Apple engineers” investigating the bug; and further transparency via “detailed Apple Security Bounty information and evaluation criteria.”
As Mac security researcher Csaba Fitzl put it:
Apple also started to accept applications for the 2023 Apple Security Research Device Program that allows select researchers to request access to a modified iPhone better suited to their needs.
“The Security Research Device (SRD) is a specially fused iPhone that allows you to perform iOS security research without having to bypass its security features,” Apple said. “Shell access is available, and you can run any tools, choose your own entitlements, and even customize the kernel. Using the SRD allows you to confidently report all your findings to Apple without the risk of losing access to the inner layers of iOS security.”
It’s easy to start a blog; the trick is keeping it updated. But even with this first pair of posts, Apple has shown that it’s starting to be more open with security researchers than it has been in the past. Now the question is whether or not this newfound transparency will continue and extend to Apple’s other efforts.
Lockdown Mode and Rapid Security Response
Apple touted a variety of security-related updates with iOS 16. The latest version of the company’s mobile operating system introduced Lockdown Mode for iPhone owners concerned about being targeted by spyware, added passkeys to make passwordless authentication more popular and enabled the hassle-free deployment of security updates via Rapid Security Response, among other things.
Those were the changes Apple highlighted with the release of iOS 16 on Sept. 12. With the release of iOS 16.1 on Oct. 24, the focus was on 20 vulnerabilities security researchers had discovered and disclosed in the intervening weeks, one of which Apple said “may have been actively exploited.” (The company then updated that article on Oct. 27 with information about more security flaws addressed in these patches.)
Apple released precious few details about the iOS 16 zero-day. The company identified the vulnerability as CVE-2022–42827, attributed its discovery to an anonymous researcher and said it was a problem in the iOS kernel that affected several models of iPhone and iPad. Other information — such as whether or not earlier versions of iOS and iPadOS were affected by the flaw — wasn’t provided in the support article.
This lack of information can make it difficult to determine the impact of iOS security updates. Consider Lockdown Mode: Apple announced the feature in July to offer “specialized additional protection to users who may be at risk of highly targeted cyberattacks from private companies developing state-sponsored mercenary spyware,” but it wasn’t officially available until iOS 16’s debut in September.
Lockdown Mode gives iPhone users the ability to prioritize security over convenience by disabling some features, such as support for “complex web technologies” in the Safari browser and link previews in iMessage, known to have been targeted by spyware developers. Although the feature’s reception has been mixed, Trail of Bits CEO Dan Guido told README he is excited by what it represents.
“Previously, Apple did not publicly acknowledge iOS’s vulnerability to advanced spyware threats, but with Lockdown Mode they are effectively saying, ‘Yes, iOS can be breached, so here is something you can do to reduce your attack surface if your threat model includes such advanced threats’,” Guido said. “That, combined with their large grant to the Ford Foundation to support iOS security research represents a major admission by Apple that they have a real, persistent issue.”
Apple expanded its bug bounty platform to include a maximum payout of $2 million for “researchers who find Lockdown Mode bypasses and help improve its protections.” Yet the company hasn’t said whether or not the feature would have defended iOS 16 users from attempts to exploit CVE-2022–42827.
The disclosure of this vulnerability called into question another iOS 16 update: Rapid Security Response. Apple said the feature would allow users to “get important security improvements between normal software updates, so you automatically stay up to date and protected against security issues.” But there’s no indication that a Rapid Security Response update was released in response to CVE-2022–42827, an actively exploited zero-day.
Passkeys
Tech companies have been advocating for passwordless authentication mechanisms for years. Passwords simply aren’t effective at securing accounts — people forget them, expose them and keep them so basic that attackers can find ways around them in seconds. Many companies rely on multi-factor authentication (MFA) to mitigate the risks posed by bad password habits.
Passkeys essentially cut out the middleman by using MFA protocols instead of, rather than in addition to, passwords. Apple said it now supports Passkeys “based on FIDO Alliance and W3C standards,” namely the FIDO Alliance’s client to authenticator protocol (CTAP) and the World Wide Web Consortium’s Web Authentication API (WebAuthn), which together form the FIDO2 protocol.
Unlike other implementations of FIDO2, Passkeys are designed to sync across devices using the iCloud storage platform. That approach has some benefits, especially when it comes to convenience and recovery options, but it has also been cause for concern.
SlashID CEO Vincenzo Iozzo examined Passkeys in September and found that “iOS 16 makes it impossible to use device-bound WebAuthn keys, effectively downgrading WebAuthn security on Apple devices to an AppleID reset flow,” and “makes device verification harder and prevents novel applications of WebAuthn such as getting rid of CAPTCHAs.” Iozzo wasn’t the only one to notice:
The problem isn’t necessarily with the Passkey technology itself. FIDO Alliance executive director Andrew Shikiar told README in September that he had no issue with Apple’s implementation of WebAuthn in Passkeys. “You need to have a lower-threshold, user-friendly approach to passwordless authentication,” he said, “and Passkey brings that promise.”
Shikiar wasn’t alone in that assessment — Iozzo told README in an email that he believes “the current implementation of Passkeys in iOS/Mac is a good balance of UX and Security.” Instead, his criticism is that Apple removed the ability to use WebAuthn without relying on iCloud with the release of iOS 16, presumably to avoid confusion between that implementation of the protocol and Passkeys.
“I’d like to see hardware-bound WebAuthn keys make a comeback so that you can have a safer alternative to Passkeys without requiring an external security key like YubiKey,” Iozzo told README. “I would also like to see the reintroduction of key attestation so it is easier to establish key provenance.”
Essentially: People want to have their Passkeys and their hardware-bound WebAuthn too.
Safety Check
Safety Check is a new feature that allows people to manage the information they share with other people via Apple’s platforms. It differs from Lockdown Mode and Passkeys in that it doesn’t introduce entirely new capabilities — iOS has offered various ways of viewing and modifying the settings covered by Safety Check in the past — but instead encourages their use with a streamlined process.
Guido said that Safety Check “can be a highly effective tool for domestic or intimate partner threat situations,” though he noted that it only affects the Apple ecosystem. “It doesn’t cover all the other services that might be sharing one’s data, such as Google, Facebook, etc., so it’s worth exploring additional services that cover those or at least being aware of the limitations,” he said. “It’s useful, but no panacea.”
Safety Check can be accessed via the iPhone’s built-in Settings app. It has two options: Emergency Reset allows users to “immediately reset access for all people and apps,” while Manage Sharing & Access lets them “customize which people and apps can access [their] information.” Apple provided more details about the apps and data that can be managed using Safety Check in a support article.