Apple Bug Bounty Program and Teenage Hackers

Innovation and Technology
7 min read · Mar 1, 2019

Apple said in a press statement that it will pay the teenager who first discovered the bug in FaceTime group chat. The bug made it possible to listen in on someone before they picked up your call. 14-year-old Grant Thompson discovered the bug two weeks ago while setting up a group chat for his friends to play Fortnite together. His mother, Michele Thompson, then tried to contact the phone manufacturer through phone calls and emails but wasn’t successful. The company contacted her about the issue only later, after it had gone viral and Apple had been forced to take down Group FaceTime.

Apple has fixed the bug by releasing the iOS 12.1.4 security update. The release credits the teenager together with someone else named Daven Morris from Arlington, Texas. In a report by Reuters, Apple is said to be planning to reward Grant Thompson and also include additional gifts geared towards his education.

The details have not yet been made public, but Apple does offer generous cash rewards of up to $200,000 as part of the bug bounty program. The program was launched by Apple in 2016 and started by inviting a couple of security researchers to participate in it. The first person to jailbreak the iPhone was yet another teenager, Luca Todesco. It took him less than 24 hours to jailbreak a new iPhone 7 by exploiting bugs. It was also the same year (2016) that Facebook rewarded a 10-year-old Finnish boy for finding a way to permanently delete users’ comments from Instagram servers.

The Rise of Teenage Hackers

One wrong turn on the internet can lead you into muddy waters. Teenage hackers have been known to cause havoc on the internet, with some causing millions of dollars in damages. In most cases, money is not always the issue. They just want to prove a point, as you’d expect of rebellious teenagers.

When the iPhone 7 was launched, Apple touted it as the “most advanced iPhone ever.” Everything from the design to the security was meant to be perfect. However, it did not take more than 24 hours for Luca Todesco to jailbreak the new iPhone 7, which came with a new iOS. Todesco has a reputation for finding bugs in the iOS ecosystem. He admitted that he had a hard time with the iPhone 7 security system but was still able to jailbreak it.

Todesco was proud of his achievement and went on to post on Twitter, five days after the iPhone 7 had been released. He even shared a video to prove his accomplishment. He did not want to share the details until Apple announced the release of a patch.

The jailbreak came at a time when Apple had just announced a new program called “bug bounty” aimed at encouraging people to report bugs they find in Apple products. Todesco did not want to submit the bug report to Apple because he needed to fine-tune the exploit process so that the jailbreak would work with the Safari browser.

According to a report by Vice, Todesco might have been the first to announce jailbreaking the iPhone, but there was a possibility that other people might have exploited the bugs albeit silently.

According to Ryan Duff, a former member of the US Cyber Command, jailbreaking is not likely to go away anytime soon. It is also too valuable to be given away for free, and that could be the reason why Todesco did not take advantage of Apple’s bounty program.

Apple refused to comment on Todesco’s jailbreak since it was an isolated case.

How Jailbreaking Works

Jailbreaking involves hacking into the iOS operating system and then unlocking it. An unlocked iPhone allows users to install software not allowed by Apple. Jailbreaking has been around since 2007 and there was even a website dedicated to the process. Jailbreaking is made possible through the exploitation of one or two bugs which disable the security mechanism in the iOS operating system. The jailbreak allows the hacker to run code that is not approved by Apple. Jailbreaking was an economic phenomenon when the first iPhone was launched in 2007 and picked up quickly in 2008.

Since then, the jailbreaking community has fractured. Those who were high in the hierarchy have joined top internet security firms or are working for Apple. Those who are doing it in the confines of their bedroom do it privately so that they can ask for huge payouts from companies they’ve exploited. Finding the bugs is not an easy process. iOS is known to be the toughest to hack and most secure operating system in the world. It is difficult to figure out how the code aligns in the iOS ecosystem.

Hackers who are able to penetrate the tough security system should not be ignored. Most of these hackers are teenagers who are always looking for the next challenge.

Teenager Hacks Apple Servers

The hacking phenomenon is not limited to jailbreaks alone. In August 2018, a 16-year-old teenager from Australia hacked into Apple’s main computer network and downloaded over 90GB of sensitive information. Apple was quick to report that no personal customer data had been compromised despite the teenager accessing the information.

