
Published on September 2nd, 2019

Apple Beefs Up Its Bug Bounty Program With $1M Prize



Apple's macOS is inherently more secure than Windows or Android, but securing any operating system is a 24/7 operation, and at Black Hat, Ivan Krstic, Apple's Head of Security Engineering and Architecture, detailed three highly technical security accomplishments and added his own One More Thing.

Tighter and Tighter Security

Most Black Hat attendees have coding skills ranging from strong to insane, and they needed those skills to follow Krstic's detailed rundown of Apple's work. Don't worry, I won't attempt to report at the deep code level.

"We've been investing heavily in Mac secure boot," said Krstic. "Gatekeeper, user privacy protection, these are features we premiered in Mojave, and more in Catalina. There are malware checks in nearly every execution path. Catalina adds many more categories of protected data."

The team's plan for Mac secure boot required having the T2 security chip take the initiative before passing control to the standard UEFI secure boot. Other innovations prevent subversion of secure boot by such things as boot-time ROM drivers.

Krstic then went for a deep dive into enhancements in code integrity protection for iOS devices. Suffice it to say that iOS 13 will be significantly more secure than its predecessor.

The "Find My" system that lets you track down a lost Apple device can't do much if your device is offline. Or can it? Apple's new enhancement to this feature lets it get help from nearby Apple devices using Bluetooth. I can't say I understood all the cryptographic details, but it somehow does so without letting Apple, your device, or the nearby "finder" device know anything they shouldn't. Or so Apple says.

New Bug Bounty Plan

Apple's security bounty program was introduced in 2016, with a $200,000 pot, and Apple has since received "over 50 useful reports," according to Krstic.

Apple's program will be "open to all starting this fall," Krstic announced, to a round of applause. "We're expanding it to add tvOS, iPadOS, watchOS… and macOS"—which got even more applause.

He went on to detail numerous new categories and their bounties, which range from $100,000 to a maximum of $500,000. In addition, bug hunters who succeed during a product's pre-release period get a 50 percent bonus, "because the best time to catch a bug is before it's released."

That's not all. "What about a zero-click iOS full chain with kernel code execution and persistence?" Krstic asked. In simple terms, that would be an attack that could totally pwn your iPhone, and that rare unicorn of an exploit is worth a cool million.

We all understand the allure of a million dollars, but Krstic's final announcement was equally intriguing to the Black Hat audience.

"It's too hard to get started in iOS research," noted Krstic. "Many skilled researchers stick to other platforms." So next year, Apple will open an iOS Security Research Device program. Access will be by invite-only, but Apple will take applications from anyone with security expertise.

Those accepted will receive a special developer-centered iPhone pre-loaded with essential tools.
