Apple pays $75,000 to hacker for discovery of exploits to hijack iPhone camera
Apple awarded $75,000 to a hacker who discovered exploits
that allowed him to hijack the cameras of iPhones and Macs.
Security researcher and former Amazon Web Services security
engineer Ryan Pickren disclosed at least seven zero-day vulnerabilities in
Safari to Apple, according to Forbes. Three of these vulnerabilities may be
used to hijack the cameras of iOS and macOS devices.
The exploit required the victim to visit a malicious website, which could then turn on the device's camera if the user had previously granted camera access to a video conferencing service such as Zoom; the malicious page abused that existing trust rather than prompting for permission itself.
“A bug like this shows why users should never feel totally
confident that their camera is secure,” Pickren told Forbes, “regardless of
operating system or manufacturer.”
Pickren reported his findings to Apple in mid-December 2019. Apple validated all seven vulnerabilities and, after a few weeks, shipped a fix for the iOS and macOS camera exploit. Pickren was then paid $75,000, which he said was his first bounty payment from the company.
Security researcher Sean Wright told Forbes that the exploit Pickren discovered, even though it required the victim to visit a malicious website, was "a very viable form of attack." Wright added that, compared with the attention paid to webcams on computers, there has been little focus on the cameras and microphones of mobile phones, which he said are "a far more likely route" for attackers who want to eavesdrop on their targets.
Bug bounties
Bug bounty programs pay security researchers to report vulnerabilities to the vendor, so that the flaws are fixed before they can be exploited by malicious hackers.
Apple, which launched its bug bounty program in 2016, revised it in August 2019, adding a $1 million reward for a "zero-click full chain kernel execution attack with persistence." In December 2019 the program was opened to submissions for macOS bugs, which it had not previously accepted.
Apple rival Google also pays well through its bug bounty program, offering up to $1.5 million for a "full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices." In 2019 Google paid a total of $6.5 million in bug bounties, bringing the program's total to $21 million since its launch in 2010.