Author: David Hoyt, Hoyt LLC Research
Public Release: Monday, August 23, 2021
Estimated reading time: 7 minutes
This Article by David Hoyt looks at Chilling Effect, Best Practice & Transparency in the IT Security Sector.
Table of contents
- Executive Summary
- Public Education
- Best Practices
- Content Fingerprint
Point of View
I am sharing my point of view due to the statement by David Thiel of the Stanford Internet Observatory. In the original Article Thiel stated that the Apple Security Research Device Program “is bound by so many rules on what they can say or do that it doesn’t necessarily solve the problem of trust”. The Screen Capture from the original Article dated Tuesday, August 17, 2021 as Published by MIT Technology Review is seen below:
No Chilling Effect
There is No Chilling Effect by Apple on this SRD Program Participant. Specifically responding to Thiel, I am not bound by any rules on what I can do or say because of my Personal Choice to use the Apple Security Research Device. Our time is better spent on Research and Collaboration contrasted with tilting at windmills.
Transparency implies openness, communication and accountability. The Apple Security Research Device Fleet is a new Battleship Platform, constantly in development and being Reviewed by Industry Participants. Apple provided the 2021 SRD Cohort a Security Research Device [SRD] prototype in the Form of an iPhone 12,1 Model with Right to Use [RTU]. The Cohort dispatched the provided SRD prototype immediately upon receipt. Apple refloated a prototype quickly, but the Cohort dispatched the prototype a 2nd time. Apple shortly thereafter refloated a 3rd prototype, but that one turtled on its own, the Version String sinking.
My observation is that these outcomes are normal for the Telecommunications Product Development Lifecycle. Apple receives Positive Report for Transparency and Communication from this SRD Program Participant.
In iOS 15.1 Apple added a new entitlement called research.com.apple.license-to-operate to support Frida and other research tools on the Apple Security Research Device. This entitlement allows tools to bypass the PPL code-signing protections and the usual task-port policies, so they can inject code into any process running on the system (platform and non-platform).
The Public purchases a Right to Use [RTU] for a Computing Device such as a Radio Telecommunications Service [RTS] device like the iPhone or Pixel. At Power-On the Consumer must accept that Right to Use [RTU] from those Vendors. A Company that develops Intellectual Property (IP) will zealously protect its interest in that Intellectual Property.
Some recent examples of perpetual litigation over IP are Oracle vs. Google in the matter of Java, and Apple vs. Corellium, now on appeal. Each litigant seeks to compel compliance with a Licensing Agreement [LA], often expressed in the form of an RTU.
Right to Use
When I choose to use the Apple Security Research Device I do so under the terms of the SRD RTU & End User Licensing Agreement [EULA].
No Requirement to Use
The RTU & EULA for the Apple Security Research Device contain No Requirement to Use the Apple Security Research Device.
The Apple Security Research Device affords Researchers the following abilities that a user Device doesn’t: (1) Side-load executable code onto the device with arbitrary entitlements at the same permission level as Apple operating system components, (2) Start services at startup, (3) Persist content across restarts. The Researcher can see and interoperate with all system services and devices with root permissions and Apple Entitlements.
The Operating System is a small piece of the Package badged with iPhone or Pixel. There are many Vendors and millions of lines of Code packaged into a Consumer Device. Those Vendors may require via RTU & EULA the Lockdown of the Consumer Device to protect IP.
There are equivalent Virtualization Platforms [Corellium], Software Development Kits [SDK] and Hardware Development Kits [HDK] that provide greater functionality with purchase of additional RTU. A Security Researcher knows when a standalone RTS Device is in Lockdown and is often compelled to spend more money to License the SDK and/or HDK to conduct a Research Project.
The Blame for the Lockdown of Consumer Phones lies with the Vendors of Hardware & Software Intellectual Property (IP) that Require the Lockdown by RTU, EULA or Chilling Effect.
The modern approach to Vulnerability Disclosure [VD] does not place Consumers at Risk due to Uncoordinated Disclosure [UD] made in advance of the Resolution Notification by the Vendor.
UD may be considered by a Researcher at any point in time without Vendor Notification.
The modern approach to Vulnerability Disclosure is Best Practice because Consumers are [mostly] unable to act on self-mitigations, often due to Lockdown restrictions placed on the RTS Device by IP Vendors.
Prove a Bug
My experience in 2021 is that Apple moves very quickly when a high value exploit with a working proof of concept is delivered. It takes time to prove a bug; the better the Report, the faster the time to Resolution.
The reality is that after an initial Bug Report is made it could be days, weeks or months until the Downstream Code Vendor receives, validates and acts on a Vulnerability Report.
As a matter of Public Record, Content on any Device that is Uploaded to or Downloaded from the Internet has a unique Content Fingerprint. Pictures are Hashed and Indexed by multiple 3rd parties and linked to your Online Identity. Consumers must explicitly take steps to prevent content scanning, which may not be possible under the modern RTU.
I have been the Target of many Chilling Effects by Private & Public Companies & Individuals and welcome the opportunity to educate all interested parties.
No Financial Conflict of Interest
I do not Own or Trade in any Apple Financial Products or Derivatives, nor am I a Subcontractor, Employee or Agent of Apple Corporation. My relationship with Apple is business formal, arm's-length. I have No Financial Conflict of Interest.