Apple refuses to pay up to $1 million to Kaspersky Lab for discovering vulnerabilities in iOS

In 2023, cybersecurity experts from Kaspersky Lab identified a vulnerability in Apple’s iOS that allowed hacking of any iPhone and installation of spy software. When such vulnerabilities are discovered, developers typically offer a Bug Bounty reward. However, Apple refused to pay the cybersecurity experts who had reported the vulnerability, a reward potentially totalling up to $1m.

According to RTVI, Dmitri Galov, head of the Russian research center at Kaspersky Lab, reported that his company had discovered several critical zero-day vulnerabilities in iOS. These could be exploited remotely without any user interaction. Despite receiving this information, Apple disregarded its own Security Bounty program and denied the promised reward of up to $1m.

Galov mentioned that the discovered vulnerabilities were actively exploited by cybercriminals in a large-scale cyber espionage campaign named “Operation Triangulation.” The objective was espionage: intelligence gathering from infected iPhones, including geolocation, files, photos, videos, audio recordings and more. Owners of iPhones worldwide, including embassy and diplomatic mission employees, were victims of this attack. The exploit was launched via incoming messages, requiring no action from the user.

Kaspersky Lab’s experts theorise that the large-scale cyber espionage campaign was backed by commercial structures or state intelligence services, but concrete evidence has yet to be found.

After the discovery was confirmed and published, Apple released updates to fix these vulnerabilities, CVE-2023-32434 and CVE-2023-32435, in iOS. Apple even credited the Kaspersky personnel who found them. However, it ignored its bounty program and did not pay the due reward to the Russian security experts. The spy software posed a threat to all iOS versions prior to iOS 15.7.

Kaspersky Lab stated that it does not need a monetary reward from Apple and often donates such funds to charity. Apple, however, refused even to pay a charity, citing internal policies without further explanation.

Following the incident, Kaspersky Lab decided to stop using Apple devices entirely, opting for smartphones and tablets running Android OS. Dmitri Galov stated that Android offers more opportunities for security and device control.

Apple has not yet commented on its refusal to pay the reward promised under its own advertised Security Bounty program.

This post was last modified on 06/04/2024

Harry Males, news writer at Dave's iPAQ.