Black Hat 2019: Apple’s $1 million prize, new vulnerabilities revealed, and a keynote to remember
The 22nd annual Black Hat USA conference was held this week in Las Vegas. Black Hat is one of the most important events in cybersecurity, bringing together researchers, developers, and hackers from all over the world for a week of training sessions and briefings. As such, it’s often the stage for major announcements affecting security professionals as well as the general public.
This year’s Black Hat did not disappoint, and featured significant new developments that will interest both macOS and iOS users.
Read on for our roundup of Black Hat 2019…
The macOS bug bounty
As rumored earlier this week, Apple announced a long-awaited bug bounty program—a system of financial rewards for security researchers who find exploitable flaws in code—for macOS. Apple’s head of Security Engineering and Architecture, Ivan Krstić, delivered the news in a Thursday session.
Listeners of the Checklist podcast will recall the controversy that arose earlier this year when a young security researcher discovered a serious vulnerability in Keychain—and delayed submitting the details to Apple to draw attention to their lack of a macOS bounty program.
From the perspective of many a third-party security researcher, this is a welcome (albeit overdue) move from Apple.
Bigger prizes, iPhones for hackers, and more
Krstić also announced some other key changes to the way Apple will relate to the security community going forward.
For one thing, the payouts for the company’s existing bug bounty program will be increased considerably. In the past, Apple had come under fire for what many perceived to be the relatively paltry sums the tech giant was willing to pay for exploits (especially compared to Microsoft, Google, or even the black market). In the future, Apple will pay security researchers who come forward with their discoveries as much as $1 million for the most serious types of vulnerabilities.
Another important change is that starting this fall, the bug bounty program will be open to all security researchers. Previously, Apple’s iOS bug hunting program had been invite-only. By widening the field a bit, and making security research a little more democratic, Apple hopes to improve security for its users in the face of increasingly common attacks directed at their platforms.
The third big piece of news from Apple was that the company will soon begin offering “dev device” iPhones—developer-friendly versions of the mobile devices that allow security professionals a closer look at the operating system in order to perform in-depth research and testing. While this initiative will not be as “open to all” as the bug bounty program, it will definitely help to increase the number of researchers and developers working to make iOS as secure as possible.
Underscoring the need to engage with the security community more seriously were a pair of briefings which revealed significant issues related to Apple products.
Google Project Zero’s Natalie Silvanovich disclosed several vulnerabilities in iMessage which could potentially allow a malicious actor to access files or even execute code on a target’s device. Apple has released patches, so it’s probably a good time to update your device if you haven’t done so in a while!
Joshua Maddux gave a talk which highlighted the difficulties of building software that “plays well” with other applications, showing how Apple Pay could be integrated into some websites in such a way as to make them vulnerable to attack. Less a flaw in Apple’s own engineering than in the way its products are sometimes (poorly) implemented by third parties, it nevertheless shows how difficult it is to anticipate every contingency and account for all variables—and why it is so important to have as much help as possible in the fight for cybersecurity.
Note from the keynote
Also worth mentioning was the conference keynote by Dino Dai Zovi, the head of mobile security for Square (as well as an expert on Mac security).
Dino’s talk covered a lot of ground, but one theme that really hit home for us was his emphasis on changing the culture of cybersecurity to one of positivity, engagement, and open communication as the best way to serve the security needs of organizations.
That’s definitely something we at SecureMac can get behind!