The CIA campaign to steal Apple's secrets

Posted on March 11, 2015

Jeremy Scahill and Josh Begley, from The Intercept:

Researchers working with the Central Intelligence Agency have conducted a multi-year, sustained effort to break the security of Apple’s iPhones and iPads, according to top-secret documents obtained by The Intercept. […] By targeting essential security keys used to encrypt data stored on Apple’s devices, the researchers have sought to thwart the company’s attempts to provide mobile security to hundreds of millions of Apple customers across the globe. Studying both “physical” and “non-invasive” techniques, U.S. government-sponsored research has been aimed at discovering ways to decrypt and ultimately penetrate Apple’s encrypted firmware. This could enable spies to plant malicious code on Apple devices and seek out potential vulnerabilities in other parts of the iPhone and iPad currently masked by encryption.

This isn’t an unexpected revelation, with programs like XKeyScore and Prism, you could expect that the NSA or the CIA would target a company like Apple. What is more surprising is how they did it, and mostly one of the tool they used : XCode

The security researchers also claimed they had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool. Xcode, which is distributed by Apple to hundreds of thousands of developers, is used to create apps that are sold through Apple’s App Store. The modified version of Xcode, the researchers claimed, could enable spies to steal passwords and grab messages on infected devices. Researchers also claimed the modified Xcode could “force all iOS applications to send embedded data to a listening post.” It remains unclear how intelligence agencies would get developers to use the poisoned version of Xcode.

You can expect the reaction of iOS and MacOS developers. This is from Marco Arment:

Unpatriotic? Absolutely. Terrorism? Maybe. But those don’t quite capture what this really is: war. The United States intelligence agencies are at war against all U.S. citizens. President Obama, “the Constitutional Law president,” not only lets it happen, but supports it. Edward Snowden continues to be much more of national hero and a true American patriot than the President. And I see no future Presidential candidates in either party who are likely to be any better. I’ve said it before: history will not be kind to Obama on this.

But this kind of policy doesn’t lead to the CIA goal of making all of the information be easily readable by them:

As corporations increasingly integrate default encryption methods and companies like Apple incorporate their own indigenous encryption technologies into easy-to-use text, voice and video communication platforms, the U.S. and British governments are panicking. “Encryption threatens to lead all of us to a very dark place,” declared FBI Director James Comey in an October 2014 lecture at the Brookings Institution. Citing the recent moves by Apple to strengthen default encryption on its operating systems, and commitments by Google to incorporate such tools, Comey said, “This means the companies themselves won’t be able to unlock phones, laptops, and tablets to reveal photos, documents, e-mail, and recordings stored within.”

What led to this situation is the previous attacks made by the U.S. Government to illegally access the private data of millions (Apple said on Monday that it has sold more than 700 millions iPhones) of people, making no distinction between U.S. Citizens & its allies, and “terrorists”. The information that could previously be read when needed (a police investigation, a imminent threat to the National Security) by a simple warrant delivered by a judge now cannot be read at all, no matter what the urgency and the will of Apple.

“Encryption isn’t just a technical feature; it’s a marketing pitch,” Comey added. “But it will have very serious consequences for law enforcement and national security agencies at all levels. Sophisticated criminals will come to count on these means of evading detection. It’s the equivalent of a closet that can’t be opened. A safe that can’t be cracked.”

You can ask Tim Cook if that’s what he wanted when he revealed the new security features in iOS 8. I’m sure you know his answer.

“Obama’s comments were dripping with hypocrisy,” says Trevor Timm, executive director of the Freedom of the Press Foundation. “Don’t get me wrong, his actual criticism of China for attempting to force tech companies to install backdoors was spot on — now if only he would apply what he said to his own government. Since he now knows backdooring encryption is a terrible policy that will damage cybersecurity, privacy, and the economy, why won’t he order the FBI and NSA to stop pushing for it as well?”

This is what seems to be a good advice.