Kaspersky, the renowned Russian cybersecurity firm, made headlines at this time last year after uncovering an attack chain using four iOS zero-day vulnerabilities to create a zero-click exploit. Kaspersky was able to identify and report one of the vulnerabilities to Apple. However, in an unfortunate update, Apple reportedly refuses to pay the security bounty for the firm’s contribution.
9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform.
It is common for big tech companies like Apple to use security bounty programs to encourage researchers and hackers to find and report vulnerabilities to them rather than selling them to malicious actors, often nation-states, who might exploit them.
“We found zero-day, zero-click vulnerabilities, transferred all the information to Apple, and did a useful job,” Dmitry Galov, head of the Russian research center at Kaspersky Lab, told Russian news outlet RTVI. “Essentially, we reported a vulnerability to them, for which they must pay a bug bounty.”
Galov even proposed that Kaspersky donate the bounty to charity, but Apple rejected this, citing internal policies without explanation. It’s not uncommon for research firms to donate bounty payments from large companies to charity. Some perceive it as an extension of their ethical obligation, but it undeniably contributes to a positive reputation within the security community.
“Considering how much information we provided them and how proactively we did it, it is unclear why they made such a decision.”
In 2023, Kaspersky publicly disclosed a suspected highly sophisticated spying campaign after it detected anomalies from dozens of iPhones on its own network. It was dubbed Operation Triangulation, which would come to be described as the most sophisticated iOS attack ever constructed.
The attack leveraged a series of four zero-day vulnerabilities chained together to create a zero-click exploit. It allowed attackers to elevate privileges and execute remote code on compromised iPhones. Users would have no idea their device was infected, as the malware would transmit sensitive data, including microphone recordings, photos, and geolocation, to servers controlled by the attacker.
Not only did Kaspersky uncover the campaign, but its research lab also reverse-engineered one of the vulnerabilities in the attack chain, tracked as CVE-2023-38606. They found that the flaw in the kernel at the heart of iOS was being used to execute arbitrary code and elevate privileges. Apple was notified, and it wasn’t long before the company released emergency security patches, crediting the team at Kaspersky for the discovery of the flaw.
According to Apple’s Security Bounty Program, the reward for discovering such vulnerabilities can be up to $1 million. It’s crucial to maintain this reward, as unreported iOS zero-days can sell for well north of a million dollars in corners of the dark web.
The likely reason why
While Kaspersky is a multi-national company, it was founded and headquartered in Russia, a country the United States has heavily sanctioned due to the war in Ukraine. This could severely restrict financial transactions between U.S. companies and those in the region.
Additionally, per Apple Security Bounty’s terms and conditions, “Apple Security Bounty awards may not be paid to you if you are in any U.S. embargoed countries or on the U.S. Treasury Department’s list of Specially Designated Nationals, the U.S. Department of Commerce Denied Person’s List or Entity List, or any other restricted party lists.”
I believe Apple’s hands are tied here, but I’d like to hear your thoughts in the comments. The whole situation is unfortunate. I would’ve liked to see this bounty money donated, if Kaspersky was actually going to follow through on that offer.
Follow Arin: Twitter/X, LinkedIn, Threads