CIA 'tried to crack security of Apple devices'

The agency tried to create dummy version of development software that would allow it to insert surveillance back doors into apps

The CIA led sophisticated intelligence agency efforts to undermine the encryption used in Apple phones, as well as insert secret surveillance back doors into apps, top-secret documents published by the Intercept online news site have revealed.
The newly disclosed documents from the National Security Agency’s internal systems show surveillance methods were presented at its secret annual conference, known as the “jamboree”.
The most serious of the various attacks disclosed at the event was the creation of a dummy version of Apple’s development software Xcode, which is used by developers to create apps for iOS devices.
The modified version of Xcode would allow the CIA, NSA or other agencies to insert surveillance backdoors into any app created using the compromised development software. The revelation has already provoked a strong backlash among security researchers on Twitter and elsewhere, and is likely to prompt security audits among Apple developers.
The latest revelations of sustained hacking efforts against Apple devices are set to further strain already difficult relations between the technology company and the US government.
Apple had previously been a partner in the Prism programme, in effect a legal backdoor to obtain user information by the NSA and its allies, but in the wake of the Snowden revelations it has stepped up efforts to protect user privacy, including introducing end-to-end encryption on iMessages.
Tim Cook, the CEO of Apple, warned Barack Obama in public remarks this month that history had shown “sacrificing our right to privacy can have dire consequences”.
 
Other efforts showcased at the intelligence agency jamboree included a means of introducing keylogger software – which records and transmits every stroke a compromised user types – into systems through Apple’s software update tool on its laptop and desktop computers.
Analysts were also exploring a sophisticated approach to breaking encryption on individual devices using the activity pattern of its processor while it is encrypting data, known as a “side channel” attack, as part of a bid to gain further access to the core software the devices run.
The presentation notes revealed by the Intercept suggested that at the time of the presentation in March 2012 the technique had not yet been successful in extracting the key.
US academics and security researchers have questioned the legality of the CIA’s efforts to attack Apple’s security.
“If US products are OK to target, that’s news to me,” Matthew Green of the Information Security Institute at John Hopkins University told the Intercept.
“Tearing apart the products of US manufacturers and potentially putting back doors in software distributed by unknowing developers all seems to be going a bit beyond ‘targeting bad guys’. It may be a means to an end, but it’s a hell of a means.”
The exploits revealed by the Intercept are the latest in a long list of stories disclosing intelligence agency activities against Apple and its platforms. In January 2014, the Guardian disclosed a variety of exploits being used by the UK intelligence agency GCHQ and the NSA against mobile phones.
These included bids to extract personal information from data transmitted by apps including Angry Birds, as well as a range of capabilities to activate remotely the microphone on iPhones and Android devices – a project codenamed Nosey Smurf. Guardian http://ow.ly/KfGB1

« GCHQ Spying Wasn't Illegal, it Just ‘Lacked Transparency’…
Europe Could See Beginning Of Two-Tier Internet »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Acutec

Acutec

Acutec is an award winning IT support, services and solutions provider including managed IT Security and backup/disaster recovery.

Rogue Wave Software

Rogue Wave Software

At Rogue Wave, our mission is to simplify your hardest problems, improve software quality and security, and shorten the time it takes to deliver value.

TrainACE

TrainACE

TrainACE, is a professional computer training school offering courses in information technology with a focus on Advanced Security training.

Telecommunications & Digital Government Regulatory Authority (TDRA) - UAE

Telecommunications & Digital Government Regulatory Authority (TDRA) - UAE

TDRA focuses on regulating the telecommunications sector and enabling government entities in the field of smart transformation. It is responsible for the overall digital infrastructure in the UAE.

THEC-Incubator

THEC-Incubator

THEC-Incubator program is designed for international and ambitious tech startups in the Netherlands. Areas of focus include Blockchain and Cyber Security.

N8 Identity

N8 Identity

N8 Identity helps organizations realize the vision of Autonomous Identity Governance™ with AI-driven Identity solutions.

Informer

Informer

Informer provides an Attack Surface Management SaaS platform alongside penetration testing services. We combine machine learning and human intelligence to reduce cyber risk.

Data Storage Corp (DSC)

Data Storage Corp (DSC)

Data Storage Corporation is a provider of data recovery and business continuity services that help organizations protect their data, minimize downtime and recover and restore data.

UK Cyber Security Council (UKCSC)

UK Cyber Security Council (UKCSC)

The role of The UK Cyber Security Council is to champion the cybersecurity profession across the UK, provide representation for the industry, accelerate awareness and promote excellence.

North West Cyber Resilience Centre (NWCRC)

North West Cyber Resilience Centre (NWCRC)

The North West Cyber Resilience Centre is a trusted, not-for-profit venture between Greater Manchester Police and Manchester Digital.

Nemstar

Nemstar

Nemstar is a specialist in Information Security & Cyber Training with over 25 years' industry experience.

Cyware

Cyware

Cyware is the only company building Virtual Cyber Fusion Centers enabling end-to-end threat intelligence automation, sharing, and unprecedented threat response for organizations globally.

BlastWave

BlastWave

BlastWave deliver Operational Technology Cybersecurity solutions that minimize the available attack surface and protect against the rising tide of AI-powered cyber attacks.

Cyber Capital Partners

Cyber Capital Partners

Cyber Capital Partners build strategic and financial partnerships with small and mid-sized cybersecurity companies in highly regulated markets.

Tenchi Security

Tenchi Security

Tenchi Security are specialized in Third-Party Cyber Risk Management (TPCRM) and aim to reduce information asymmetry when it comes to third and Nth-Party security and compliance risk management.

Somos

Somos

From voice to messaging to fraud prevention and beyond, Somos are committed to developing innovative solutions that ensure that our ability to maintain trustworthy connections never stops.