Tuesday, March 10, 2015

No, the CIA isn't stealing Apple's secrets

The Intercept news site by Glenn Greenwald is activism rather than journalism. Their stories don't reference experts knowledgeable about subjects, but only activists who are concerned about the subjects. This was demonstrated yet again in their piece claiming "The CIA Campaign to Steal Apple's Secrets". Yes, the Snowden documents are real, but pretty much everything else is made up.

Here's the deal. Terrorist leaders use iPhones. They are a status symbol, and status symbols are important to leaders. Moreover, since Apple's security is actually pretty good, terrorists use the phones for good reason (most Android devices suck at security, even the Blackphone). Getting software onto terrorists' phones, or basebands, is an important goal of intelligence.

When CIA drones bomb a terrorist compound, iPhones will be found among the bodies. Or, when a terrorist suspect is coming out of a dance club in Karachi, a CIA agent may punch them in the face and run away with their phone. However it happens, the CIA gets phones and wants to decrypt them.

Back in 2011 when this conference happened, the process of decrypting retrieved iPhones was time consuming (months), destructive, and didn't always work. The context of the presentation wasn't that they wanted to secretly spy on everyone's phones. The context was that they wanted to decrypt the phones they were getting.

Yes, they want to get into specific iPhones. But they aren't succeeding in subverting the entire system as the Intercept story implies.

The Intercept's article quotes Chris Soghoian, a technologist from the ACLU, saying "If I were Tim Cook, I'd be furious". Soghoian doesn't know what he's talking about -- if anything, the reverse is true. If Tim Cook cares at all, it's glee over the CIA's difficulties, because Apple is winning the fight. Apple made it prohibitively expensive to reverse engineer secrets back with the iPhone 4, except in the direst of circumstances (like picking up phones from Bin Laden's compound). They've likely made it completely impossible with the iPhone 6. When the CIA comes for me, I doubt they will be able to lift any information from my iPhone.

The Intercept doesn't quote people who actually know what they are talking about. As I repeat over and over, for every Snowden document, there's some expert who has presented on that topic at BlackHat, DefCon, or a similar hacking/cybersec conference. There's no excuse for writing a story on these topics and quoting only activists like Soghoian rather than technical experts from these conferences. For example, a quick search for "BlackHat reverse engineering chips" quickly led to this presentation.

I point this out because another subject of that Intercept article was trojaning XCode, the Apple development tool used to compile iOS apps. A quick search would have come up with a BlackHat presentation by Errata Security's own David Maynor, where he trojaned Microsoft's compiler, GCC, and a lesser known compiler called LCC. There's no excuse for writing this story without reaching out to Maynor, or even Ken Thompson, the co-creator of C/Unix whose work inspired compiler-trojaning.

Again with compilers, there's context that is carefully hidden by the Intercept story. The CIA isn't modifying the XCode that everyone uses; that would be impossible. They aren't trojaning the version Apple ships to developers. If you have XCode installed, no, you don't have to worry about the CIA. Nor is the CIA trying to sneak something into a popular app like Angry Birds. Instead, their goal is to target the hundred users of a hawala money transfer app used almost exclusively by legitimate targets. The idea is a black bag operation to break into the apartment of the teenager who wrote the app in order to backdoor his/her XCode, so that all users can be identified.

I mention this because when real journalists pick up the story, they give The Intercept credit as if they were real journalists who did their job reporting on the issue. That's improper. These journalists should either do their own reporting based on the raw documents themselves, find independent sources to analyze the data, or just report "activists are yet again upset over CIA/NSA activities", and leave out their manufactured message.

Update: Here is a better description of the technology:


Sergio Arcos said...

"Moreover, since Apple's security is actually pretty good, terrorists use the phones for good reason (most Android devices suck at security, even the Blackphone)."

You must be kidding. Do you really think that a closed-source will be anytime better than an open-source? The difference is that you don't know the bugs inside Apple, but they do.

Mike said...

Sergio, seriously, get off the OSS cross. iOS is better because of architecture - code signing, signed memory pages etc. It's a more secure design. That's why jailbreaks can take months, even years to get done. As opposed to Android rooting, which can take hours to days to be released.

Nice try

dre said...

CIA or not, jailed iOS has been found by many pure-breed pentest boutiques to be insecure (everything reversible and patch-out candidates). You can Firewire Inception. You can use the official Apple USB Camera Lightning (or 30-pin) to official Apple USB to Ethernet and any MDM password recovery replay. You can acquire a C10C-serial Lightning. You can circumvent a variety of device authentications using a huge variety of methods. You can live patch hardware onto hardware and read off the SoC or any traces with a BusPirate. I could dizzy-0.8.2 my Fancedancer all over that USB. With an improved version of Masque and CydiaSubstrate on jailed iOS, I really don't think there isn't anything you can't do against the iOS platform. Doesn't Elcomsoft support all devices, all iOS flavors/versions? Yes.

@fowlslegs said...

You're right, "the CIA trying to sneak something into a popular app like Angry Birds." The NSA already did that for them http://www.theguardian.com/world/2014/jan/27/nsa-gchq-smartphone-app-angry-birds-personal-data .

Don Melón said...

So what you're saying is: what the CIA does is okay because "Terrorist leaders actually use iPhones" and the Intercept didn't ask you for experts' opinions?

Yes, it's clearly _really_ bad of the Intercept to not get technical details right. That's actually a pretty legitimate criticism that could be expanded to their older articles as well.

But to fall back, as a conclusion, on a black/white argument where you completely adopt the CIA/NSA-speak about "we are only targeting terrorists" is _really_ bad of you. Weakening security systems everyone uses only to target a fraction of their userbase is bad - that's the point we have to insist on.

If the agencies are by law not allowed to talk about their operations, clearly saying "they target only terrorists" is a lie by definition, or they would break said law. What, say, prevents In-Q-Tel from feeding the borked XCode into "the next Facebook" (whatever that may look like)?

Unknown said...

I'm surprised that Don Melon's comment hasn't been deleted by now.

Brian Hysell said...

Microsoft's compiler, GCC