
Apple announced today that iOS security researchers can now apply for a Security Research Device (SRD) until the end of October.

SRDs are iPhone 14 Pros with disabled security features and shell access, which make vulnerability research possible on an otherwise locked platform.

Apple describes them as a "specially-built hardware variant" of consumer-ready devices, providing researchers with the tools required to deactivate built-in iOS security safeguards.

"Shell access is available, and you can run any tools, choose your own entitlements, and even customize the kernel," Apple says.

"Plus, any vulnerabilities that you discover with the SRD are automatically considered for Apple Security Bounty."

Researchers who receive an SRD, provided as a 12-month renewable loan, can use it to:

  • Install and boot custom kernel caches.
  • Run arbitrary code with any entitlements, including as platform and root outside the sandbox.
  • Set NVRAM variables.
  • Install and boot custom firmware for Secure Page Table Monitor (SPTM) and Trusted Execution Monitor (TXM), new in iOS 17.

The company added that iPhones provided through the Security Research Device Program should only be used by authorized people and never leave the premises of the security research facility.

Applications open until October 31

"From today through October 31, we invite security researchers to apply for the 2024 iPhone Security Research Device Program (SRDP) to jump-start their iPhone research, work with our security teams to help protect users, and qualify for Apple Security Bounty rewards," the company said.

"Each year, we select a limited number of security researchers to receive an SRD through an application process that's primarily based on a track record in security research, including on platforms other than iPhone."

Apple also allows universities to request access to the 2024 iPhone Security Research Device Program to use it as an instructional aid in computer science courses.

All submissions will undergo a thorough evaluation by the end of the year, with notifications to chosen participants scheduled for the beginning of 2024. 

You can find more information regarding program eligibility and submit an application for a Security Research Device on the Apple Security Research Device Program page.