Apple did acknowledge there was unauthorized access to their servers and reported the case to authorities. After the breach had been discovered, Apple reported the case to the FBI, who in turn referred the case to the Australian Federal Police. The hacker was not keen on hiding his tracks, since the serial number of the laptop, the IP address, and a mobile number could easily be traced back to him. This was because the teenager wanted to work with Apple and shared his dream with the authorities. The messages on his WhatsApp also showed the boy boasting of hacking Apple’s main computer network.

What Motivates Teenage Hackers?

According to a study by the National Crime Agency, teenagers are motivated by idealism and the idea of impressing their friends, as opposed to money, when hacking.

The enforcement agency interviewed kids as young as 12 years who had been cautioned or arrested because of computer-related crimes. The study found that those around the age of 17 were unlikely to be involved in harassment, fraud, or theft. Instead, they saw hacking as a “moral duty.” There are also those who were motivated to tackle technical problems and to boast to their friends. They were not aware of the implications for businesses, governments, and individuals. According to Paul Hoare, senior manager at NCA, there is a shortage of skilled cybersecurity analysts and teenagers could put their skills to good use.

Some of the hacks are politically motivated. There are teenagers who are of the idea that the internet is a Utopian space and there should be no censorship. According to Jack Davis, a former member of the Anonymous hackers, he was motivated by the belief that the internet should not be monitored or filtered. Davis was arrested at the age of 18 and was banned from using the internet for two years. According to Davis, he could have opted for ethical hacking instead of going the black hat route.

The Rise of Bug Hunters

There are currently numerous schemes by companies that pay handsomely for people who discover vulnerabilities in their systems. The payoff can set one on an insatiable hunt for bugs. In order to be really good at bug hunting, you need to be a curious person. Apart from curiosity, you also need solid expertise in discovering the vulnerabilities. It is a skill that requires patience and constant iteration to get it right. Some bug bounty hunters can earn up to $50,000 a month.

It is not common to find a bug that has never been discovered before. Such bugs usually have the highest payouts, which can run up to hundreds of thousands of dollars. Elite white hat hackers can earn up to $350,000 a year depending on the number of projects they work on.

Any piece of software is bound to contain some mistakes since it is written by humans. Criminals have put in place automated systems that are always checking for vulnerabilities. It is the work of the bounty hunter to find the mistakes before the bad guys do. Most firms don’t have the expertise to handle the surveillance on their own. Companies that deal with sensitive information are more susceptible to attacks.

One of the companies working to secure the internet is HackerOne. They’ve paid over $20 million in bounties so far, which goes to show how big the industry is becoming. It is not always going to be easy approaching firms and telling them that their websites or apps can be hacked. The huge rewards have made bug bounties a very competitive field. Finding bugs is becoming harder. To some people, bug hunting is a hobby and provides a legal alternative to the black hat world.

Apple Bug Program

In 2016, Apple announced that it would start a bug bounty program to reward those researchers who uncover vulnerabilities in Apple products. Facebook, Microsoft, and Google are some of the big companies that are already offering a similar program. When it was started, Apple wanted to keep the scope small and grow with time.

Apple planned on widening the scope so that outside researchers would be eligible for the bug bounty program. Those who want to be eligible will need to submit a report to Apple with at least a proof of concept. It is also mandatory that the researchers don’t disclose the bugs to the public before they’re fixed. The researchers will be given credit in the security patch that is released to address the bug. Those who have been successfully rewarded have the option to donate to charity, with Apple matching their contribution. When the program was started, Apple started implementing it in sections because bugs were becoming hard to come by. It is even harder to find bugs today because of the security measures put in place by companies. Apple also started the program to deter researchers from selling the exploits to entities that might have ulterior motives.

To sum it up, bug bounty programs can be used to lure people, especially teenagers, away from the black hat world. They get to prove a point legally without interfering with business and government operations. Illegal hacking causes millions of dollars in damages, and a good number of attacks are carried out by teenagers. Empowering them with legal alternatives could be seen as a solution to the menace.
