CIA brainiacs at least thought about, or experimented with, breaking the security of Apple's iPhones, iPads and OS X computers, it appears from leaked intelligence documents.
The intel agency wanted to crack the encrypted firmware stored on targeted iThings, and spy on selected users via poisoned apps, Snowden newsletter The Intercept reports, having obtained top-secret files on spook research. "Spies gonna spy," as one academic, Steven Bellovin, told the blog.
Team Greenwald reports that the CIA tried tampering with copies of Apple's Xcode – the iOS and OS X software development tool – to slip backdoors or key-loggers into selected applications. The crooked toolchain, inspired by Ken Thompson's description of a silently evil compiler, could also build iOS applications that secretly uploaded sensitive information from iPads and iPhones to a US government-controlled server.
CIA cyber-spies also wanted to find the decryption keys hidden in Apple's system-on-chip processors that unscramble the encrypted firmware in iPhones and iPads. Perhaps the spooks wanted to backdoor a copy of iOS, and encrypt it so that it could be secretly installed in an intercepted phone and still boot like a legit version.
These surveillance methods were presented at a secret conference known as the "Trusted Computing Base Jamboree", which has been held at a Lockheed Martin site in Northern Virginia every year for almost a decade. Attempts to crack Microsoft BitLocker disk encryption technology were also showcased at the confab.
The Intercept's 5,000-word story has attracted a degree of skepticism from independent security experts, partly because the techniques described have been discussed at Black Hat and other public conferences; there's no magic here, in other words.
Crucially, though, the leaked documents demonstrate no evidence that the CIA's hacking efforts actually paid off. It's not confirmed whether the dodgy builds of Xcode were ever used by developers to unwittingly distribute backdoored apps to intelligence targets, for instance.
"There is nothing in the leaked information to suggest how successful the United States' intelligence agencies were in cracking Apple's encryption technology, nor how specific exploits might have been used," writes veteran security journalist Graham Cluley.
Previous Snowden leaks have documented how far spies have gone in achieving their objectives, something notably absent from the latest leaks. The report's authors Jeremy Scahill and Josh Begley acknowledge this in a paragraph buried some way through the story:
The documents do not address how successful the targeting of Apple's encryption mechanisms has been, nor do they provide any detail about the specific use of such exploits by US intelligence.
Other experts claim that the Intercept's report is based on a misunderstanding of Apple's cryptography: the article (now corrected) incorrectly claimed the device group ID (GID) key is used to digitally sign apps as Apple to prove they are legit.
GID keys, built into Apple's processors, are instead used to decrypt a device's firmware so that it can be booted. This mechanism is supposed to stop people from running custom operating systems on iThings. According to The Intercept's sensitive documents, the CIA wanted to get hold of these GID keys.
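The point the experts are making turns on the difference between a key that decrypts firmware and a key that signs it. The following is an added illustration, not code from The Intercept's documents and not Apple's real implementation: it models a boot check that first decrypts an image with a device-class "GID key" and then verifies a vendor signature over the result. The stand-ins are constructed for the example (a SHA-256 counter-mode keystream in place of AES, textbook RSA over a SHA-256 digest in place of a real padded signature scheme, and fixed Mersenne primes so the run is deterministic); the names `build_image`, `boot` and `demo` are assumptions of this example.

```python
"""Toy model: a firmware-decryption key versus a code-signing key.

Everything here is a constructed stand-in for illustration, not Apple's scheme:
  - the "GID key" is a 32-byte symmetric key; encryption is a SHA-256
    keystream in counter mode, standing in for AES.
  - the vendor's signing key is a textbook RSA pair over a SHA-256 digest,
    with no padding, standing in for a real padded signature scheme.
"""
import hashlib
import secrets
from typing import Tuple

# --- symmetric layer: what possessing the GID key buys you -----------------

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` with a SHA-256 counter-mode keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)

# --- asymmetric layer: what only the vendor's private key buys you ---------

_P = 2**521 - 1            # Mersenne primes: fixed so the example is deterministic
_Q = 2**127 - 1
_N = _P * _Q               # modulus is ~648 bits, comfortably above a 256-bit digest
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # vendor-private signing exponent

def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(plaintext: bytes, private_exponent: int = _D) -> int:
    """Textbook RSA signature over SHA-256(plaintext); illustration only."""
    return pow(_digest_int(plaintext), private_exponent, _N)

def verify(plaintext: bytes, signature: int) -> bool:
    """Anyone can verify with the public exponent; nobody can forge without _D."""
    return pow(signature, _E, _N) == _digest_int(plaintext)

# --- the boot ROM's view ---------------------------------------------------

def build_image(gid_key: bytes, firmware: bytes) -> Tuple[bytes, int]:
    """Vendor side: sign the firmware, then encrypt it for the device class."""
    return keystream_xor(gid_key, firmware), sign(firmware)

def boot(gid_key: bytes, image: bytes, signature: int) -> bytes:
    """Device side: decrypt with the GID key, then refuse anything unsigned."""
    firmware = keystream_xor(gid_key, image)
    if not verify(firmware, signature):
        raise ValueError("signature check failed: not a vendor-signed image")
    return firmware

def demo() -> dict:
    gid_key = secrets.token_bytes(32)          # constructed stand-in for the SoC key
    genuine = b"kernel: genuine build 1.0"     # constructed sample firmware
    image, sig = build_image(gid_key, genuine)

    # Holding the GID key lets you READ the firmware (which is what it is for)...
    recovered = keystream_xor(gid_key, image)

    # ...and re-encrypt a modified copy, but the old signature no longer matches,
    # and producing a new one needs the vendor's private exponent.
    altered = recovered.replace(b"genuine", b"altered")
    forged_image = keystream_xor(gid_key, altered)
    try:
        boot(gid_key, forged_image, sig)
        forged_boots = True
    except ValueError:
        forged_boots = False

    return {
        "genuine_boots": boot(gid_key, image, sig) == genuine,
        "gid_key_reveals_firmware": recovered == genuine,
        "altered_firmware_boots": forged_boots,
    }

if __name__ == "__main__":
    print(demo())
```

Run as a script, `demo()` reports that the genuine image boots, that the GID key alone is enough to recover the plaintext firmware, and that the re-encrypted modified image is rejected. The design choice worth noticing is the order of checks in `boot`: decryption with a shared device-class key is not what keeps unauthorised code off the device, the signature check is, which is why extracting the GID key and forging the vendor's signature are very different problems.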
"The GID [Group IDentification] key allows you to decrypt iDevice firmware files. It does not allow you to pretend to be Apple. For that you need to break RSA," according to iOS security guru Stefan Esser, who detailed his criticisms in a string of tweets.
"The abstract linked by The Intercept merely says that [the CIA] are working on extracting the GID key and that it is work in progress. Several [iOS] jailbreakers also tried hardware attacks to extract GID keys. Everybody with the capability did. So it's no surprise," he commented.
Crypto-boffin Thomas Ptacek added: "I don't think The Intercept really groks hardware-embedded keys."
Rob Graham of Errata Security is dismissive of the newsworthiness of the CIA's attempted hacking and The Intercept's article.
"When CIA drones bomb a terrorist compound, iPhones will be found among the bodies. Or, when there is a terrorist suspect coming out of a dance club in Karachi, a CIA agent may punch them in the face and run away with their phone. However it happens, the CIA gets phones and wants to decrypt them," Graham added on his blog.
"Back in 2011 when this conference happened, the process of decrypting retrieved iPhones was time consuming (taking months), destructive, and didn't always work. The context of the presentation wasn't that they wanted to secretly spy on everyone's phones. The context was that they wanted to decrypt the phones they were getting."
He continued:
The CIA isn't modifying the Xcode that everyone uses; that would be impossible. If you have Xcode installed, no, you don't have to worry about the CIA. Nor is the CIA trying to sneak something into a popular app like Angry Birds. Instead, their goal is to target the hundred users of a hawala money transfer app used almost exclusively by legitimate targets.
Earlier this week it emerged that cyber-espionage will be a top priority for the CIA across all its departments and investigations, something that adds to the timeliness of The Intercept's report, at least.