How the CIA, FBI, and NSA Are Attacking Your iPhone

Photo by Justin Sullivan/Getty Images

Researchers working for the Central Intelligence Agency (CIA) have worked for years to break the hardware encryption of Apple’s iOS devices, according to The Intercept, citing documents obtained from National Security Agency (NSA) whistleblower Edward Snowden. The researchers attempted to break the security of iPhones and iPads, and to some degree likely succeeded, and presented their latest tactics and achievements at an annual gathering called the “Jamboree,” where security researchers discussed strategies for exploiting security flaws in both household and commercial electronics.

The report draws upon top-secret documents obtained by The Intercept, and explains that the CIA-sponsored conferences began nearly a decade ago, with the first taking place the year before Apple unveiled the first iPhone. The Intercept reports that researchers have targeted the security keys used to encrypt the data that millions of Apple customers store on their devices, investigating both tactics that require physical access to the device and remote strategies. Decrypting and penetrating the encrypted firmware could enable researchers to plant malicious code on Apple devices or to seek out vulnerabilities in other parts of the iPhone and iPad. The researchers have also created a modified version of Xcode — software used by thousands of developers to create apps sold through the App Store — which could plant surveillance backdoors into apps or programs, enabling spies to steal passwords or messages, or force all apps to send data to a “listening post.”

Matthew Green, a cryptography expert at Johns Hopkins University, told The Intercept, “Every other manufacturer looks to Apple. If the CIA can undermine Apple’s systems, it’s likely they’ll be able to deploy the same capabilities against everyone else.” He added, “Apple led the way with secure coprocessors in phones, with fingerprint sensors, with encrypted messages. If you can attack Apple, then you can probably attack anyone.”

When the NSA was founded, encryption was an obscure technology. But in the 20 years since, it’s become ubiquitous. The agency considers its ability to decrypt information a vital capability, and it has employed a wide variety of strategies to advance that ability, inserting vulnerabilities into standards, coercing companies into cooperation, or stealing their encryption keys. Researchers’ efforts to break into Apple products began as early as 2006, the year before Apple introduced the original iPhone, and continued through the launch of the iPad in 2010 and beyond.

Read on for a timeline of key events of the past couple of years, through which the extent of the CIA, FBI, and NSA’s efforts to undermine the security of your iPhone has begun to be revealed.

June 2013: PRISM targets 9 American tech companies

In June 2013, The Washington Post reported on the program, code-named PRISM, in which the NSA and the Federal Bureau of Investigation (FBI) tap directly into the servers of nine leading American Internet companies to access audio, video chats, photos, emails, documents, and connection logs. According to top-secret documents, such collections targeted the servers of Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple. Apple reportedly joined PRISM in 2012, five years after Microsoft became the first to participate in the program. Steve Dowling, a spokesman for Apple, denied the implication and stated, “We have never heard of PRISM. We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order.”

September 2013: NSA spends billions to circumvent encryption

In September 2013, The New York Times reported that the NSA has invested billions of dollars in efforts to circumvent widely used encryption technologies, to work with tech companies to build entry points into their products, and to leverage its influence as the world’s most experienced code maker to introduce weaknesses into widely followed encryption standards. Documents revealed the agency’s efforts to exploit the Secure Sockets Layer (SSL), virtual private networks (VPN), and the encryption used in 4G phones. The NSA also reportedly spends more than $250 million per year on its Sigint program to covertly influence the design of commercial tech products.

September 2013: NSA builds a back door into encryption products

Also in September 2013, the Times and other publications reported that the NSA created a flawed formula for generating random numbers in order to create a “back door” into encryption products. Reuters later reported that influential computer security firm RSA became the most important distributor of that formula by integrating it into a software tool called BSafe, which it claimed enhanced security on personal computers and other products.

In December 2013, Reuters reported that the NSA arranged a $10 million contract with RSA, for the firm to set the NSA formula as the default method for number generation in the BSafe software. The deal demonstrated that the NSA was working toward what documents leaked by Snowden describe as a key strategy for enhancing surveillance: the systematic erosion of security tools.

December 2013: NSA can spy on iPhone communications

Also in December 2013, news broke that the NSA has the ability to spy on nearly every communication sent from an iPhone, according to a Daily Dot report on leaked documents shared by security researcher Jacob Appelbaum and German news magazine Der Spiegel. An NSA program called DROPOUTJEEP enables the agency to intercept SMS messages, access contact lists, locate a phone using cell tower data, and even activate the device’s microphone and camera. Data can be removed, or “exfiltrated,” over wireless data connections.

The documents showed the NSA claiming a 100% success rate in implanting iOS devices with spyware, but suggested that researchers needed physical access to the device to install the software. A remote version of the exploit was allegedly still in the works. Speaking at the Chaos Communication Conference in Hamburg, Appelbaum said he hoped that Apple would clarify whether it helped the NSA to sabotage its devices.

