Google researcher urges Apple to change iOS security culture

Posted 09 August 2018 23:26 CET by Jan Willem Aldershoff

Apple should better secure iOS, because victims of targeted attacks are increasingly iPhone users, according to Google security researcher Ian Beer in a presentation at the Black Hat conference currently being held in Las Vegas. In the last couple of years, Beer has reported more than 30 iOS vulnerabilities to Apple.

The researcher criticizes Apple for patching iOS vulnerabilities without understanding the root causes and mitigating against those. Beer said each bug needs to be a lesson where a security lead needs to ask: “Why is this bug here? How is it being used? How did we miss it earlier? What process problems need to be addressed, so we could’ve found it earlier? Who had access to this code and reviewed it and why, for whatever reason, didn’t they report it?”

Two years ago, Apple started a bug bounty program for a select group of security researchers who would receive a reward for reporting vulnerabilities in Apple products. Beer, who is not amongst that select group of researchers, states on Twitter that his bug reports to Apple are worth $2.45 million. He calls for Tim Cook to donate the bounty to Amnesty International, because the non-profit organization recently became the victim of a targeted attack. The company that provided the infrastructure used in that attack was also responsible for a zero-day attack on iPhone users in 2016.

Beer therefore urges Apple to better secure iOS, as an increasing number of victims of targeted attacks are iPhone users. “Targeted exploitation is more widespread than you think,” according to the researcher. “The time of isolated security fixes is over,” he said in concluding his presentation at Black Hat, “and the goal is understanding root causes and mitigating against those.”

