A new report by The Intercept says that researchers working for the CIA have been involved in a “multi-year, sustained effort” to crack Apple security measures on iPhones and iPads. Documents provided by former NSA contractor Edward Snowden detail a number of initiatives, including an attempt to crack encryption keys implanted into Apple’s mobile processor, and a method compromising Xcode — the Apple tool used to create the vast majority of iOS apps.
The ongoing battle between spies and tech companies
Although the report doesn’t include details of any successful operations against Apple, it highlights the ongoing battle between national security agencies and technology companies, as well as the hypocrisy of the US government. It was only in March this year that President Barack Obama criticized China for its plans forcing tech companies to install security backdoors for government surveillance. Instead, as The Intercept notes, China is only following America’s lead.
“If U.S. products are OK to target, that’s news to me,” Matthew Green, a cryptography expert at Johns Hopkins University’s Information Security Institute told The Intercept. “Tearing apart the products of U.S. manufacturers and potentially putting backdoors in software distributed by unknowing developers all seems to be going a bit beyond ‘targeting bad guys.’ It may be a means to an end, but it’s a hell of a means.”
A comprised version of Xcode would allow spies to tap iPhone and iPad data
US researchers’ efforts to target Apple’s products, as well as those from competitors like Microsoft, were presented at a secret annual CIA-sponsored conference known as the “Jamboree.” In a presentation from 2012, researchers from Sandia Labs gave a talk titled “Strawhorse: Attacking the MacOS and iOS Software Development.” In it, they showed how a comprised version of Xcode would allow spies to siphon off iPhone and iPad data, create “remote backdoors” on connected Mac computers, and disable core security features on Apple devices. It’s not clear how spy agencies would get developers to use the comprised version of the software.
A separate presentation showed how a modified OS X updater could be used to install keyloggers on Mac computers. Another from 2011 discussed different methods that could be used to hack Apple’s Group ID (GID) — one of the two encryption keys that Apple places on its mobile devices. One method involved studying the electromagnetic emissions of the GID to extract the encryption key, while another focused on a “method to physically extract the GID key,” according to leaked presentation notes.
“Spies gonna spy.”
The documents do not specify how successful or not these methods have been, nor do they give any examples of specific hacks carried out by the CIA and other US intelligence agencies. “Spies gonna spy,” Steven Bellovin, a computer science professor at Columbia University and former chief technologist for the FTC, told The Intercept. “I’m never surprised by what intelligence agencies do to get information. They’re going to go where the info is, and as it moves, they’ll adjust their tactics. Their attitude is basically amoral: whatever works is OK.”