Snowden docs show CIA's attempts to defeat Apple device security

A secret CIA-sponsored conference reportedly hosted talks on stealing encryption keys from Apple devices and infecting them with malware

Researchers sponsored by the U.S. government have reportedly tried to defeat the encryption and security of Apple devices for years.

Several presentations given between 2010 and 2012 at a conference sponsored by the U.S. Central Intelligence Agency described attempts to decrypt the firmware in Apple mobile devices or to backdoor Mac OS X and iOS applications by poisoning developer tools.

Abstracts of the secret presentations were among the documents leaked by former U.S. National Security Agency contractor Edward Snowden to journalists and were published Tuesday by The Intercept.

The U.S. intelligence community's interest in hacking Apple products goes as far back as 2010, when a researcher presented possible methods of implanting the iPhone 3GS with malware at an annual conference called the Trusted Computing Base Jamboree, which, according to The Intercept, is sponsored by the CIA's Information Operations Center. The presentation also covered ways to jailbreak the device.

Over the next couple of years, the same conference included more talks on ways to bypass the security of Apple devices. For example, in 2011 researchers presented a technique to "noninvasively" extract the cryptographic key that's used to encrypt the firmware of devices based on Apple's A4 processor, like the iPhone 4, the iPod Touch and the first generation iPad.

The key, which is called the Group ID (GID), is stored inside the physical chip. The researchers tried to recover it by studying the electromagnetic emissions that occur during Advanced Encryption Standard (AES) operations, a technique known as differential power analysis.

"If successful, it would enable decryption and analysis of the boot firmware for vulnerabilities, and development of associated exploits across entire A4-based product-line," they wrote in a description of their presentation.

It's not clear if the researchers ever succeeded in recovering the key, but their presentation covered the progress they had made until then.

A separate talk described methods of determining where the GID key was located on the A4 integrated circuit and how it could be recovered through an invasive technique like the "physical de-processing of the chip."

By the following year the A5 processor used in the iPhone 4S, iPad 2, iPod Touch fifth generation and the iPad mini was also being targeted. Researchers from Sandia National Laboratories, a Federally Funded Research and Development Center (FFRDC) operated by Lockheed Martin subsidiary Sandia Corporation, had a talk entitled "Apple A4/A5 Application Processors Analysis." The presentation had no abstract and attendees looking for more information about it were instead instructed to call or email a CIA official.

It wasn't just Apple's master encryption keys that the U.S. intelligence community was interested in, but also the individual keys used by private developers to sign their iOS or Mac OS X apps.

Researchers from Sandia Labs gave a talk about their efforts to create a modified, or "whacked," version of Xcode, the free tool that developers use to create software for Apple devices. The poisoned version of Xcode could insert a backdoor into any application created with it, could hide the confirmation prompts shown when a developer's private key was exported, and could embed a developer's key into all iOS apps created with the tool, from where it could later be extracted.

"We also describe how we modified both the Mac OS X updater to install an extra kernel extension (a keylogger) and the Xcode installer to include our SDK [software development kit] whacks," the researchers wrote in their talk's description.
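One defensive check that follows from the Xcode tampering described above is to scan a built app bundle for signing-key material that should never ship inside it. The script below is an added example, not code from the article or from Sandia; it constructs a sample Demo.app directory (with assumed file names and contents) and flags PEM private-key headers and key-container files.

```python
import os
import re
import tempfile

# PEM headers that mean a private key was shipped inside the bundle.
PEM_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
# File types that are key containers regardless of their content.
KEY_EXTS = {".p12", ".pfx", ".key", ".pem"}


def scan_bundle(root):
    """Return a sorted list of (relative path, reason) for every suspicious file."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in KEY_EXTS:
                findings.append((rel, "key container extension " + ext))
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            match = PEM_KEY.search(data)
            if match:
                findings.append((rel, match.group(0).decode()))
    return sorted(findings)


def build_sample_bundle():
    """Constructed Demo.app: clean plist and profile, a leaky binary, a stray .p12."""
    root = tempfile.mkdtemp(prefix="Demo.app-")
    files = {
        "Info.plist": b"<plist><dict><key>CFBundleIdentifier</key>"
                      b"<string>com.example.demo</string></dict></plist>",
        # Provisioning profiles legitimately carry certificates, never keys.
        "embedded.mobileprovision": b"-----BEGIN CERTIFICATE-----\nMIIB...\n"
                                    b"-----END CERTIFICATE-----",
        # Simulated Mach-O with a PEM key appended by a tampered toolchain.
        "Demo": b"\xcf\xfa\xed\xfe" + b"\x00" * 32
                + b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----",
        "Frameworks/dev.p12": b"\x30\x82\x00\x10",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, reason in scan_bundle(build_sample_bundle()):
        print(f"{rel}: {reason}")
```

Point the scanner at a real .app directory from a CI build to catch a key that a modified toolchain has copied into the product.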

The FBI and U.S. intelligence agencies have voiced concern over the past year that the increasing adoption of default encryption on mobile devices and in Internet communications makes lawful electronic surveillance impossible. They call this the Going Dark problem.

Such agencies would like to see an approach where companies could offer encryption, but also be able to comply with government requests for data. Many security experts and privacy advocates believe this would involve building backdoors into encryption implementations that could also be exploited by hackers.

"I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services," Apple CEO Tim Cook wrote in an open letter in September. "We have also never allowed access to our servers. And we never will."

Stories by Lucian Constantin