The Google Security team has boycotted Apple's security plan

Due to Apple's restrictive vulnerability disclosure rules, Google's bug research group (Project Zero) has announced that it plans to skip Apple's new Security Research Device (SRD) program.

The list also includes well-known names in iPhone vulnerability research: Will Strafach, the security firm ZecOps, and the vulnerability research team (Axi0mX).

Through the program, Apple has promised to provide security researchers with modified iPhone devices. These devices are less restricted and give deeper access to the device and the operating system (iOS), so that security researchers can search for bugs.

Apple officially announced the SRD plan in December 2019. The official terms of the SRD plan are published on the Apple website.

According to complaints on social media platforms, there is a special clause that has angered most security researchers.

The program's terms state that if you report a security vulnerability affecting Apple products, Apple will give you a release date (the date on which Apple releases the update that resolves the issue), that Apple will address the vulnerability as soon as possible, and that you cannot discuss the vulnerability with anyone before the release date.

With this clause, Apple can silence security researchers and has full control over the vulnerability disclosure process.

The program lets the iPhone maker set the release date, which prevents security researchers from speaking or posting information about vulnerabilities in iOS until then.

Many researchers fear that Apple will misuse this clause by pushing back the release date to delay important fixes and security updates, while other researchers fear that Apple will even use it to prevent them from publishing their work.

Ben Hawkes, the leader of the Project Zero team, was the first to notice this clause and understand its implications.

"It seems that we cannot use the new Apple security software," Hawkes said on his official Twitter account. "Because of the vulnerabilities, these restrictions appear to be specifically designed to exclude Project Zero and any other researchers who use a 90-day strategy."

Hawkes' tweets received widespread attention in the information security community, and other security researchers quickly followed the Google team's decision. Strafach said that he will not join the plan for the same reason.

ZecOps has announced that it will skip the SRD program and continue to hack the iPhone the old way, and the security research team (Axi0mX) said they are considering not participating.

Alex Stamos, former head of information security at Facebook, also criticized Apple's move.

This step is part of a larger series of decisions the company has taken in recent months regarding the cybersecurity community and vulnerability research.

There is concern that Apple may use the SRD to bury serious iOS bugs. For those who follow Apple's security programs, this concern is well founded.

Apple has been accused of the same approach before: macOS and iOS developer Jeff Johnson attacked the company in a series of tweets released in April for failing to take its security work seriously enough.
