Why hackers might help FBI and not Apple

SAN FRANCISCO • After a third party went to the Federal Bureau of Investigation (FBI) with claims of being able to unlock an iPhone, many in the security industry said they were not surprised that this party did not go to Apple.

For all the steps Apple has taken to encrypt customers' communications and its rhetoric about customer privacy, security experts said the tech giant was still doing less than many rivals to seal up its systems from hackers. And when hackers do find flaws in Apple's code, they have little incentive to turn them over to the company for fixing.

Google, Microsoft, Facebook, Twitter, Mozilla and many other tech firms all pay outside hackers who turn over bugs in their products and systems. Uber began a new bug bounty programme this month. Google has paid outside hackers more than US$6 million (S$8.3 million) since it announced a bug bounty programme in 2010, and it has just doubled its top reward to US$100,000 for anyone who can break into its Chromebook.

Apple, which has had relatively strong security over the years, has been open about how security is a never-ending cat-and-mouse game and how it is unwilling to engage in a race to pay for code exploits.

The company has yet to give hackers anything more than a gold star. When hackers do turn over serious flaws in its products, they may see their name listed on Apple's website - but that is it. That is a far cry from what hackers can expect if they sell an Apple flaw on the thriving underground market where a growing number of companies and government agencies are willing to pay hackers handsomely.

The disclosure by the US government last Monday that an unknown third party had approached it - and not Apple - to help open a controversial iPhone only highlights how the tech giant approaches bug-hunting efforts and security differently from the rest of the industry.

CLOSED CASE

Apple can embrace security researchers, or try to facilitate programmes that will secure its operating system, but it's never going to be able to compete with what is going on behind the scenes in the black market. It's just not going to happen.

MR JAY KAPLAN, a former NSA analyst and co-founder of Synack, a company that deploys hackers to weed out vulnerabilities in clients' systems, on how no bounty Apple could offer would match the reward it could expect from the underground market.

But security experts, especially those with a stake in such bug programmes, said Apple could now be doing more, especially in this day and age where the conventions of finding bugs and fixing them have changed. Just last week, researchers at Johns Hopkins University uncovered a flaw that would allow attackers to decrypt the contents of photos and videos attached in Apple's iMessage program. The researchers turned that flaw over to Apple for patching.

"Especially with the stakes being as high as they are, if Apple wants to continue to compete in the modern world, they have to modernise their approach," said Ms Katie Moussouris, a policy officer at HackerOne, which companies like Yahoo, Dropbox and now Uber pay to manage their bug bounty programmes.

The identity of the third party that approached the FBI with the possible way to unlock the iPhone - which was used by one of the gunmen of a mass shooting in San Bernardino, California, last year - remains unknown. The emergence of this third party halted, at least temporarily, a contentious case between Apple and the US government over whether the company should weaken the security of its iPhone to help law enforcement.

The Justice Department has declined to name this third party or to describe the proposed method for breaking into the device. The third party may not have approached Apple for many reasons.

In the past, Microsoft's systems were a more frequent target for malicious-minded hackers, largely because of the prevalence of its products. But as Microsoft began to embrace the hacking community, its security improved.

As Apple's desktops and mobile phones have gained more market share, and as customers began to entrust more and more of their personal data to their iPhones, Apple products have become far more valuable marks for criminals and spies.

An Apple spokesman referred to an editorial by Mr Craig Federighi, the company's senior vice-president for software engineering, in which he wrote: "Security is an endless race - one that you can lead but never decisively win. Our team must work tirelessly to stay one step ahead of criminal attackers who seek to pry into personal information. Despite our best efforts, nothing is 100 per cent secure."

Apple has long been less visible in the security community compared with other tech companies. It has shied away from bug bounty programmes and instead relied on large testing programmes and the work of its security team to spot vulnerabilities, partly because it is disinclined to keep up with a financial arms race of paying for bugs, say three former and current staff, who spoke on condition of anonymity.

Apple has said it will fight to know more about the flaw in the software or hardware that the third party has presented to the FBI. A senior executive said in a conference call with reporters last Tuesday that if the government found the method did not work and tried to force Apple to help break into the phone, Apple would have questions about what was tried, in order to keep its products as secure as possible.

If the third-party method does work, the government may dismiss a court order demanding that Apple weaken its security, but keep the process it used to break into the phone under seal. In that case, Apple would have no way of knowing how the government broke into its software or hardware.

Exploits in Apple's code have become increasingly coveted, especially as its mobile devices have become ubiquitous, with an underground ecosystem of brokers and contractors willing to pay top dollar for them.

Flaws in Apple's mobile devices can typically fetch US$1 million. Last September, a boutique firm in Washington, called Zerodium, which sells flaws to governments and corporations, announced a US$1 million bounty for anyone who would turn over an exploit in Apple's iOS 9 mobile operating system - the same operating system used to power the iPhone used by the San Bernardino shooter. By November, Zerodium said a team of undisclosed hackers had successfully claimed the bounty.

Zerodium founder Chaouki Bekrar said his company was not the outside party referred to in the government's court filing on Monday. But Mr Bekrar added that even if Zerodium had helped the FBI, he would not disclose it.

"For every Zerodium, there are a thousand other organisations like Zerodium that are far less vocal about doing what they do and will pay researchers who find this stuff to keep it a secret," said Mr Casey Ellis, founder of BugCrowd, a company in San Francisco that helps vendors manage bug bounty programmes.

The heated battle between the US government and Apple over breaking into the iPhone used by the gunman may have inadvertently catalysed the underground market for Apple code flaws. With the FBI pushing Apple to help unlock the device with a court order and publicising that it has been unable to get into the iPhone, hackers saw a blank cheque for them if they could accomplish it, said Mr Jon Oberheide, the chief technology officer of Duo Security, a cloud security company.

Some security researchers said no bounty Apple could offer now would match the reward it could expect from the underground market. Apple has waited so long that the black market for its flaws has become extremely lucrative, perhaps making any bug bounty programme the company would create seem late to the game.

"Apple can embrace security researchers, or try to facilitate programmes that will secure its operating system, but it's never going to be able to compete with what is going on behind the scenes in the black market," said Mr Jay Kaplan, a former National Security Agency analyst and co-founder of Synack, a company that deploys hackers to weed out vulnerabilities in clients' systems. "It's just not going to happen."

NEW YORK TIMES

A version of this article appeared in the print edition of The Sunday Times on March 27, 2016, with the headline 'Why hackers might help FBI and not Apple'. Print Edition | Subscribe