Apple announced last week that it was willing to pay up to $1.5 million for iPhone bugs, and that it will give security researchers special devices so they can find more vulnerabilities in iOS.
These announcements, made to much fanfare at the Black Hat security conference in Las Vegas, were met with delight and enthusiasm by the jailbreaking and iOS hacking community, who saw this as a “historic moment” for the security of iPhones all over the world.
Just a few days later, Apple appears to have squandered that goodwill by suing a startup that provides virtual versions of iOS to developers and security researchers who look for flaws in iPhones to then sell them in the thriving market for software exploits. In its complaint, Apple argues that Corellium is infringing the company’s copyright by selling a service that allows customers to create virtual versions of iOS.
“Corellium’s business is based entirely on commercializing the illegal replication of the copyrighted operating system and applications that run on Apple’s iPhone, iPad, and other Apple devices,” Apple argued in the complaint. “Recreating with fastidious attention to detail not just the way the operating system and applications appear visually to bona fide purchasers, but also the underlying computer code. Corellium does so with no license or permission from Apple.”
Chris Wade, the founder of Corellium, did not respond to a request for comment. Earlier this year, Motherboard revealed that several security researchers, including Corellium, were buying stolen iPhone “prototypes,” which allowed them to more easily pull apart iOS and find flaws in it, an investigation that Apple references in its lawsuit.
Several security researchers who specialize in finding vulnerabilities and ways to exploit them lashed out at Apple on Twitter, saying that Apple's crackdown on Corellium would be like Microsoft or other operating system developers going after virtual machines, which are copies of operating systems that can run within other operating systems and are widely used in security research and for other legitimate purposes.
“Hackintosh considered harmful today eh? Lame. Quick way to spend all the goodwill they just built in the community,” wrote Bas Alberts on Twitter, who works at government contractor Immunity.
Matt Suiche, a well-known researcher who developed virtualization software in the past, tweeted: “Imagine what today's Cloud Computing landscape would look like if VMware had been sued by IBM or Microsoft back in 1998,” referring to the popular virtualization platform VMware. Daniel Cuthbert, who is on the Black Hat conference review board and a veteran of the infosec community, called it a “poor move” by Apple. Luca Todesco, a well-known iPhone hacker, said this lawsuit is akin to Apple pulling “a Sony,” in reference to the Japanese giant suing security researcher George “Geohot” Hotz in 2011 for jailbreaking the PlayStation 3.
Apple did not respond to a request for comment, but the company defended its position in the complaint, arguing that Corellium encourages its customers “to sell any discovered information on the open market to the highest bidder,” and that Corellium’s “sole function” is to “enable the creation of ‘virtual’ iOS-operated devices, running unauthorized copies of iOS.”
In other words, Apple really doesn’t like the idea of having security researchers using Corellium to find exploits that may end up being sold to exploit brokers such as Zerodium, or directly to governments like Azimuth Security does.
“Corellium makes no effort whatsoever to confine use of its product to good-faith research and testing of iOS. Nor does Corellium require its users to disclose any software bugs they find to Apple, so that Apple may correct them,” the company wrote. “Instead, Corellium is selling a product for profit, using unauthorized copies of Apple’s proprietary software, that it avowedly intends to be used for any purpose, without limitation, including for the sale of software exploits on the open market.”
In a way, offering special devices and suing Corellium may be part of the same strategy: attempting to control what security researchers do with iPhones. On the other hand, perhaps this was inevitable.
“You really couldn’t ask for a lawsuit more than Corellium has,” said an Apple employee, who spoke on condition of anonymity because he was not authorized to speak to the press.
The employee explained that the way Apple licenses its software, you can’t run a virtual version of MacOS on VMware or other virtualization platforms if it’s not running on a Mac computer. Corellium does something similar, but with iOS.
After Apple announced its new bug bounty payouts and the research devices, Corellium’s founder Wade criticized them on Twitter.
“Glad to see Apple opening the bounty to all. But how’s it a fair playing field if not everyone has the same tools? No track record of security research? Tough luck no soup for you,” Wade wrote on Twitter. “Apple has the potential to add serious cloud services revenue from developers but chooses instead to build custom devices for a select few.”