Creator Of iCloud Hacker Tool: I Would Have Warned Apple If It Properly Rewarded Researchers


Apple might have avoided embarrassment this week over the egregious iCloud-hack-naked-celeb-gate if it had adopted a more open approach to security in the past.

For instance, it could have started a formal programme to incentivise researchers to disclose bugs to the consumer tech behemoth. Such bug bounty programmes are incredibly simple: tech manufacturers pay those who responsibly hand over information on vulnerabilities. The vendors then fix those flaws and subsequently make their technology more secure for their customers. Twitter launched one just yesterday, joining the likes of Google, Facebook, Microsoft and Yahoo in offering a bug bounty.

Despite the simplicity and clear benefits of such an initiative, Apple has decided to ignore calls for it to establish one. Yet ethical hackers looking to make a name for themselves would probably be far more willing to responsibly disclose vulnerabilities if money was on the table. Indeed, the problems concomitant with a lack of end-to-end two-factor authentication in iCloud might have been pointed out to the iPhone maker more clearly before this week's debacle.

But here's the crucial point: the researcher who publicly detailed an apparent brute force flaw in iCloud over the weekend, Alexey Troshichev, said he would have told Apple about that vulnerability if it had implemented a bug bounty project. The Russian told me he would have done so instead of posting the information on Github, a public code repository, which likely helped hackers successfully compromise iCloud accounts. In short, a bug bounty might have saved Apple a lot of pain.

According to Troshichev, Apple did eventually patch the flaw, which allowed unlimited username and password guesses against the Find My iPhone software, but it appears the security hole was open long enough for hackers to cause trouble. Some suspected Troshichev’s iBrute tool was used by those responsible for the celebrity leaks, alongside other hacking tools such as Elcomsoft’s Phone Password Breaker and John the Ripper. But Apple, in its infinite opacity, has neither confirmed nor denied such claims, simply saying there was no breach of its iCloud or Find My iPhone systems and that the photo leaks were the result of "a very targeted attack on user names, passwords and security questions", which didn't rule out the use of brute forcing or subsequent account compromises.
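The control whose absence the article describes (an endpoint that evaluated every guess) is an attempt throttle with lockout. The following is an added Python example, not code from the article, Apple or iBrute; the thresholds, the `LoginThrottle` class and the `evaluated_guesses` helper are assumptions, and the replayed login events are constructed.

```python
from collections import defaultdict, deque

# Assumed policy values; a real service would tune these and also key on source IP.
MAX_FAILURES = 5        # failed guesses tolerated per account within the window
WINDOW_SECONDS = 300    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # lockout once the threshold is crossed

class LoginThrottle:
    """Per-account failed-attempt counter with lockout (in-memory; hypothetical)."""
    def __init__(self):
        self.failures = defaultdict(deque)  # username -> timestamps of failures
        self.locked_until = {}              # username -> epoch seconds

    def _prune(self, user, now):
        q = self.failures[user]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def allow(self, user, now):
        """True if a credential check for `user` may run at time `now`."""
        if self.locked_until.get(user, 0) > now:
            return False
        self._prune(user, now)
        return len(self.failures[user]) < MAX_FAILURES

    def record(self, user, now, success):
        """Update state after the check; lock the account when the threshold is hit."""
        if success:
            self.failures[user].clear()
            self.locked_until.pop(user, None)
            return
        self._prune(user, now)
        self.failures[user].append(now)
        if len(self.failures[user]) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS

def evaluated_guesses(attempts, throttled=True):
    """Replay (user, time, correct) events and return how many guesses the
    server actually evaluated. throttled=False models the unthrottled endpoint."""
    t, evaluated = LoginThrottle(), 0
    for user, now, correct in attempts:
        if throttled and not t.allow(user, now):
            continue
        evaluated += 1
        t.record(user, now, correct)
    return evaluated

# Constructed input: 20 wrong guesses one second apart, then the right one.
CONSTRUCTED_ATTEMPTS = [("victim", s, False) for s in range(20)] + [("victim", 20, True)]
```

Replaying the constructed events, the unthrottled model evaluates all 21 guesses while the throttled one stops after 5, and a successful login clears the account's failure history.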

"I think the time to set bug bounty up was a year ago," Troshichev said, noting he'd tested his tool once on his own account, just to know it worked. He has been quoted elsewhere expressing his dismay at the apparent use of his tool for exposing pictures of naked celebrities.

It might not be wise to adopt a bug bounty program too quickly, however. Security researcher Andreas Lindh told me over email that Apple needs to get a grip on wider security issues before it launches a rewards initiative. “I think Apple is lagging way behind on security in general… Apple has invested a lot of efforts in making iOS secure, but all the things around it (like iCloud) are nowhere near that standard,” he said.

“As for a bug bounty, I think Apple needs to make the same kind of company-wide realization that security needs to be built-in, like Microsoft has done, before doing a bug bounty. If you start with a bug bounty, chances are you'll settle with that and that would just be treating the symptoms, not the root causes.”

Katie Moussouris, chief policy officer at HackerOne, the vulnerability disclosure platform that Twitter is using, said much the same: that Apple has to get security right before it can launch a bounty programme. “Every organization, Apple included, should continue investing first in building security into their products from the ground up, then work on getting their vulnerability coordination program running smoothly, before considering whether or not a bug bounty is right for them and their customers.

“Big companies like Apple that have a broad product portfolio that includes hardware, software, and services need to wade into the bug bounty arena more carefully than companies with only a few supported products or organizations with only online services. Scoping and structuring these programs can be complex.”

However Apple chooses to react, events over the past week have made it all too apparent that its products are far from hacker-proof. It needs to improve. Fast.
