Let’s talk about “bug bounties.” They’re an important security tool in the arsenal of many tech companies.
Here’s how they work: invite ethical hackers to probe your systems for weaknesses, pay them for the vulnerabilities they find (usually along with an “exploit,” a working demonstration of how the weakness could be abused), and fix those vulnerabilities before ne’er-do-wells can find and use them.
Bounty programs vary from company to company in terms of how they’re run, how generous their bounty price lists are and how much they annoy the hackers they recruit. Reed Albergotti is a tech reporter for The Washington Post. He wrote about widespread dissatisfaction with how Apple pays its bounties and the ways it limits communication about the bugs hackers find — all problems that may hurt security for Apple users. One of the researchers he talked to is Cedric Owens. The following is an edited transcript of our conversation.
Reed Albergotti: He stumbled upon this flaw in Apple’s software. It’s actually on Macs, where it allows a person to install malicious software on a Mac computer and circumvent Apple’s protections for that. And he said that when he looked at the price list, he should have gotten somewhere around $100,000 for finding this vulnerability. And what he actually got was $5,000. This was a vulnerability that was actually written about a lot. I mean, it was covered on security blogs. So to get $5,000 for that, he felt like he had really kind of been ripped off or shortchanged.
Jed Kim: Well, what does Apple say about all of this?
Albergotti: I got a statement from Apple’s head of security, Ivan Krstić, and he said that this has actually been a runaway success and that they pay higher dollar figures per bug than any other company. But in the statement, he did acknowledge that there are some things they need to improve. I think for Apple that says a lot. It’s a company that doesn’t often like to admit that it’s made mistakes. And so I think there is an acknowledgement, sort of between the lines in the statement, that shows Apple knows they need to improve in this area.
Kim: Apple has a reputation for being closed off when it comes to culture, and it even makes its products hard to modify. How much does that play into what’s going on with this program?
Albergotti: Well, to me, the central theme here is that you take a company that has made secrecy so much a part of its culture and its business, and that’s for good reason, right? Apple wants people to be surprised and delighted when they reveal these new products at their annual events. But bug bounty programs are the opposite of secretive. This is a company’s chance to kind of open up and allow these researchers to be a part of their process, and it involves a lot of outreach. And that’s just not something Apple does. It’s not a muscle that they use very often.
Kim: It seems kind of not smart to be welcoming hackers to find holes in your defenses, and then kind of stiff them. Like, what’s the risk there?
Albergotti: Yeah. I mean, the risk there is that, you know, unlike with other companies, there is a thriving market for software bugs in Apple, especially iOS and iPhones. So if you want to sell a bug, or really the top exploit, Apple will pay you a million dollars for the worst kind of exploit, which is one of these ones where you hack into someone’s phone remotely, and they don’t even have to do anything. They don’t have to click on anything or even know that you’ve ever done it. That is a remote zero-click exploit. Apple will pay you a million dollars to turn one of those in, and a company called Zerodium, which sells exploits to government agencies (in North America and Europe, they say), will pay you $2 million for that. So it’s double. So I think part of bug bounties is companies do not pay more than these things are worth, but they appeal to the ethics of hackers. And I think that there are a lot of hackers, I’ve talked to a lot of them, who do feel a sense of responsibility. They do want to see the software that they use and other people use become more secure because they see that as protecting people; it’s a public good. So they are willing to take less money. But if they’re not treated well, I mean, they might sell it on the black market. And the other possibility, and this is probably the bigger possibility even for ethical hackers, is that they just won’t tell Apple, and instead, they’ll just explain the bug and put it on their blog or tweet about it and get a lot of credit and attention, or maybe present it at a conference. That is embarrassing to Apple, and it also means that Apple has to really scramble to try to fix the bug. Because immediately when people do this, hackers around the world will then try to exploit it before customers have patched their software.
Kim: I may or may not have an iPhone. What are the risks to me?
