ReportWire

Tag: security researchers

  • Apple doubles its biggest bug bounty reward to $2 million


    Apple is updating its Security Bounty program this November to offer some of the highest rewards in the industry. It has doubled its top award from $1 million to $2 million for the discovery of “exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks” that require no user interaction. The maximum possible payout can exceed $5 million for the discovery of more critical vulnerabilities, such as bugs in beta software and Lockdown Mode bypasses. Lockdown Mode is an upgraded security architecture in the Safari browser.

    In addition, the company is rewarding the discovery of exploit chains with one-click user interaction with up to $1 million instead of just $250,000. The reward for attacks requiring physical proximity to devices can now also go up to $1 million, up from $250,000, while the maximum reward for attacks requiring physical access to locked devices has been doubled to $500,000. Finally, researchers “who demonstrate chaining WebContent code execution with a sandbox escape can receive up to $300,000.” Apple’s VP for security engineering and architecture Ivan Krstić told Wired that the company has awarded over $35 million to more than 800 security researchers since it introduced and expanded the program over the past few years. Apparently, top-dollar payouts are very rare, but Apple has made multiple $500,000 payouts.

    The company said in its announcement that the only system-level iOS attacks it has observed in the wild came from mercenary spyware, which are historically associated with state actors and typically used to target specific individuals. It said its new security features like Lockdown Mode and Memory Integrity Enforcement, which combats memory corruption vulnerabilities, can make mercenary attacks more difficult to pull off. However, bad actors will continue evolving their techniques, and Apple is hoping that updating its bounty program with bigger payouts can “encourage highly advanced research on [its] most critical attack surfaces despite the increased difficulty.”


    Mariella Moon


  • Tile trackers reportedly have a security flaw that can let stalkers track your location


    Researchers have discovered major security flaws with Tile tracking tags, according to a report by Wired. These flaws could allow both the company itself and tech-savvy stalkers to track a user’s location. The security issue could also let a malicious actor falsely frame a Tile owner for stalking, as the flaw can make it appear as if a particular tag is constantly in the vicinity of somebody else’s tag.

    The issue pertains to how Tile tags transmit data during use. Tile tags transmit more data than other trackers do, including the static MAC address and the rotating ID. According to the report, none of this data is encrypted. The rotating ID changes all the time, but the MAC address doesn’t.

    Researchers believe that all of this information is stored in cleartext, making it easy for hackers to get hold of. This would also theoretically give Tile itself the ability to track its users, though the company says it doesn’t have this capability.

    It gets worse. Anyone with a radio frequency scanner can allegedly intercept all of this information as it’s being transmitted, creating another potential security hole. Also, this problem might not even be solved if Tile decides to stop transmitting the MAC address. This is because the company generates its rotating ID in such a way that future codes can be reliably predicted from past ones.

    “An attacker only needs to record one message from the device,” one of the researchers behind the findings said, adding that a single recorded message will “fingerprint it for the rest of its lifetime.” The researcher said this creates a risk of systemic surveillance.
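    The fingerprinting risk described above comes down to how a rotating ID is derived. The following added example (not from the article or from Tile; the “predictable” scheme is a constructed stand-in, not Tile’s real algorithm) contrasts an unkeyed hash chain, where one recorded ID lets a passive observer recognise every later one, with a keyed derivation (HMAC over a secret and an epoch counter) that only the owner can link.

```python
import hashlib
import hmac

# CONSTRUCTED toy scheme standing in for "future IDs derivable from past ones":
# each new ID is simply a hash of the previous one. This is an assumption for
# illustration, not Tile's actual rotation algorithm.
def predictable_next(prev_id):
    return hashlib.sha256(prev_id).digest()[:8]

def predictable_sequence(seed, n):
    ids, cur = [], seed
    for _ in range(n):
        cur = predictable_next(cur)
        ids.append(cur)
    return ids

# Keyed rotation: ID = HMAC(secret, epoch). The secret never goes over the air,
# so a recorded ID gives an observer no way to compute the next one.
def keyed_id(secret, epoch):
    return hmac.new(secret, epoch.to_bytes(8, "big"), hashlib.sha256).digest()[:8]

def keyed_sequence(secret, start_epoch, n):
    return [keyed_id(secret, start_epoch + i) for i in range(n)]

def observer_can_fingerprint(recorded, later_broadcasts, horizon=1000):
    """Model of a passive observer holding ONE recorded ID and no key: walk the
    hash chain forward and see whether any later broadcast matches. True means
    the tag stays linkable across rotations (the weakness the article describes)."""
    predicted, cur = set(), recorded
    for _ in range(horizon):
        cur = predictable_next(cur)
        predicted.add(cur)
    return any(b in predicted for b in later_broadcasts)

def owner_recognises(secret, broadcast, start_epoch, window):
    """The legitimate owner (or their server) still identifies the tag by
    recomputing the keyed IDs for a window of plausible epochs."""
    return any(hmac.compare_digest(keyed_id(secret, start_epoch + i), broadcast)
               for i in range(window))

if __name__ == "__main__":
    seq = predictable_sequence(b"constructed-seed", 20)
    print("unkeyed chain linkable:", observer_can_fingerprint(seq[0], seq[1:]))   # True
    key = b"constructed-secret-key"
    kseq = keyed_sequence(key, 100, 20)
    print("keyed IDs linkable:", observer_can_fingerprint(kseq[0], kseq[1:]))    # False
    print("owner recognises tag:", owner_recognises(key, kseq[5], 100, 20))       # True
```

The point for defenders is the last two lines: keyed derivation removes third-party linkability without costing the owner the ability to find their own tag.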

    The security researchers, who are involved with the Georgia Institute of Technology, reached out to Tile’s parent company Life360 in November of last year to report the findings. Wired said the company stopped communicating with the researchers in February. The company did say it has made a number of improvements to its security but didn’t elaborate further.


    Lawrence Bonk
