Security company Corellium is offering to pay security researchers to check Apple CSAM claims, after concerns were raised about both privacy and the potential of the system for misuse by repressive governments.

The company says that there are any number of areas in which weaknesses could exist, and they would like independent researchers to look for these…

Corellium is offering $5,000 grants, plus free use of its iOS virtualization platform for a year.

If you want to check Apple CSAM claims through the scheme, the company says you don’t need a track record in security research, though this would make your application more likely to succeed.

Just last week, Apple announced that it would begin scanning photos uploaded into Apple’s iCloud service for Child Sexual Abuse Material (CSAM). Setting aside debates on the civil and philosophical implications of this new feature, Apple has made several privacy and security claims about this new system.

These claims cover topics as diverse as image hashing technology, modern cryptographic design, code analysis, and the internal mechanics and security design of iOS itself. Errors in any component of this overall design could be used to subvert the system as a whole, and consequently violate iPhone users’ privacy and security expectations.

Since that initial announcement, Apple has encouraged the independent security research community to validate and verify its security claims. As Apple’s SVP of Software Engineering Craig Federighi stated in an interview with the Wall Street Journal, “Security researchers are constantly able to introspect what’s happening in Apple’s [phone] software, so if any changes were made that were to expand the scope of this in some way—in a way that we had committed to not doing—there’s verifiability, they can spot that that’s happening.”

We applaud Apple’s commitment to holding itself accountable by third-party researchers. We believe our platform is uniquely capable of supporting researchers in that effort. Our “jailbroken” virtual devices do not make use of any exploits, and instead rely on our unique hypervisor technology. This allows us to provide rooted virtual devices for dynamic security analysis almost as soon as a new version of iOS is released. In addition, our platform provides tools and capabilities not readily available with physical devices.

Applicants need to submit a proposal which includes information on the likely impact of the research, its novelty and feasibility, the likelihood that it will succeed, and the technical merits.

In return, successful researchers need to agree to the terms, which include reporting their discoveries to Apple and providing Corellium with regular updates on their progress.

Full details of the application process can be found in a blog post.

Apple has admitted that its announcement process wasn’t ideal, leading to misconceptions as well as well-founded concerns.