Albergotti: I think iPhones are generally pretty secure. We don’t exactly know how secure. It’s hard to know if iPhones are more or less secure than, say, Android phones from companies like Samsung or Google. But they are generally pretty secure. However, if somebody wants to hack into your phone, and they have a huge amount of resources, for instance, a government agency, it is almost easy to do. Because they can buy software or create software on their own that can remotely break into your phone, get access to all your files, access your camera, access your microphone without you having to even do anything, and you will never know about it. The good news is governments typically don’t use that willy-nilly because first of all, they have to pay for it. And second of all, the more they use it, the more chance there is that those types of attacks will be discovered and will be closed off.
Kim: This culture of control is not limited to bug bounties. I mean, Apple exerted a lot of control over its app store and in-app purchases. And it got sued and partially lost. Could this latest ruling be a wake-up call?
Albergotti: Well, it’s interesting to sort of look at this in the antitrust context. Certainly what was on trial there is Apple’s control over its own ecosystem. But, while the judge in that case did find that Apple was sort of using anti-competitive behavior illegally, at least in violation of California state law, she also kind of gave a stamp of approval for Apple’s ability to have these strict rules and have control over its own app store. And so we’ll see what happens. I mean, this case will definitely be appealed, probably by both sides, and could go as high as the Supreme Court. So we’ll see what happens in terms of, like, if that’s the final ruling. And you know, the other sort of X-factor there is what are lawmakers going to do? There’s a lot of lawmakers who are working now to try to get legislation passed that would either force companies like Apple to open up more or strengthen antitrust laws. Of course, who knows if people in Congress will get anything done at all?
Related links: More insight from Jed Kim
Apple told us a lot of what it told Albergotti: that it considers the program a success, but that it is working on improvements, including more rewards.
In a statement, Apple’s head of security engineering, Ivan Krstić, said the company had the world’s first $1 million bounty when the program publicly launched in 2019. “Since then, Apple Security Bounty has grown the total rewards paid to researchers far faster than any other program in the industry’s history. We’ve already paid out millions of dollars this year, and issued nearly double the number of researcher rewards compared to all of 2020, all while leading the industry in average payouts,” he said. “We are working hard to scale the program during its dramatic growth, and we will continue to offer top rewards to security researchers working with us side by side to protect our users and their data on more than a billion Apple devices around the world.”
You should, of course, check out Albergotti’s great piece about Apple’s bug bounty program in The Washington Post.
If you’d like to hear about ethical hacking from the hacker’s point of view, listen to an interview our host, Molly Wood, did with Jesse Kinser last year. Kinser probes the security of mostly health-related platforms. At the time, she said demand for services like hers was higher due to COVID-19 and the attendant ramp-up of online activity.
Apple’s vulnerability to hacks was recently highlighted by the revelation of the Pegasus spyware attacks. The government of Bahrain was allegedly among those that used the spyware to gain access to the phones of human rights activists, journalists and others. The iPhone vulnerability was in the iMessage app, and it allowed zero-click access to phones: the target did not have to open a message or tap anything, so anyone the exploit’s operators took an interest in could be compromised at any time without noticing. Wired points out that the inability to uninstall iMessage makes this especially bad, although it does say that these kinds of attacks are extremely rare. By the way, we’ve also included a link to a toolkit that may help you figure out if you’ve been targeted.
And finally, maybe all of this angst over security has you looking at your smartphone with suspicion. Maybe you’d like to get rid of it entirely, but the games — how can you live without the games? Well, go old school.
The New York Times has an article about the auction of arcade machines from the Museum of Pinball. The museum, sadly, couldn’t keep ahead of costs, largely because of COVID-19. And it was too expensive to move, so more than 1,700 arcade and pinball machines went on the block. I saw there was a Ms. Pac-Man up for auction. I was so tempted to bid, but I didn’t because I couldn’t figure out if it was the sped-up version. It’s the only way to play.