Just how private is Apple's Private Cloud Compute? You can test it to find out
Also updates bug bounty program with $1M payout
In June, Apple used its Worldwide Developer Conference to announce the creation of the Private Cloud Compute platform to run its AI Intelligence applications, and now it's asking people to stress test the system for security holes.
Apple has revealed that the platform (PCC) runs on custom-built server hardware and runs a specially hardened operating system derived from the same code base as iOS and macOS. It's also issued a security guide to the system, and pentesters can set up a Virtual Research Environment that investigators can use to examine the platform's strengths and weaknesses.
"In the weeks after we announced Apple Intelligence and PCC, we provided third-party auditors and select security researchers early access to the resources we created to enable this inspection, including the PCC Virtual Research Environment (VRE)," the Apple Security Engineering and Architecture team wrote in a blog post on Thursday.
"Today we’re making these resources publicly available to invite all security and privacy researchers – or anyone with interest and a technical curiosity – to learn more about PCC and perform their own independent verification of our claims."
- Apple ropes off at least 4GB of iPhone storage to house AI
- Apple debuts iPhone 16, Watch Series 10, assorted AirPods
- Apple-flavored Opera One brings its browser AI show to iOS
Apple is also releasing the full source code for some elements of the PCC, namely:
- The CloudAttestation project used for validation;
- The Thimble project, including the privatecloudcomputed daemon that runs on endpoint devices and uses CloudAttestation.
- The splunkloggingd daemon, which limits the logs that come from a PCC node to avoid security snafus;
- The srd_tools project, which contains the VRE tooling.
To further incentivize white-hat hackers, the fruit cart is also offering serious money for flaws. If you can remotely pull off arbitrary code execution with arbitrary entitlements there's up to a million dollars to be had, with $250,000 if you manage to pull data off a user's device. There are also bounties between $50,000 and $150,000 if you can hack the system from a privileged network position.
"We hope that you'll dive deeper into PCC's design with our Security Guide, explore the code yourself with the Virtual Research Environment, and report any issues you find through Apple Security Bounty," the team declared.
"We believe Private Cloud Compute is the most advanced security architecture ever deployed for cloud AI compute at scale, and we look forward to working with the research community to build trust in the system and make it even more secure and private over time." ®