Security researchers now eligible for bug-hunting iPhones

iPhone X with notch

Apple has revealed it will distribute bespoke iPhones to select security researchers designed to help make it easier for them to find bugs and vulnerabilities.

The special devices will come with a root shell which allows researchers to access a deeper depth of the iPhone, previously made inaccessible, and run commands with the highest possible privileges to scan for issues, the company revealed at Black Hat.

"We want to attract some of the exceptional researchers who have thus far been focusing their time on other platforms. Today many of them tell us they look at our platform and they want to do research but the bar is just too high," said Ivan Krsti, head of security engineering and architecture at Apple, as reported by Wired.

The phone will also come with advanced debug capabilities and secure shell (SSH) to make it easier for bug hunters to search the phone for flaws. The phones will only be given to researchers with a stellar research track record on any platform, not just Apple's, and they'll start rolling out next year.

Alongside the announcement, Apple also said its bug bounty program will be expanded in terms of both the bugs it will pay out for, and how much you can get for successfully finding a flaw.

The maximum potential reward is now set at $1 million, up from $100,000, and will now cover bugs found across iOS, macOS, tvOS, watchOS and iCloud, rather than just iOS.

Researchers can earn an additional 50% bonus on top of their original reward if they discover a bug while the code is still in beta, for a potential total payout of $1.5 million.

"The second-best reason to have a bug bounty is to find out about a vulnerability that's already in the users' hands and fix it quickly," said Krsti. "The number one best reason is to find a vulnerability before it ever hits a customer's hands."

The announcements will surely come as welcome news to researchers who, in the past, have been open about withholding discovered vulnerabilities from Apple, specifically with macOS, until they open a more comprehensive bug bounty programme.

Apple's iPhones have been the subject of a few security incidents this year. In January, an individual discovered a bug in Apple's FaceTime feature which would allow anyone to gain access to a user's camera.

Most recently, Google disclosed a slew of vulnerabilities in iMessage which allowed an attacker to execute code on a device by sending a malformed message.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.