Apple's iOS blocks gov't spying efforts, Gamma's FinSpy useless against iPhone

Apple's iOS blocks gov't spying efforts, Gamma's FinSpy useless against iPhone

Summary: Apple's iPhones are the bane of Gamma Groups' existence, according to leaked documents which say the devices are near impossible to spy upon -- unless jailbroken.

SHARE:
57
Screen Shot 2014-08-12 at 12.37.44

While Android phones are constantly targeted by cybercriminals, the iPhone is considered more secure. Now, leaked documents from one of the world's leading surveillance companies have reaffirmed the idea.

As spotted by the Washington Post, a leaked document from Gamma Group, a secretive seller of surveillance tools, emerged on the Internet last week. Hosted on Netzpolitik, the document (.PDF) reveals interesting information concerning Gamma Groups' extensive range of surveillance tools, but in particular, notes that the iPhone is notoriously difficult to infiltrate -- the only exception being when a user has jailbroken their device.

A particular piece of software is called FinSpy. According to Gamma Groups' FinSpy software specifications hosted by Wikileaks, the spyware can be used to monitor Skype conversations, take screenshots and photos using a device's camera, record microphone use, emails, voice-over-IP and extract files from hard discs. FinSpy can be controlled remotely as soon as the compromised device is connected to the Internet.

Screen Shot 2014-08-12 at 13.14.02
Source: Wikileaks

According to the latest Gamma Group document leak, while FinSpy has the capabilities to infiltrate Android, Blackberry, and older Microsoft handsets, iPhones are out of reach unless the device's core security protocols have changed through jailbreaking.

Dated April 2014, the document states that the spyware "is designed to help law enforcement and intelligence agencies to remotely monitor mobile phones and tablet devices," and get full access to calls, SMS, MMS, address books and make silent calls to remotely listen to microphones. If a user of FinSpy wishes to infiltrate a phone, the support details are as below:

Screen Shot 2014-08-12 at 13.20.49

An iPhone user can jailbreak their device using a number of free tools, and by doing so, they gain root access which the iOS operating system does not allow by default. Doing so allows for unsigned apps to run and heavy customisation of the OS -- something Android allows as an open-source, free ecosystem -- but if unsigned code is permitted to run, then this provides a channel for tools such as FinSpy to enter.

Last year, researchers from The Citizen Lab said the spyware had been discovered in use by 25 countries, including being linked to the monitoring of dissidents in Bahrain. While developed by Gamma Group in Munich, Germany and sold through a UK subsidiary as a law enforcement tool, it is also believed to be used to target opposition groups and activists by governments worldwide.

Topics: Security, Apple, iOS, iPhone, Mobility

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

57 comments
Log in or register to join the discussion
  • There are no impregnable O/S's

    One quick look into black hat activities over the years and especially in recent times will show that every operating system can and has been compromised. And, the only difference between black and white hats in our government is one of purpose and design.

    Remember when many thought IOS free from attacks and believed they didn't require virus protection?....

    Any O/S can be infiltrated and hacked. Obviously some O/S's are easier to attack than others, and less sophisticated criminals will always shoot for the least protected door. When the attack is of a sophisticated nature, we are all susceptible and must use common sense means and strategies to avoid becoming a victim. The marketing hype of virus resilient operating systems belong to bygone years.

    Just as IOS can be degraded and made more prone to attacks, so can Android be bolstered to be more secure. We cannot lay back on our laurels expecting someone else to protect our devices. We must adopt better practices.
    skypilota72
    • Using your logic,

      a paper cut is comparable to the Ebola virus, as they can both be labelled 'health issues'.

      The fact remains that, when it comes to security, Android isn't even in the same ballpark as iOS and won't be anytime soon.
      Englishmole
      • Freedom vs. security...

        As the famous quote from Benjamin Franklin goes, 'Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

        To each his own. Many Android users prefer the freedom they enjoy on that OS and to take care of their own security and virus protection. It's not really so hard anyway: don't be stupid; use a secure browser; don't download or install things which you aren't 100% sure of. But it's your choice to follow these guidelines or not.
        moonspeak
        • This is why China and other governments

          Have banned iPhones from their personnel.

          IPhones are so secure that they are not allowed.
          Uralbas
          • Marketing! Marketing! Marketing!

            Totally agree with you.

