CIA spends years trying to break Apple security

Security researchers working for the CIA have been poking holes in Apple security as part of a multi-year campaign.
Written by Charlie Osborne, Contributing Writer
CIA researchers are targeting security keys used to encrypt data stored on Apple devices in order to break the system.

Documents obtained by The Intercept reveal the security researchers' work, presented at an annual gathering called the "Jamboree" at a Lockheed Martin facility in northern Virginia. Attendees of the CIA-sponsored, secretive event -- which has run for nearly a decade -- discuss the exploitation of vulnerabilities and flaws found in commercial electronics, such as Apple's iPhone and iPad product ranges.

Details of the event were provided by Edward Snowden to The Intercept. Presentations exploring exploits are hosted at the event, which is also attended by representatives of the US National Security Agency (NSA).

The publication says "essential security keys" related to data encryption on Apple devices have become a major target of the research team. Overall, the security researchers are seeking ways to decrypt this data, as well as penetrate Apple's firmware, using both "physical" and "non-invasive" techniques.

The idea of tunneling into an Apple device and potentially injecting malware into an iPad or iPhone might not be far from reality. The security researchers claimed they have managed to create a custom version of Apple's software development tool, Xcode. If true, the tool could act as a pathway to injecting malware and creating surveillance backdoors into iOS apps if programs are unwittingly created using the CIA's version of the free software.

The original version of Xcode, based on Swift, is used to create apps, storyboards, dynamic frameworks and games, among other software. Apps created through Xcode can be submitted to Apple's App Store.

However, the modified version could "force all iOS applications to send embedded data to a listening post," according to The Intercept. In addition, the custom version could be used to spy on users, steal passwords and account information, intercept communications, and disable core security features on devices.

The security researchers also said at the event that they had been successful in modifying the OS X update system in order to install keylogging software.

While the documents do not reveal how successful targeting Apple has been, or how the exploits could be used by US intelligence agencies, the efforts of the researchers do highlight how far government agencies are willing to go in the quest for intelligence gathering and surveillance.

Tech giants including Apple and Google have long resisted government pressure to offer backdoors or lower the security standards of their products. Both companies, for example, have pledged to include encryption on their devices by default -- handing over the keys of the kingdom to the consumer instead of hosting the keys themselves. Therefore, even if a court order demands that Apple or Google hand over customer communications data, they are unable to physically do so.

However, in Google's case, the company has reversed the decision -- leaving it up to device makers due to "performance issues" on older devices.

In October last year, FBI Director James Comey said mobile encryption could "lead us to a very dark place." The director said that the sway of public opinion towards encryption -- now provided by more companies in a post-Snowden era -- could have dire consequences for intelligence gathering and national security.

Comey called encryption by default a "marketing pitch," which is no doubt the case, especially as Snowden's NSA revelations have reduced trust in companies to protect our privacy and information. However, whether clever marketing or not, it can be argued that encryption is becoming ever-more important as intelligence agencies have been shown to collect bulk data on the general public -- casting aside privacy in the quest for information.

Last week, CIA Director John Brennan announced one of the largest overhauls to the agency in memory. The intelligence agency is planning to create "mission centers" which bring together various disciplines and specialists to focus on intelligence gathering, as well as a host of new initiatives designed to propel the CIA through the "digital revolution." Brennan said changes to the CIA are necessary due to the constant evolution of technology and a need to prioritize intelligence gathering through modern tools.
