This article is more than 1 year old

Cyber-whizs partake in mass eye-roll event over latest leaks: CIA spies 'spying on iPhones'

Plot to subvert Xcode to insert backdoors into apps mulled

CIA brainiacs at least thought about, or experimented with, breaking the security of Apple's iPhones, iPads and OS X computers, it appears from leaked intelligence documents.

The intel agency wanted to crack the encrypted firmware stored on targeted iThings, and spy on selected users via poisoned apps, Snowden newsletter The Intercept reports, having obtained top-secret files on spook research. "Spies gonna spy," as one academic, Steven Bellovin, told the blog.

Team Greenwald reports that the CIA tried tampering with copies of ‪Apple‬'s ‪Xcode‬ – the iOS and OS X software development tool – to slip backdoors or key-loggers into selected applications. The crooked toolchain, inspired by Ken Thompson's description of a silently evil compiler, could also build iOS applications that secretly uploaded sensitive information from iPads and iPhones to a US government-controlled server.

CIA cyber-spies also wanted to find the decryption keys hidden in Apple's system-on-chip processors that unscramble the encrypted firmware in iPhones and iPads. Perhaps the spooks wanted to backdoor a copy of iOS, and encrypt it so that it could be secretly installed in an intercepted phone and still boot like a legit version.

These surveillance methods were presented at a secret conference known as the "Trusted Computing Base Jamboree", which takes place at a Lockheed Martin site in Northern Virginia each year since almost a decade ago. Attempts to crack Microsoft BitLocker disk encryption technology were also showcased at the confab.

The Intercept's 5,000-word story has attracted a degree of skepticism from independent security experts, partly because the techniques described have been discussed at Black Hat and other public conferences; there's no magic, here, in other words.

Crucially, though, the leaked documents demonstrate no evidence that the CIA's hacking efforts actually paid off. It's not confirmed whether the dodgy builds of Xcode were ever used by developers to unwittingly distribute backdoored apps to intelligence targets, for instance.

"There is nothing in the leaked information to suggest how successful the United States' intelligence agencies were in cracking Apple's encryption technology, nor how specific exploits might have been used," writes veteran security journalist Graham Cluley.

Previous Snowden leaks have documented how far spies have gone in achieving their objectives, something notably absent from the latest leaks. The report's authors Jeremy Scahill and Josh Begley acknowledge this in a paragraph buried some way through the story:

The documents do not address how successful the targeting of Apple’s encryption mechanisms have been, nor do they provide any detail about the specific use of such exploits by US intelligence.

Other experts claim that the Intercept's report is based on a misunderstanding of Apple's cryptography: the article (now corrected) incorrectly claimed the device group ID (GID) key is used to digitally sign apps as Apple to prove they are legit.

GID keys, built into Apple's processors, are instead used to decrypt a device's firmware so that it can be booted. This mechanism is supposed to stop people from running custom operating systems on iThings. According to The Intercept's sensitive documents, the CIA wanted to get hold of these GID keys.

"The GID [Group IDentification] key allows you to decrypt iDevice firmware files. It does not allow you to pretend to be Apple. For that you need to break RSA," according to iOS security guru Stefan Esser, who detailed his criticisms in a string of tweets.

"The abstract linked by The Intercept merely says that [the CIA] are working on extracting the GID key and that it is work in progress. Several [iOS] jailbreakers also tried hardware attacks to extract GID keys. Everybody with the capability did. So it's no surprise," he commented.

Crypto-boffin Thomas Ptacek added: "I don’t think The Intercept really groks hardware-embedded keys."

Rob Graham of Errata Security is dismissive of the newsworthiness of the CIA's attempted hacking and The Intercept's article. He also suspects the CIA is trying to decrypt files stored on handsets, and that shouldn't surprise anyone, he said.

"When CIA drones bomb a terrorist compound, iPhones will be found among the bodies. Or, when there is a terrorist suspect coming out of a dance club in Karachi, a CIA agent may punch them in the face and run away with their phone. However it happens, the CIA gets phones and wants to decrypt them," Graham added on his blog.

"Back in 2011 when this conference happened, the process of decrypting retrieved iPhones was time consuming (taking months), destructive, and didn't always work. The context of the presentation wasn't that they wanted to secretly spy on everyone's phones. The context was that they wanted to decrypt the phones they were getting."

He continued:

The CIA isn't modifying the Xcode that everyone uses; that would be impossible. If you have Xcode installed, no, you don't have to worry about the CIA. Nor is the CIA trying to sneak something into a popular app like Angry Birds. Instead, their goal is to target the hundred users of a hawala money transfer app used almost exclusively by legitimate targets.

Earlier this week it emerged that cyber-espionage will be a top priority for the CIA across all its departments and investigations, something that adds to the timeliness of The Intercept's report, at least. ®

More about


Send us news

Other stories you might like