A startup that makes replicas of the iPhone that help hackers find vulnerabilities is accusing Apple of suing it in an attempt to shut it down. Corellium also fired back at Apple and claimed the company owes it $300,000.
On Monday, Corellium, the startup that was sued by Apple for alleged copyright infringement in August, filed its response to the lawsuit. Apple alleged that Corellium’s product is illegal, and helps researchers sell hacking tools based on software bugs found in iOS to government agencies that then use them to hack targets. The cybersecurity world was shocked by Apple’s lawsuit, which was seen as an attempt to use copyright as an excuse to control the thriving, and largely legal, market for software vulnerabilities. The lawsuit was filed just a few days after Apple announced it would give researchers special “pre-hacked” devices to allow them to find and report more bugs to the company.
“Through its invitation-only research device program and this lawsuit, Apple is trying to control who is permitted to identify vulnerabilities, if and how Apple will address identified vulnerabilities, and if Apple will disclose identified vulnerabilities to the public at all,” Corellium argues in its response, echoing arguments made by the security research community.
In its response, Corellium essentially argues that using Apple’s code in Corellium is fair use and its product makes the world a better place by helping security researchers inspect the iPhone’s operating system, find flaws in it, and help Apple fix them. With Corellium, researchers can more easily find bugs by creating virtual instances of iOS and test them more quickly, as opposed to having to use actual physical devices. Corellium attempts to illustrate this by including "before" and "after" images in its response that demonstrate what it was like to try to hack the iPhone before it released its software.
As Motherboard reported earlier this year, Corellium employees acquired special iPhones from the grey market that are sometimes called “dev-fused” or “prototype” iPhones. These are iPhones loaded with special software that Apple employees and factory workers use for testing, and have fewer security restrictions in place, allowing researchers better access to parts of the phone’s operating system and code. (At the time, Wade denied ever acquiring these devices, but six sources told us that the company did have them.)
Last week, Apple made eBay remove a listing that offered a prototype iPhone for sale for $10,000.
Corellium’s key argument lies on the assumption that Corellium’s customers are looking for bugs with the intention of alerting Apple of their existence.
Do you work or have at Apple or Corellium? We'd love to hear what you think about this lawsuit. You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
For now, however, that is only an assumption.
The only customer Corellium names in its response is Azimuth Security, which was acquired by defense contractor L3 last year. As Motherboard reported last year, Azimuth is one of the best companies in the world at finding bugs in iOS, and developing exploits that take advantage of those bugs. Azimuth does not report those bugs to Apple. Instead, it sells hacking tools based on those bugs to law enforcement and intelligence agencies in the United States, UK, Canada, and other countries. Many security researchers who specialize in finding flaws in iOS don’t report bugs to Apple because they prefer to keep the bugs for themselves, or sell them to third parties.
When Motherboard asked today whether they ever reported a bug in iOS found using Corellium, Mark Dowd, the founder of Azimuth, said: “no.”
Daniel Cuthbert, the head of cybersecurity research at Santander bank, said that his team used Corellium to test the bank’s apps on different iPhone devices and iOS versions, and it was very useful for that.
“The real power and strength of Corellium is that it helps people write better apps by distributing and testing them in an automated fashion that doesn't depend on physical devices,” Cuthbert said in a phone call. “Apple is hurting the business world more than they think.”
Another key part of Corellium’s defense is that Apple has known about the company for years and has always been friendly to one of its founders, Chris Wade. Corellium alleges that Apple invited Wade to join its bug bounty program, which rewards researchers who report security vulnerabilities to Apple, in 2017, and even offered him a job years before he founded Corellium. Since then, according to Corellium, Wade reported as many as seven bugs, worth $300,000, for which he has not been paid.
When asked for comment, an Apple spokesperson directed Motherboard to the company's original filing.
Wade was not immediately available to respond to questions.
Researchers had been reluctant to report bugs to Apple after the bug bounty was launched in 2016, and some complained it was hard to get paid. But some researchers have been paid in the last couple of years, as Motherboard reported last year.
Corellium hinted that it knows the real reason why Apple allegedly did not pay Wade for the bugs he found, but the reason is redacted in the response.
The startup asked for permission to file its response under seal to avoid “the possibility of expanding this litigation,” but said in a motion that it believes the response should be published in full.
In an article published on Tuesday, Forbes revealed that Apple was in talks to acquire Wade’s previous startup, which offered a similar product as Corellium. Multiple sources told Motherboard that Apple was in talks to acquire Corellium as well, but those talks did not go anywhere.
This story was updated to include Daniel Cuthbert's comments.