The Intercept is reporting that the CIA has conducted a multi-year campaign to break the security of Apple iPhones and iPads.
By targeting essential security keys used to encrypt data stored on Apple’s devices, the researchers have sought to thwart the company’s attempts to provide mobile security to hundreds of millions of Apple customers across the globe. Studying both “physical” and “non-invasive” techniques, U.S. government-sponsored research has been aimed at discovering ways to decrypt and ultimately penetrate Apple’s encrypted firmware. This could enable spies to plant malicious code on Apple devices and seek out potential vulnerabilities in other parts of the iPhone and iPad currently masked by encryption.
* * *
The security researchers also claimed they had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool. Xcode, which is distributed by Apple to hundreds of thousands of developers, is used to create apps that are sold through Apple’s App Store.
The modified version of Xcode, the researchers claimed, could enable spies to steal passwords and grab messages on infected devices. Researchers also claimed the modified Xcode could “force all iOS applications to send embedded data to a listening post.” It remains unclear how intelligence agencies would get developers to use the poisoned version of Xcode.
Researchers also claimed they had successfully modified the OS X updater, a program used to deliver updates to laptop and desktop computers, to install a “key logger.”
* * *
“Spies gonna spy,” says Steven Bellovin, a former chief technologist for the U.S. Federal Trade Commission and current professor at Columbia University. “I’m never surprised by what intelligence agencies do to get information. They’re going to go where the info is, and as it moves, they’ll adjust their tactics. Their attitude is basically amoral: whatever works is OK.”
Bellovin says he generally supports efforts by U.S. intelligence to “hack” devices — including Apple’s — used by terrorists and criminals, but expressed concern that such capabilities could be abused. “There are bad people out there, and it’s reasonable to seek information on them,” he says, cautioning that “inappropriate use — mass surveillance, targeting Americans without a warrant, probably spying on allies — is another matter entirely.”
Documents provided by Edward Snowden revealed the CIA attacks on Apple software and hardware. The documents also reveal that other tech companies were also attacked. Tim Cook has repeatedly attacked the efforts of the CIA and the NSA and he has called for privacy protection for all Apple customers.
“If I were Tim Cook, I’d be furious,” says the ACLU’s Soghoian. “If Apple is mad at the intelligence community, and they should be, they should put their lawyers to work. Lawsuits speak louder than words.”
* * *
* * *
As corporations increasingly integrate default encryption methods and companies like Apple incorporate their own indigenous encryption technologies into easy-to-use text, voice and video communication platforms, the U.S. and British governments are panicking. “Encryption threatens to lead all of us to a very dark place,” declared FBI Director James Comey in an October 2014 lecture at the Brookings Institution. Citing the recent moves by Apple to strengthen default encryption on its operating systems, and commitments by Google to incorporate such tools, Comey said, “This means the companies themselves won’t be able to unlock phones, laptops, and tablets to reveal photos, documents, e-mail, and recordings stored within.”
Under current U.S. regulations, law enforcement agencies can get a court order to access communications channeled through major tech companies and wireless providers. But if those communications are encrypted through a process not accessible by any involved company, the data is essentially meaningless, garbled gibberish. “In a world in which data is encrypted, and the providers don’t have the keys, suddenly, there is no one to go to when they have a warrant,” says Soghoian. “That is, even if they get a court order, it doesn’t help them. That is what is freaking them out.”
You can read the full, detailed and shocking article here.