CIA 'tried to crack security of Apple devices'

The agency tried to create dummy version of development software that would allow it to insert surveillance back doors into apps

The CIA led sophisticated intelligence agency efforts to undermine the encryption used in Apple phones, as well as insert secret surveillance back doors into apps, top-secret documents published by the Intercept online news site have revealed.
The newly disclosed documents from the National Security Agency’s internal systems show surveillance methods were presented at its secret annual conference, known as the “jamboree”.
The most serious of the various attacks disclosed at the event was the creation of a dummy version of Apple’s development software Xcode, which is used by developers to create apps for iOS devices.
The modified version of Xcode would allow the CIA, NSA or other agencies to insert surveillance backdoors into any app created using the compromised development software. The revelation has already provoked a strong backlash among security researchers on Twitter and elsewhere, and is likely to prompt security audits among Apple developers.
The latest revelations of sustained hacking efforts against Apple devices are set to further strain already difficult relations between the technology company and the US government.
Apple had previously been a partner in the Prism programme, in effect a legal backdoor to obtain user information by the NSA and its allies, but in the wake of the Snowden revelations it has stepped up efforts to protect user privacy, including introducing end-to-end encryption on iMessages.
Tim Cook, the CEO of Apple, warned Barack Obama in public remarks this month that history had shown “sacrificing our right to privacy can have dire consequences”.
 
Other efforts showcased at the intelligence agency jamboree included a means of introducing keylogger software – which records and transmits every stroke a compromised user types – into systems through Apple’s software update tool on its laptop and desktop computers.
Analysts were also exploring a sophisticated approach to breaking encryption on individual devices using the activity pattern of its processor while it is encrypting data, known as a “side channel” attack, as part of a bid to gain further access to the core software the devices run.
The presentation notes revealed by the Intercept suggested that at the time of the presentation in March 2012 the technique had not yet been successful in extracting the key.
US academics and security researchers have questioned the legality of the CIA’s efforts to attack Apple’s security.
“If US products are OK to target, that’s news to me,” Matthew Green of the Information Security Institute at John Hopkins University told the Intercept.
“Tearing apart the products of US manufacturers and potentially putting back doors in software distributed by unknowing developers all seems to be going a bit beyond ‘targeting bad guys’. It may be a means to an end, but it’s a hell of a means.”
The exploits revealed by the Intercept are the latest in a long list of stories disclosing intelligence agency activities against Apple and its platforms. In January 2014, the Guardian disclosed a variety of exploits being used by the UK intelligence agency GCHQ and the NSA against mobile phones.
These included bids to extract personal information from data transmitted by apps including Angry Birds, as well as a range of capabilities to activate remotely the microphone on iPhones and Android devices – a project codenamed Nosey Smurf. Guardian http://ow.ly/KfGB1

« GCHQ Spying Wasn't Illegal, it Just ‘Lacked Transparency’…
Europe Could See Beginning Of Two-Tier Internet »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Defense Advanced Research Projects Agency (DARPA)

Defense Advanced Research Projects Agency (DARPA)

DARPA's mission is to develop breakthrough technologies for national security. The Information Innovation Office undertakes cyber security activities.

CQS (Certified Quality Systems)

CQS (Certified Quality Systems)

CQS is an organisation specialising in ISO assessment and certification, including ISO 27001, along with other management system standards.

Intland Software

Intland Software

Intland offer an integrated Application Lifecycle Management platform that offers all-round Requirements, Development, and Testing & Quality Assurance functionality.

KZ-CERT

KZ-CERT

KZ-CERT is the national Computer Emergency Response Team for Kazakhstan.

IT Security Association Germany (TeleTrusT)

IT Security Association Germany (TeleTrusT)

TeleTrusT is an IT Security association and network for IT security comprising members from industry, administration, consultancy and research.

Referentia

Referentia

Referentia leads the development of critical infrastructure solutions that benefit society, including cyber security and network performance management.

Software Engineering Institute (SEI)

Software Engineering Institute (SEI)

At the CERT Division of SEI we study and solve cybersecurity problems, research security vulnerabilities in software, and develop information and training to help improve cybersecurity.

Inogesis

Inogesis

Inogesis helps blue-chip organisations harness disruptive technologies and thinking to drive new revenues or overcome challenges by connecting them with dynamic small companies.

Tehtris

Tehtris

TEHTRIS XDR Platform was developed to control and improve the IT security of private and public companies against advanced cyber threats such as cyber espionage or cyber sabotage activities.

Security Alliance

Security Alliance

Security Alliance provide bespoke cyber intelligence consulting and research services.

Toothpic

Toothpic

ToothPic has invented, designed, developed and patented a solution to enable companies to turn every smartphone into a secure key for a user-friendly online authentication.

BitTrap

BitTrap

BitTrap helps companies worldwide detect attackers and put an early end to breaches, preventing data exfiltration and ransomware altogether.

PreVeil

PreVeil

We started PreVeil to bring radically better security to ordinary business and personal communication and information storage.

Francisco Partners

Francisco Partners

Francisco Partners provide capital, expertise, and support for growth-aspiring technology companies.

Fraud.net

Fraud.net

Fraud.net operates the first end-to-end fraud management and revenue enhancement ecosystem specifically built for digital enterprises and fintechs globally.

CyPro

CyPro

CyPro is a cyber security expert firm that specialises in providing cyber security services tailored for high-growth companies at every stage of their journey.