Apple launched the Security Research Device (SRD) program, enabling security researchers to examine the security features of a specially-built hardware variant of the iPhone 14 Pro.
Apple Security Bounty is also available for security flaws discovered using a Security Research Device, with a maximum reward of $500,000.
“From today through October 31, we invite security researchers to apply for the 2024 iPhone Security Research Device Program (SRDP) to jump-start their iPhone research, work with our security teams to help protect users, and qualify for Apple Security Bounty rewards”, Apple announced.
According to Apple, SRDP researchers have found 130 high-impact, security-critical flaws in the previous four years, and their findings have helped Apple put new defenses in place to safeguard its platforms.
How Does It Work?
Researchers can do iOS security research using the Security Research Device (SRD), a specially fused iPhone, without bypassing its security measures.
Shell access is provided, so you can run any tools, select your entitlements, and even modify the kernel.
Notably, by using the SRD, you can confidently inform Apple of every discovery without having to worry about losing access to iOS security’s innermost levels.
Additionally, any vulnerabilities you find using the SRD are automatically taken into account for the Apple Security Bounty.
“The central feature of SRDP is the Security Research Device — a specially-built hardware variant of iPhone 14 Pro that’s designed exclusively for security research, with tooling and options that allow researchers to configure or disable many advanced security protections of iOS that cannot be disabled on normal iPhone hardware in the hands of users”, Apple explains.
Highlights of Security Research Device (SRD)
- Install and boot custom kernel caches.
- Run arbitrary code with any entitlements, including as platform and as root outside the sandbox.
- Set NVRAM variables.
- Install and boot custom firmware for Secure Page Table Monitor (SPTM) and Trusted Execution Monitor (TXM), new in iOS 17.
The SRD is intended for use only in security research in a controlled environment. If your application is accepted, the company will provide an SRD as a renewable 12-month loan. The device remains Apple’s property throughout this period.
Who Is Eligible for the SRD?
- Have a track record of success in discovering security flaws on Apple platforms or other current operating systems and platforms.
- Be a resident of an acceptable nation or area.
- Be at least 18 years old, which is generally considered to be the legal age of majority in the country where you currently reside.
- Not be working for Apple at present, and not have worked for Apple during the past 12 months.
“We’re also making SRDs available to select educators at the university level who would like to use it as a teaching tool to introduce computer science students to security research. Educators can request to authorize multiple users for use in their classroom or lab”, Apple said.
The final day to submit an online application is October 31, 2023. By year’s end, the company will review all entries, and in early 2024 it will contact the chosen participants.
Source: https://cybersecuritynews.com/apple-opens-security-research-device-program/