            This is only a marketing strategy. If not how can they sell their phones!

            Where are the proofs about the code changes?
            How can you check it in these millions of code lines?

            So spare me this kind of music!
            info@...
      • Elaboration on his logic...

        And I believe skypilota72's logic was not to liken the security risks or lessen the gap between the systems, but to point out that no one should feel safe because their system is 'more' secure than others. A good hacker (such as those working for the government) can hack into anything.

        Who knows... maybe this leak is a government conspiracy to make iPhone users feel a false sense of security? #tinfoilhat
        moonspeak
      • skypilota72 is correct.

        Having spent a bit of time working in a government cyber-intelligence facility his statement is utterly correct. There is no security advantage in any single OS as compared to any other when it comes to the government "spying" on users of technology. Brand-new devices are almost invariably accessible prior to launch. Nothing will get attention faster than an unreadable message as that is an instant indicator that the sender and receiver are using custom encryption with the underlying software written on their own. Generally you will find this in al-Queda, and other more sophisticated organizations. That content is routed to a lab that specializes in decryption the "old-fashioned" way.

        Englishmole is trying to equate commercial grade security superiority while the article is specifically addressing protection from government "ears".

        As to the content of the article itself. FinSpy is more of a COTS program and while not in the general public eye is still NOT an application the truly major players in international intelligence would be reliant on. And when it comes to security of an OS did you miss the obvious inference of the very last entry. If this is truly a concern then buy a Windows Phone 8 or higher and you would be considered even more secure than ANY model of Android or iOS device. Article is nothing more than click bait and it worked as intended.
        The Heretic
        • There is an inference, but it may not be on you like

          It reads more as "we can't really be bothered" than any sort of wonderful security that stymied them.
          Mac_PC_FenceSitter
          • Windows Phone 8 *does* have stronger security

            Notice how it has never been jailbroken? It has the same secure boot as Windows 8 on PCs, except that there is no option in the phone's BIOS to disable it. Not saying it's impregnable forever, but it does have stronger basic security than the others currently do. I believe future Android versions will get something similar when some of Samsung Knox technology will be rolled into the base platform.
            CageySee
        • Re: skypilota72 is correct.

          "Nothing will get attention faster than an unreadable message as that is an instant indicator that the sender and receiver are using custom encryption..” — The Heretic

          Golly. Since you’ve worked in the field, I guess we can conclude that "government cyber-intelligence” hasn’t heard of steganography!
          Slurry
        • Fear the cloud

          Yeah, my understanding is , from the snowden leaks, something called "Dropjeep" is what the NSA et al where using. However theres an interesting point here, and I want to address what someone else pointed out about the chinese govts iPhone anxiety.

          Whilst there is no such thing as "impregnable" , some systems are genuinely hard to break into. The old VMS operating system was notoriously hard to get into and I'm not sure a functioning root for it ever existed. The iPhone is not one of those systems. It is however "pretty hard" and its entirely plausible that without jailbreaking the system even the spooks havent fully found a way to easily root them.

          The chinese govt isn't really worried about that. On a fundamental level androids are worse for that sort of thing. What the chinese govt doesn't like is iCloud. Having a readily available database of millions of people, who their contacts are (address book sync!), what they are up to (calendar sync), and myriad other personal details is an intelligence goldmine. iCloud security and iPhone security are not the same thing. You could have a 100% secure phone, but if the govt has a warrant on your cloud theres nothing you can do, even though apple appears to be hostile to govt screwing with their customers, the court is the court and what they say is for all purposes the voice of god.

          The same of course applies to googles services, but what the chinese want is chinese made droid or tizen phones that use CHINESE cloud services so the americans cant spy on them.

          And thats the crux of it. Forget your phone, fear the cloud. illegal spying via finfisher etc can be contained by a concerted effort of hackers and security researchers. Protecting from cloud threats however is the responsibility of the consumer.
          shayne.oneill
      • Trust me

        You're not doing anything interesting enough for anyone to care.
        johnafish
      • I'd argue with that.

