Apple Refused to Pay $1 Million Bounty to Kaspersky Lab for iOS Zero-days

Apple has refused to pay Kaspersky Lab a reward for discovering critical vulnerabilities in iOS that allowed attackers to install spyware on any iPhone.

According to RTVI, the vulnerabilities were reported to Apple in 2023, and under the Apple Security Bounty program, such discoveries can earn up to $1 million.

However, Apple declined to transfer the reward to Kaspersky Lab or a charity.

- Advertisement -

Kaspersky Lab’s Discovery and Apple’s Response

Dmitry Galov, head of the Russian research center at Kaspersky Lab, expressed his confusion and disappointment over Apple’s decision.

“We found zero-day, zero-click vulnerabilities, transferred all the information to Apple, and did a proper job.

Essentially, we reported a vulnerability to them, for which they must pay a bug bounty.

We don’t need this remuneration, but large companies often donate such payments to charity.

Apple refused to pay us, even to a charity, citing internal policies, without explanation,” Galov told RTVI.

In early June 2023, the FSB announced the discovery of an intelligence campaign by American intelligence services using Apple mobile devices.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

The agency reported several thousand iPhones, including those of embassy and diplomatic mission employees, were infected in Russia and abroad.

On the same day, Kaspersky Lab published a detailed report on the “most sophisticated cyberattack” on iOS, dubbed “Operation Triangulation.

“The attack involved sending an iMessage with a special attachment containing an exploit.

The exploit triggered the execution of malicious code without any user interaction, allowing attackers to introduce spyware into the iPhone silently.

Kaspersky Lab found spyware modules on the iPhones of its employees, including top management and middle managers.

“The purpose of that attack was espionage—a collection of any information from devices: Geolocation, cameras, microphones, files, contacts.

In general, all the data that can be represented on the device.

This was not a financially motivated cyber attack—attackers do not use many resources to steal users’ banking data, for example.

We are confident that this was high-level targeted cyber espionage activity,” Galov explained.

Apple’s Acknowledgment and Patch Release

A few weeks after the cyber attack information was made public, Apple acknowledged the problem and released updates to fix the vulnerabilities in iOS.

The vulnerabilities, identified as CVE-2023-32434 and CVE-2023-32435, posed a threat to all versions of iOS released before iOS 15.7.

In the description of the released patches, Apple named the four Kaspersky Lab employees who discovered the vulnerabilities.

Kaspersky Lab’s Shift to Android

Following the detection of the cyberattack, Kaspersky Lab transitioned all employees to mobile devices with Android OS.

“After discovering a spyware module in the iPhone of company employees last year, we [Kaspersky Lab] left iOS.

All company employees are now being issued corporate mobile devices on Android as planned, step by step.

We left iOS not because it is less secure but because we, as a security vendor, want to have more control over device security,” Galov stated.

Despite Kaspersky Lab’s significant contribution to identifying and reporting critical iOS vulnerabilities, Apple’s refusal to pay the bounty or donate it to charity has raised questions about its internal policies and decision-making processes.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo