Apple has poached a key member of Google’s Project Zero, a hacking team at Google that has found dozens of critical vulnerabilities in Apple’s iOS and other critical Apple software.
Last year, Apple and Google fought over a series of vulnerabilities that Project Zero discovered in iOS, with Apple suggesting that Google was overselling the vulnerabilities. About a year later, Brandon Azad announced on Twitter at the beginning of October that he was leaving Google’s elite team of hackers to join Apple.
“My teammates at Project Zero have been among the kindest and smartest people I’ve met, and I’ve learned so much from them,” Azad wrote. “I’ll really miss working alongside everyone on the team. Thank you all for these wonderful experiences, and keep on hacking!”
Azad has been widely considered one of the best iPhone hackers who didn’t work for Apple, being named by Apple in countless security advisories, and presenting highly technical findings on Apple’s products at major cybersecurity conferences around the world. Last year, Motherboard profiled Project Zero and revealed that Apple had been trying to poach a colleague of Azad, Ian Beer.
Do you work at Apple? Or do you do research on iOS and other Apple products? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Wire at lorenzofb, or email firstname.lastname@example.org
A few weeks later, Beer wrote a series of blog posts revealing that government hackers had used multiple unknown vulnerabilities—called zero-days—in iPhones. Beer has found dozens bugs in Apple’s code—at one point worth more than $2 million in the market—and is also a revered iPhone hacker. Years ago, one of the top independent iPhone hackers in the world told me that Beer was his role model. (Beer could not be reached for comment.)
This may be part of a renewed commitment by Apple to lead the industry in security practices, or at least be more transparent and proactive about it.
Of course, Azad alone won’t change everything, and Apple had been hiring top hackers for years, including several who used to hack for spy agencies in the US, UK, France, and other countries.
Poaching Azad from Project Zero is “a pretty good damn hire” for Apple, according to a defense contractor who specializes in cybersecurity.
“Good job Apple,” the contractor, who is not authorized to speak to the press, told Motherboard.
He then joked that “iOS jailbreakers are sad because they’re going to miss Azad’s free research,” referring to his blog post that could then be used to create more zero-days.
The head of Apple Product Security team, Ivan Krstić, is himself widely respected in the industry, and has appeared at Black Hat in 2016 and 2019, to introduce Apple’s much anticipated—but slow cooking—bug bounty program, and to signal that his company is more open to engage with the security community than before. Krstić did not immediately respond to a request for comment.
At the same time, critics have slammed Apple for suing a startup that was providing virtual versions of iPhones to security researchers who wanted to streamline their hacking processes, as well as to tech companies who wanted to test their iOS apps on multiple iOS versions.
Apple declined to comment but confirmed that Azad will be joining the company soon.
Google also did not immediately respond to a request for comment.
October may be an auspicious month for Apple. New security PR, new iPhone hacker, and oh, new iPhones!