The CIA wants to hack your iPhone — but it may be failing in its attempts to do so.
The Intercept, an online magazine, said yesterday (March 10) that the Central Intelligence Agency had targeted the firmware that runs on iPhones and iPads, as well as the software tool with which developers write iOS apps.
Documents provided by former CIA staffer Edward Snowden revealed that the agency has hosted annual "jamborees," secret hacker conferences at which researchers from the CIA, the National Security Agency (NSA) and associated private companies brainstormed and presented the latest cyberespionage tactics.
Despite this group effort, the gist of the Snowden documents posted by The Intercept seems to be that government intelligence agencies have had a lot of trouble cracking iPhone security, and might not be much better at it than anyone else.
"It sounds like the CIA and NSA wait for jailbreaks from the [amateur iPhone hacking] community," Chester Wisniewski, a senior security researcher at the antivirus firm Sophos, told Tom's Guide.
Softening Up the Firmware
CIA researchers tried several methods of attacking iPhone software. The two most promising ones targeted the central processing units (CPUs) of iPhones and iPads, as well as Xcode, the development tool used to create iOS applications.
Each model of CPU that Apple designs is assigned a group ID, or GID, that is used to encrypt the firmware, the low-level software that handles the most basic processes of each device.
A GID is shared by all devices with the same processor. For example, every device that has an A4 chip, whether it's an iPhone, an iPad, an iPod Touch or an Apple TV, will have the same GID. The GID is different from the User ID (UID), which is unique to a single device and is used to encrypt the device user's email and other personal data.
Apple designed its software with this double level of encryption to make sure the user data and the firmware weren't vulnerable to the same attacks, Wisniewski said.
"Whatever you can say about Apple, when they find a problem, they really get into the root cause," Wisniewski said.
The Snowden documents showed that several avenues of attack were to determine a CPU line's GID. One was a "side-channel" attack that analyzed the electromagnetic signals given off by a processor as it encrypted and decrypted information. Another involved physically removing the information from the chip, which Wisniewski said would mean taking apart a processor.
Halfway to Malware
However, discovering the GID does not let you install bogus firmware on an Apple device. You would need to also crack or steal Apple's digital signature, which is a secret private key for the RSA encryption algorithm.
"The reason why the CIA and everybody else is after the GID key is simply because it allows decrypting firmware for reversing purposes," Stefan Esser, a security researcher at SektionEins, a Cologne, Germany-based company, tweeted yesterday. "It does not allow you to pretend to be Apple. For that, you need to break RSA."
"Reversing" translates the binary data of Apple's firmware into legible code that researchers can analyze and modify. That can help decrypt data on an individual device — but is also the first step in creating malicious firmware to be deployed on multiple devices.
The attempt to get into the firmware shows that the CIA may have been looking at bulk data collection, not just tracking individuals, Wisniewski said.
"If you care about following the law, the UID is all you care about," he said.
"The UID key is what you'd want to get if you made an arrest and were looking to scrape data off of a suspect's device," Jonathan Zdziarski, an expert on extracting data from iPhones, wrote on his blog yesterday. "[The CIA] is instead more interested in cooking their own low-level boot firmware to potentially deploy across an entire product line of devices."
Robert Graham, the CEO of Atlanta-based Errata Security, disagreed with that assessment, pointing out on his own blog that the CIA is probably most interested in obtaining information from iPhones seized in counterterrorist operations.
"The context of the [GID] presentation wasn't that they wanted to secretly spy on everyone's phones," Graham wrote. "The context was that they wanted to decrypt the phones they were getting."
Like Wisniewski, Zdziarski doesn't think the research was successful.
"This," he wrote, "was a speculative talk, only citing ongoing research, and not an actual deliverable ready to be put into operation."
Tilting at Straw Horses
There may be another way to get spying tools onto lots of iPhones — modifying the development kits used to create iPhone apps.
If the kits could be altered to secretly insert spyware or "backdoors" into apps, then developers might unwittingly spread that malicious software to thousands or millions of Apple devices. Just such a project, code-named Strawhorse, was presented at one of the CIA jamborees by Sandia Labs, a government-owned but privately managed research organization.
Strawhorse aimed to corrupt Xcode, a free tool that many Apple developers use, to insert spyware onto an iOS device — perhaps a program that pulled personal data, emails or photos.
However, the project may not have been successful. One problem, The Intercept noted, lay in the difficulty in persuading developers to use a "whacked" version of Xcode. Any indication that Xcode was compromised would drive programmers to use something else.
"Based on the wording of the document, this was still in the middle stages of development," Zdziarski wrote. "An injection mechanism (the complicated part) does not appear to have been developed yet, as there was no mention of it."
No Joy for the Spies
All this sounds ominous, and it is.
"The implications of this are very serious," Zdziarski wrote. "We are talking about violating Apple's core mechanism for trusting binary code from developers."
But Wisniewski said that from reading the Snowden documents, it isn't clear that the CIA successfully cracked the iPhones. The fact that the researchers were exploring difficult methods such as side-channel attacks and physically attacking the chips may mean that they failed, and is a credit to the company that made the software.
"Someone [at Apple] did something right," Wisniewski said.
It's also possible, he said, that this shows restraint on the part of the CIA, which could have instead stolen the GIDs directly from Apple's corporate network.
"Maybe they were told to not hack American companies," Wisniewski said. "You can bet if it were [Chinese technology giant] Huawei, they'd try it."
The documents given to The Intercept by Snowden are all years old; the "jamborees" cited were held from 2006 to 2011. Apple engineers are now going to be looking for vulnerabilities, just in case the CIA has made any progress.
"I'd really hate to be a software developer at Apple right now," Wisniewski said. "They're going to have to work extra hard."
- Can the NSA Remotely Turn On Mobile Phones?
- 13 Security and Privacy Tips for the Truly Paranoid
- How Jailbreaking Puts Your iPhone at Risk