No surprise: The NSA can hack iPhones

Summary: Nobody should find it surprising that the NSA can hack into iPhones and there's no reason to assume Apple is helping them.


As we and everyone else are reporting, the latest poop on the NSA is that they claim to be able to hack into iPhones.


Go back through Apple's log of security updates to their products, including iOS: there have always been many severe vulnerabilities. The general assumption out there is that nobody's exploiting them, but the other possibility is that they are being exploited, but only very rarely in targeted attacks. The NSA would be exactly the sort of agency to do that.

Even since iOS 7 was released, vulnerabilities have been patched which could allow full compromise without the knowledge of the user. Usually you need two vulnerabilities to accomplish this: an arbitrary code execution vulnerability to gain control, and a privilege escalation vulnerability to gain admin or root privileges. Once you have both, you can install whatever software you want.

This, incidentally, is how jailbreaking works. Every jailbreak is based on at least one security flaw in iOS. We know these work, so we know that what the NSA claims is perfectly possible.

iOS 7.0.1 fixed many security vulnerabilities, including both code execution and privilege escalation, and there have been many others in the past. It only stands to reason that researchers (and their customers, including the NSA) have access to vulnerabilities which have not yet been disclosed to Apple or patched.

Of course none of this is verifiable by us ordinary civilians, but for me the NSA's apparent claim of a 100% success rate in installing malware is a bit fishy. Unless they have an over-the-air, network-based exploit, something which executes automatically, then they still have to socially-engineer the user some. Good, targeted social engineering (sometimes a.k.a. "spear phishing") can get very good results, but 100%? I don't think so. And I very much doubt that they have an auto-executing, over-the-air compromise of iOS; someone else would have found it by now.

So don't assume that Apple must be cooperating. I would assume the contrary. It would be very much against their interests to cooperate. Remember that any super-backdoor built into the OS could be used by anyone who finds it. Not all of them are the good guys, like the NSA ;)

Topics: Security, Apple, Government US, iPhone, iPad

  • 100% is possible

    There is one piece of malware that idevices all connect to. Sneak your payload onto the iTunes client and you have them all.
    • Not without Apple

      The iTunes client in iOS is part of the OS. To do it you'd need to have Apple's cooperation. If you have Apple's cooperation there's no need to involve the iTunes client.
      • To be correct, actual document Snowden revealed tells that NSA has to ...

        ... PHYSICALLY have the iPhone to install spyware on it. It is not a remote thing.
        • no, it doesn't say that

          it says it needs "close access" which could still mean RF. But in any case the same document, dated 2007, says that they will make a fully remote version in the future and obviously they would have by now. It's actually not that hard to do.
          • You are confused.

            You are confusing current capabilities to targeted future capabilities.
          • No, I'm speaking of both

            The original capabilities (2007) required "close access" (whatever that means, either tether or Bluetooth or Wifi) and they said they would have a complete remote solution in a future version. They probably had it by 2008 because it's not that hard. There have been scores of disclosed vulnerabilities in Safari and iOS that could be used for a complete remote compromise. That's how jailbreaks work.
          • And you are talking iOS 1.0.

            How freaking relevant is that given the tetherless jailbreak with a web page has been closed for many many years? Again, the presentation used "close access" to capabilities that WILL be available not what IS available. These are different things.

            This is simply bad reporting on a scale that is monumental.
          • The iPhone door is open to the NSA

            Seltzer is talking about possibilities. And the vectors are certainly available to give the NSA access to iOS7.

            You would have to assume that the NSA is using these pathways. If the possibility is there, the NSA will use it. They are a determined bunch, and when they want something they will get it.

            Anyone designing a new phone platform would find a new market if they can design a platform with more robust anti-NSA security built in. Especially for the camera and microphone.

            Is this how the NSA bugs world leaders?
          • Huh?

            iOS7 has an untethered jailbreak right now.
          • Let's take a look at top crimes of Apple in 2013

            They will never tell this to followers of Cult but here are some of the worst:

            - The Environmental & Social Horrors of Mining for its Supply Chain
            - Income Inequality & Gentrification
            - Tax Dodging
            - iBeacon is Watching You
            - Fueling the “Apple Picking” Phenomenon
            - Sucking Los Angeles Schools Dry to the Tune of $1 Billion
            - Ongoing Labor Abuses in China

        • Right

          The guys at blackhat can do it but, not the government.
    • Oh?

      What about the iPhones that are activated that do NOT use an iTunes client on a PC or Mac? Yeah, iPhones have been able to be used and activated without physically connecting to a PC or Mac for years now. Oh, wait, did I just disprove your FUD with a basic fact that is easily found? Whoops.
  • Bullsh*t article because of Larry Seltzer's lack of details

    Other persons and articles have reported that these NSA hacks need physical access to the iPhone in question before the iPhone is compromised.

    In that regard, these Seltzer's revelations amount to little more than a standard wired jailbreak exploit.

    However, to be entirely truthful, other reports that I have read indicate that the NSA is working on iPhone exploits that do not require direct physical access to an iPhone beforehand.

    The NSA may, and probably has, untethered iPhone attack capabilities but Larry didn't indicate that or imply that in this blog.

    He simply said it was no surprise that the iPhone has been 100 percent compromised by the NSA. The devil is in the details, Larry.
    • And he forgot to mention this is for iOS 1.0

      or perhaps iOS 2.0 but, more than likely, iOS 1.0.
    • It's almost a 7 year old document

      Yes, the NSA document cited says "The initial release of DROPOUTJEEP will focus on installing the implant via close access methods. A remote installation capability will be pursued for a future release." If they were actually doing this don't you think they would have accomplished over-the-air infection by now? It's not hard to see how they would do it.
      My point in the column is that it's not hard to see how they would do all these things and that they don't need Apple's cooperation to do them. So what's the point of your comment?
      • Bluetooth, Wifi...

        BTW, when the NSA says "close access methods" it may mean physical access or it may mean other things like Bluetooth or Wifi.
      • Goals VS capability.

        Separate the two.

        From a journalistic standpoint, this article borders on outright lies.
        • Wow

          You really are in deep aren't you?

          Do you really think the NSA cannot own your iPhone if they want to?

          I have news for you, our government owned the Nuke Plants in Iran from thousands of miles away! I think that's a little more complicated than breaking into an iPhone.
          • The virus that was implanted in Iran required physical access to

            Computers inside that uranium enrichment facility in order to compromise the security of those systems. Most likely the delivery of that virus was accomplished using a USB flash drive or a USB modified cable connection. From speculation I've read online, the virus was not remotely delivered to those computer systems.
          • It did not!

            In fact, it actually leaked into the wild and was found elsewhere without physical access to those units either.