Cybersecurity research firm Corellium has announced a new initiative focused on testing Apple’s privacy and security claims about its Child Sexual Abuse Material (CSAM) detection system. Offering rewards and free access to its platform, the “Corellium Open Security Initiative” invites independent researchers to validate Apple’s security and privacy claims about the upcoming CSAM detection system.
Apple recently announced a CSAM detection feature as part of its new “Expanded Protections for Children” that will scan users’ iCloud Photos for known CSAM using a NeuralHashing system. Although the company’s intent to introduce measures that create a safe online space for young children is commendable, critics have characterized the feature as a “backdoor” and are concerned about its mechanics and that it can be exploited by government agencies or other malicious attackers.
Apple’s head of software, Craig Federighi, said that the CSAM detection system is “auditable and verifiable” by security researchers, and Corellium is putting those claims to the test.
Corellium invites independent researchers to test Apple’s privacy and security claims about the new CSAM system.
Appreciating the contributions of independent cybersecurity researchers in the identification of and defense against security threats, Corellium says that the community also plays an important role in “holding software vendors accountable for the security and privacy claims they make about their products.”
Therefore, as the initial pilot of the new Security Initiative, the first call for proposals targets Apple’s CSAM claims, to validate any security and privacy claims of the company, either in the operating system or in a third-party application.
Setting aside debates on the civil and philosophical implications of this new feature, Apple has made several privacy and security claims about this new system. These claims cover topics as diverse as image hashing technology, modern cryptographic design, code analysis, and the internal mechanics and security design of iOS itself. Errors in any component of this overall design could be used to subvert the system as a whole, and consequently violate iPhone users’ privacy and security expectations.
The three qualifying submissions will be awarded a $5,000 grant and one year of free access to the Corellium platform. Any independent researcher can apply by October 15, 2021, and submissions should address the following criteria set by the company:
- The likely impact of the proposed research on improving mobile security or privacy.
- The novelty and feasibility of the proposed research.
- The likelihood that the project will be completed successfully.
- The technical merits of the proposed research.
The two companies have a history: Apple recently settled, on undisclosed terms, a copyright lawsuit against Corellium over the research firm’s virtual iOS devices for security researchers.