The Central Intelligence Agency (CIA) has mounted an all-out offensive on Apple’s security, according to purportedly top-secret documents leaked to well-known whistleblower site, The Intercept. But some say the news simply describes run-of-the-mill security research.
The CIA has “conducted a multi-year, sustained effort to break the security of Apple’s iPhones and iPads,” according to the site. It alleges that further, the spy agency’s top researchers recently met at a secret annual gathering, called the “Jamboree,” to discuss the best tactics for hacking into consumer electronics and household gadgets.
Among other things, the documents say that security researchers have found a way to sneak surveillance backdoors into apps that were developed using Apple’s proprietary tool, Xcode. And, that they have been focused on evading Apple’s encryption, unbeknownst to the tech giant.
“By targeting essential security keys used to encrypt data stored on Apple’s devices, the researchers have sought to thwart the company’s attempts to provide mobile security to hundreds of millions of Apple customers across the globe,” The Intercept reported. “Studying both physical and non-invasive techniques, US government-sponsored research has been aimed at discovering ways to decrypt and ultimately penetrate Apple’s encrypted firmware. This could enable spies to plant malicious code on Apple devices and seek out potential vulnerabilities in other parts of the iPhone and iPad currently masked by encryption.”
And, the documents say that researchers have successfully modified Apple’s OS X updater, which pushes patches to millions of desktop and notebook systems, to install a keylogger.
Unsurprisingly, both the CIA and Apple declined to comment on The Intercept allegations. But Ken Westin, senior security analyst for Tripwire, said that the allegations (or “revelations” as the case may be) may not be as explosive as they seem on the surface.
“The story provided by The Intercept unfortunately does not tell us a whole lot that most security researchers did not already know or assume,” he said, in a blog. “The one document that The Intercept provides only reveals the existence of a CIA-sponsored event where security researchers met to discuss methods and techniques to compromise Trusted Computing systems.”
He pointed out that there’s no evidence of actual successful compromise or active exploits.
“There have been a number of similar programs, such as the NSA’s Dropout Jeep, where the goal was to find ways to compromise devices,” he said. “I think it is a bit naïve to think that these types of programs don’t exist either by the US government or other government agencies for that matter.”
He added, “The question arises however if vulnerabilities were discovered that were not disclosed to Apple or other companies whose systems were potentially exploited, this is where the definition of security research and high tech espionage diverge.”