Fake iTunes updates demolish the idea that Apple iOS is secure

According to a report in the Wall Street Journal, the firm - Gamma International – claims it can send a fake iTunes update that can infect computers with surveillance software.

This is no proof-of-concept issue, Infosecurity notes, as Gamma reportedly makes this bold claim in one of its marketing videos.

Gamma, says the WSJ, is one of three companies marketing its skill at the kind of techniques usually used in black hat hacking.

“All of the hacking companies say they sell their tools to law enforcement and governments to help them track down criminals. People in this new industry say their tools are necessary because terrorists and criminals are communicating online and hiding behind encryption and other techniques”, notes the paper.

“Perhaps the most extensive marketing materials came from Gamma’s FinFisher  brand, which says it works by `sending fake software updates for popular software, from Apple, Adobe and others. The FinFisher documentation included brochures in several languages, as well as videos touting the tools”, adds the paper.

As you might expect, the existence of this technology has gone down badly with Apple, as well in other quarters – the WSJ quotes Eric King of Privacy International as being less than impressed.

“The use of this technology represents a huge encroachment on civil rights and could only be justified during the most serious national security investigations”, he told the paper.

Brian Krebs, a researcher with the Krebs on Security newswire, meanwhile, says that FinFisher is actually a remote spying trojan that is marketed to the governments of Egypt, Germany and other nations to permit surreptitious PC and mobile phone surveillance by law enforcement officials.

“But the WSJ series and other media coverage of the story have overlooked one small but crucial detail: A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet the company waited more than 1,200 days to fix the flaw”, says Krebs in his latest security posting.

The disclosure, he notes, raises questions about whether and when Apple knew about the trojan offering, and its timing in choosing to sew up the security hole in this ubiquitous software title.

Krebs claims he first wrote about this vulnerability for The Washington Post in July 2008 - after interviewing Argentinean security researcher Francisco Amato about Evilgrade, a devious new penetration-testing tool he had developed.

“The toolkit was designed to let anyone send out bogus automatic update alerts to users of software titles that don’t sign their updates”, he said, adding that Evilgrade tapped a flaw in the updater mechanism for iTunes that could be exploited on Windows systems.

What’s Hot on Infosecurity Magazine?