Apple pays $75,000 to hacker for discovery of exploits to hijack iPhone camera

Apple awarded $75,000 to a hacker who discovered exploits that allowed him to hijack the cameras of iPhones and Macs.

Security researcher and former Amazon Web Services security engineer Ryan Pickren disclosed at least seven zero-day vulnerabilities in Safari to Apple, according to Forbes. Three of these vulnerabilities could be used to hijack the cameras of iOS and macOS devices.

The exploit required victims to visit a malicious website, which could then access the device’s camera if the device had previously trusted a video conferencing service such as Zoom.

“A bug like this shows why users should never feel totally confident that their camera is secure,” Pickren told Forbes, “regardless of operating system or manufacturer.”

Pickren informed Apple about his discovery in mid-December 2019. Apple validated all seven vulnerabilities and, after a few weeks, released a fix for the iOS and macOS camera exploit. The security researcher was then paid $75,000, which Pickren said was the first payment he had received from the company.

Security researcher Sean Wright told Forbes that the exploit Pickren discovered, even though it required the victim to visit a malicious website, was “a very viable form of attack.” Wright added that, compared with the attention paid to webcams in computers, there has not been much focus on the cameras and microphones of mobile phones, which he said are “a far more likely route” for attackers who want to eavesdrop on their targets.

Bug bounties

Bug bounty programs provide incentives to security researchers to help tech companies find vulnerabilities in their software, instead of the exploits falling into the hands of malicious hackers.

Apple, which launched a bug bounty program in 2016, made changes in August 2019 that included the addition of a $1 million reward for hackers who could launch a “zero-click full chain kernel execution attack with persistence.” In December 2019, the program was finally expanded to accept submissions for macOS bugs.

Apple rival Google has also been generous with its bug bounty program, with an up to $1.5 million reward for “full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices.” In 2019, Google paid a total of $6.5 million in bug bounties, for a total of $21 million since the program was launched in 2010.

Aaron Mamiit