In 2023, Kaspersky Lab discovered critical vulnerabilities in iOS that allowed attackers to inject spyware into iPhones without any user interaction. Although Kaspersky reported these zero-day, zero-click vulnerabilities to Apple, Apple declined to pay a reward through its Security Bounty program. The maximum reward for vulnerabilities of this class can reach $1 million, but Apple refused the payment, even as a charitable donation, citing internal policies without further explanation.
Kaspersky’s report, published in June 2023, detailed the sophisticated “Operation Triangulation” cyberattack, which exploited iOS vulnerabilities to install spyware through a malicious iMessage attachment that the victim never had to open. The attack targeted high-profile individuals, including employees of diplomatic missions, and aimed at gathering sensitive information such as geolocation, files, and personal data. Kaspersky assessed it as a high-level espionage operation rather than a financially motivated one.
Following the disclosure, Apple acknowledged the vulnerabilities and released iOS updates patching CVE-2023-32434 (an integer overflow in the kernel) and CVE-2023-32435 (memory corruption in WebKit). Although Apple credited Kaspersky’s findings in those security updates, it did not act on the reward claim. Kaspersky noted that its own employees’ devices had been infected and said it was moving staff to Android devices for better security and tighter control over mobile device management.
The denial of the reward and Kaspersky’s subsequent change of device strategy underscore the difficulty of securing mobile environments and the consequences that vendor policy decisions have for defenders. Kaspersky’s move to Android reflects its need for security and management capabilities that iOS’s current restrictions do not allow.