CIA 'tried to crack security of Apple devices'

The agency tried to create a dummy version of development software that would allow it to insert surveillance back doors into apps

The CIA led sophisticated intelligence agency efforts to undermine the encryption used in Apple phones, as well as insert secret surveillance back doors into apps, top-secret documents published by the Intercept online news site have revealed.
The newly disclosed documents from the National Security Agency’s internal systems show surveillance methods were presented at its secret annual conference, known as the “jamboree”.
The most serious of the various attacks disclosed at the event was the creation of a dummy version of Apple’s development software Xcode, which is used by developers to create apps for iOS devices.
The modified version of Xcode would allow the CIA, NSA or other agencies to insert surveillance backdoors into any app created using the compromised development software. The revelation has already provoked a strong backlash among security researchers on Twitter and elsewhere, and is likely to prompt security audits among Apple developers.
The latest revelations of sustained hacking efforts against Apple devices are set to further strain already difficult relations between the technology company and the US government.
Apple had previously been a partner in the Prism programme, in effect a legal backdoor to obtain user information by the NSA and its allies, but in the wake of the Snowden revelations it has stepped up efforts to protect user privacy, including introducing end-to-end encryption on iMessages.
Tim Cook, the CEO of Apple, warned Barack Obama in public remarks this month that history had shown “sacrificing our right to privacy can have dire consequences”.
 
Other efforts showcased at the intelligence agency jamboree included a means of introducing keylogger software – which records and transmits every stroke a compromised user types – into systems through Apple’s software update tool on its laptop and desktop computers.
Analysts were also exploring a sophisticated approach to breaking encryption on individual devices using the activity pattern of its processor while it is encrypting data, known as a “side channel” attack, as part of a bid to gain further access to the core software the devices run.
The presentation notes revealed by the Intercept suggested that at the time of the presentation in March 2012 the technique had not yet been successful in extracting the key.
US academics and security researchers have questioned the legality of the CIA’s efforts to attack Apple’s security.
“If US products are OK to target, that’s news to me,” Matthew Green of the Information Security Institute at Johns Hopkins University told the Intercept.
“Tearing apart the products of US manufacturers and potentially putting back doors in software distributed by unknowing developers all seems to be going a bit beyond ‘targeting bad guys’. It may be a means to an end, but it’s a hell of a means.”
The exploits revealed by the Intercept are the latest in a long list of stories disclosing intelligence agency activities against Apple and its platforms. In January 2014, the Guardian disclosed a variety of exploits being used by the UK intelligence agency GCHQ and the NSA against mobile phones.
These included bids to extract personal information from data transmitted by apps including Angry Birds, as well as a range of capabilities to activate remotely the microphone on iPhones and Android devices – a project codenamed Nosey Smurf.
Guardian http://ow.ly/KfGB1
