Monday, 10 July 2017

The iOS vulnerability scanning program has failed: hackers do not report Apple's error

In an interview with Motherboard, researchers invited to take part in Apple's iOS bug bounty program explained that the operating system's vulnerabilities are too valuable to hand over to the company. Hackers do not share bugs with Apple because the same information is worth more on the gray market.

"People can earn more if they sell the vulnerabilities they find elsewhere," said Nikias Bassen, an information security specialist at Zimperium, who joined Apple's bug bounty program last year. "If you're doing this just for the money, you won't report the vulnerability to Apple."

Of every ten young specialists, hardly one has sent a report to Apple.
Announced at the Black Hat 2016 conference, the iOS bug bounty program aims to identify zero-day vulnerabilities and improve platform security.

The maximum payout under Apple's bounty program is $200,000, and the company has limited the scope of what hackers may target. Vulnerabilities are sought in five specific categories, the highest-priority of which is boot protection (secure boot firmware). The goal is to rule out any possibility of running unauthorized code at the moment an iOS device is powered on.

Other payouts are less generous. For example, for unauthorized access to iCloud account data on Apple's servers the company pays $50,000, and for access to user data, $25,000.

Private companies such as Zerodium are willing to pay hackers more than $1.5 million for a chain of vulnerabilities that allows jailbreaking an iPhone. Other companies accept reports of "holes" in iOS for $500,000, although the price depends on the value of the bug. These companies claim they operate within the law and sell vulnerability information to companies that want to protect their systems, or to law enforcement agencies.

Hackers also refuse to inform Apple about vulnerabilities because doing so threatens their own research. Apple takes iOS security very seriously, which makes vulnerabilities hard to find. Handing Apple information about a security flaw guarantees that it will soon be fixed, which is clearly not in the hackers' interest.

Security researchers invited by Apple asked the company to provide special developer iPhones, stripped of certain restrictions present on retail models. Such devices would let hackers report bugs to Apple and dig deeper into iOS. Apple declined to provide them.

Today many large companies run bug bounty programs, including Facebook, Google, Microsoft and Yahoo. Microsoft launched its initiative four years ago and has already paid hackers a total of $1.5 million. The company also offers high rewards for finding certain types of vulnerabilities; its two largest payouts were $100,000 each.
