Apple’s Hackable iPhones Are Finally Here

Last August, Apple announced that it would distribute special iPhones to elite security researchers. The idea was to offer a device that had fewer constraints, allowing researchers to home in on security vulnerabilities more easily without first having to work around standard iOS defenses. Starting today, you can apply to get your hands on one.

Apple is opening its security research device program to analysts with an established track record of finding iOS bugs, as well as those with expertise in other platforms who want to start on iOS. The company will loan the devices for a year with the possibility to renew, and participants will also gain access to new security forums focused on the devices. If researchers “find, test, validate, verify, or confirm” a vulnerability using one of the special iPhones they must report it to Apple—and any relevant third parties—under the terms of the loan agreement.

Historically, relationships between Apple and the security have been strained, in part because Cupertino has offered so little visibility into iOS. The new research phones serve as something of an olive branch, with the added benefit of helping shore up iPhone security. Outside professionals can investigate iOS from different angles, helping find problems that may arise after an attacker bypasses iOS defenses.

Security researchers have until now had to resort to jailbreaks and third-party iOS emulators to gain that deeper insight. But Apple has aggressively attempted to swat down those efforts. The company sued the mobile development and security firm Corellium last year for making an iOS emulator. And Apple argues that jailbreaks, which are achieved by exploiting hardware or software vulnerabilities, result in imperfect research due to inherent differences from unadulterated iOS. Plus, most jailbreaks only work on outdated hardware and old versions of the firmware, Apple argues, because the vulnerabilities used to achieve jailbreaks get patched.

iOS-focused security researchers told WIRED on Wednesday that the new devices will be useful in many ways. They’ll essentially grant unlimited permissions within the operating system so researchers can run code without iOS’s typical limitations and analyze how other programs function. This will help researchers spot vulnerabilities, but will also make it much easier for them to analyze how Apple’s own software and third-party apps behave and manage data, whether that’s assessing a prominent app like TikTok or possible spyware like ToTok.

“Security researchers have already proved to be rather successful at uncovering flaws in both iOS proper and security and privacy issues in third-party apps,” says Patrick Wardle, an Apple security researcher at the enterprise management firm Jamf. “Armed with these new devices they are likely only going to find more. Being able to audit and analyze third-party apps more easily on modern devices running the latest version of iOS would be lovely. It’s ultimately a big win for Apple’s users and Apple itself.”

Wardle and others point out, though, that this level of openness and insight may not extend beyond the user-facing parts of the operating system. That would mean the special devices wouldn’t help researchers analyze iOS’s core “kernel,” its boot-up procedures, the firmware that coordinates hardware and software, or hardware itself, like Apple’s custom T2 security chip.

“Apple appears to only give researcher devices unrestricted access to a portion of iOS,” says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. “It’s a good start for vulnerabilities in user-facing apps and services, which can be easily fixed in an iOS update. But they appear to intentionally not allow poking at lower level security mechanisms, which may be more difficult to fix.”

Apple says that it carefully designed the research devices to behave like consumer products and give researchers as much insight as possible without inadvertently creating exposure or risk for the hundreds of millions of iOS devices deployed around the world. For example, the security research devices are not the same as Apple’s own internal development prototypes, known as “dev-fused” iPhones, which are much more flexible and open than consumer iPhones and leave many iOS security features disabled. Still, the new security research devices are loaners for a reason, and will presumably be carefully tracked and controlled by Apple.


Author: showrunner