        My HTC M8 has been rooted so I could install Adaway, turns out it couldn't be installed anyway because the HTC doesn't allow read/write to the system partition, even from root.. The only way to access it was to flash it from recovery and good luck convincing someone to do that to install spyware. Phones like the M8 also have SELINUX turned on and not in permissive mode, which means that access to file types is limited to the files that a particular service should be able to access and no more. I'd argue that once that stuff gets more main stream as phones age, things are going to get much harder on the Android side of things.
        frankieh
    • That's ONE tool

      ...and one approach among many that could be used by a government, a hacker or whoever wants to gain access to someone's information, legally or illegally (and remember that "legally" is also relative - for example, in Iran it is perfectly legal to stone "adulterous" women to death, and "adulterous" may mean just being seen in the company of a man that's not her husband). There are other pieces of software for which the picture may be different, and they may not be commercial products like this one, but in-house developments by government agencies or criminal organizations. There can be hardware backdoors (though if they exist, Apple will deny it to death, of course) and there are also techniques of spying that don't rely on compromising the device, but rather on signals listening or access at the carrier, for example. So, jumping to the conclusion that iOS is inherently more secure because one specific product can't hack it under normal circumstances is totally misleading.
      goyta
      • Re: That's ONE tool

        "There can be hardware backdoors (though if they exist, Apple will deny it to death, of course) and there are also techniques of spying that don't rely on compromising the device, but rather on signals listening or access at the carrier, for example.”

        There *could* also be hardware backdoors in Android and Windows phones "though if they exist, [Android/Microsoft] will deny it to death, of course”

        There *could* also be "techniques of spying that don't rely on compromising the device, but rather on signals listening or access at the carrier,” but these would be system agnostic and would apply equally to Apple, Android and Microsoft phones.

        “..jumping to the conclusion that iOS is inherently more secure because one specific product can't hack it .. is totally misleading.”

        No, it’s not *totally* misleading. From your arguments, we can still conclude that - all things being equal (carrier, ISP, etc.) - the Apple iPhone is more secure than the listed competitors.
        Slurry
    • skypilota72

      Very well said and agree 100%; especially the end of your comment.
      Cicuta2011
    • Only an Idiot

      Only an idiot expects any security when using any network. If you are involved in criminal or "terrorist" activities, you must assume that any conversation held on or in the presence of a cell phone, tablet, etc is subject to eavesdropping, as is your landline. If you have anything with GPS, it is signaling your location at all times through your cellular connection....... every phone, and many tablets. Unless your phone is turned off, your location data is recorded, and unless the device it is turned off, the microphone or camera can be activated remotely. It may even be advisable to pull the battery out. You had also better expect that your driver's license will soon incorporate and RFID chip, as will your credit cards, and already your passport. That means that when you walk into Walmart, Whole Foods, Sears, MacDonalds, any convenience store or gas station, etc, there will be a record that you were there and when you were there. Soon there will be sensors everywhere, and your only protection will be to carry everything in a lead lined case, or Faraday cage. License plates are being imaged in the UK, and increasingly in the US, and cameras are everywhere. Even the clothes you wear often have RFID chips, that supposedly are neutralized when you buy them. Each has a unique ID. They want genetic material on every human being....... the excuse being that it makes it possible to identify stolen children....... do you believe it? It is about as believable as the song and dance about cell phone GPS being for 911 location use ONLY.
      There is no privacy, and no security, and almost any group you are associated with may be considered "subversive". Are you a Mason? How about a member of the Moose Club or Odd Fellows? Sierra Club, NAACP, or Audobon Society? Are you a Democrat? Republican?

      Imagine saying something "politically incorrect"........... Use the word "nigger" for example, and being prosecuted or persecuted for it because an NSA dragnet picked the word up and labeled you a racist!!

      H.W.
      **owly**
  • Yea, okay

    If that doesn't scream viral marketing I don't know what does.
    Buster Friendly
    • My exact first impression

      A "super secret" surveillance technology seller just happens to "leak" a report with two interesting findings:

      1. iOS is so much more difficult to hack
      2. jailbreaking makes it easier to hack

      Convenient, no? Buy an iPhone and never never jailbreak it and you'll be safe as a newborn babe from the clutches of Big Brother. Lots of luck with that.
      josephmartins
      • Safe

        Nothing is completely safe. If you don't maintain good physical security over your iPhone, then it could be jailbroken, and the app loaded on it, without you seeing any change, or doing it wouldn't make sense. Keep it under your control at all times, and it will be much more secure. Of course nothing is perfect.
        rphunter1242