Analysis: Why Apple's Participation At Black Hat Is A Big Deal
7:00 AM EST Tue. Jun. 12, 2012
Booming sales of iPhones and iPads are causing Apple to do things it has not done in the past, and the company's planned appearance at next month's Black Hat security conference is the latest example.
This is a potentially significant development because Apple has never allowed its security people to present at Black Hat on its behalf. In 2008, three Apple security engineers were scheduled to lead a Black Hat panel entitled "Meet the Apple Security Experts," but they pulled out a week before at the behest of Apple's marketing team.
Yet some of the biggest previous Black Hat storylines have centered on Apple flaws uncovered by third-party researchers, from David Maynor and Jon Ellch's controversial MacBook wireless driver hack in 2006 to Charlie Miller's iPhone SMS flaw in 2009 and the battery firmware hack in 2011, to name a few.
Dallas De Atley, manager of the Apple platform security team, is slated to give a talk on iOS security at this year's Black Hat. Apple's publication last month of a 20-page document outlining the iOS security architecture is a sign that his presentation will continue as planned.
However, Apple does not have a great track record of working with security researchers, many of whom claim to have been ignored after bringing serious issues to the company's attention. Some, in frustration, have taken vulnerability disclosure into their own hands, as evidenced by the Month of Apple Bugs and the Pwn2Own contest at the CanSecWest security conference.
So why is Apple opening up on security? On one hand, it could be looking to fix the dent that the Flashback malware and botnet caused to its security reputation. Apple says iOS is "inherently more secure" than OS X by design, and at Black Hat, De Atley may offer additional insight into how this has been achieved.
The second, more plausible explanation is that Apple wants a bigger share of the enterprise market. Apple CEO Tim Cook recently vowed to "double down on secrecy," but enterprise CIOs want a clearer picture of how security works in Apple products, and providing this could help pave the way for broader iPhone and iPad adoption in businesses.
Apple has been recruiting Microsoft channel partners to handle large-scale deployments of iPhones and iPads, mainly because Apple's own partners lack the necessary security and network infrastructure skills. Apple never would have dreamed of doing this in the past, and the company’s planned participation at Black Hat would seem to fall into the same category.
Of course, if Apple is really serious about opening up on security and working more closely with researchers, De Atley will field questions from Black Hat attendees, who undoubtedly will have plenty to ask.