December 2013: Apple denies working with NSA

Not long after, on the last day of December, Apple released a statement to the press saying that it has never worked with the agency to create a backdoor into its devices, and was unaware of DROPOUTJEEP and its targeting of the iPhone, according to AllThingsD. Additionally, the company said, “Whenever we hear about attempts to undermine Apple’s industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers. We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them.”

June 2014: Court rules that phone searches require warrants

In June 2014, the Supreme Court ruled that police must obtain a warrant before searching the cell phone of someone whom they arrest, according to The Washington Post. Chief Justice John G. Roberts Jr. wrote that modern mobile phones “hold for many Americans the privacies of life.” He explained the court’s decision, “The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought.” While the ruling has no impact on the NSA’s data collection programs, or law enforcement agencies’ use of aggregated digital information, lawyers said that the declarations signaled the justices’ interest in the dangers of government overreach.

September 2014: Apple steps up encryption on iPhones, iPads

In September 2014, The Washington Post reported that Apple was taking a more aggressive stance on privacy. The company announced that it would no longer be feasible for law enforcement to unlock encrypted iPhones and iPads, because these devices would no longer allow the user’s passcode to be bypassed. Apple’s privacy site explained, “Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

The Post characterized the move as “an engineering solution to a legal quandary,” in that the new encryption method prevents anyone but a device’s owner from accessing the data stored on an iPhone or iPad. Apple still has the technical ability and the legal responsibility to turn over user data stored elsewhere, such as in its iCloud service, where users often back up photos, videos, emails, music, and more; users who wish to prevent law enforcement access to all of their information can thus adjust settings to prevent data from being stored in iCloud.

September 2014: FBI head criticizes Apple’s privacy features

In September 2014, FBI director James Comey shared his concerns about Apple’s privacy features. As The Huffington Post reported at the time, Comey, speaking to journalists at the FBI’s headquarters in Washington, explained, “I am a huge believer in the rule of law, but I also believe that no one in this country is beyond the law. What concerns me about this is companies marketing something expressly to allow people to place themselves beyond the law.”

Comey said that FBI officials had had conversations with both Apple and Google about the privacy-conscious marketing for their devices, which, in his words, makes the claim, “Buy our phone and law-enforcement, even with legal process, can never get access to it.” He also noted, “I get that the post-Snowden world has started an understandable pendulum swing. What I’m worried about is, this is an indication to us as a country and as a people that, boy, maybe that pendulum swung too far.”

October 2014: FBI head says encryption puts users beyond the law

In October 2014, Comey continued this line of criticism against Apple’s encryption of iPhone data, telling 60 Minutes, “The notion that we would market devices that would allow someone to place themselves beyond the law, troubles me a lot. As a country, I don’t know why we would want to put people beyond the law… The notion that people have devices, again, that with court orders, based on a showing of probable cause in a case involving kidnapping or child exploitation or terrorism, we could never open that phone? My sense is that we’ve gone too far when we’ve gone there.”

But in 2004, as deputy attorney general, Comey challenged President George W. Bush on warrantless wiretapping. He also told 60 Minutes, “I believe that Americans should be deeply skeptical of government power. You cannot trust people in power. The founders knew that. That’s why they divided power among three branches, to set interest against interest.” In the same story where CBS reported on Comey’s comments, the network reported that the FBI had established a new cybercrime headquarters, called “cywatch,” which draws on resources from the CIA, NSA and others.

January 2015: Snowden chooses not to use an iPhone

In January 2015, Sputnik reported that whistleblower Snowden himself chooses not to use an iPhone, as the device has software capable of collecting personal information about its owner. Snowden’s lawyer, Anatoly Kucherena, stated, “Edward never uses an iPhone, he’s got a simple phone… The iPhone has special software that can activate itself without the owner having to press a button and gather information about him, that’s why on security grounds he refused to have this phone.”

March 2015: Agencies have spent years targeting Apple’s encryption

The Intercept’s latest report on the CIA’s efforts draws on documents that cover a period from 2006 to 2013, but stop short of providing any certainty as to whether researchers have succeeded in breaking Apple’s encryption. Over the years, as Apple updates its hardware, software, and encryption methods, CIA researchers have studied ways to exploit them. The attempts to target Apple products are part of a multi-agency effort to attack commercial encryption and security systems used on billions of devices worldwide.

A joint task force of operatives from the NSA and Britain’s Government Communications Headquarters (GCHQ) successfully implanted malware on iPhones as part of WARRIOR PRIDE, a GCHQ framework for accessing private communications. A plugin called NOSEY SMURF enabled spies to remotely access and activate a phone’s microphone, while one called DREAMY SMURF enabled agents to manage the phone’s power system to avoid detection, PARANOID SMURF concealed the malware in other ways, and TRACKER SMURF enabled precise geolocating of a phone. All of this malware requires the agencies to bypass the security controls built into iOS by hacking the phone or sneaking a backdoor into an app that the user has voluntarily installed.

At the CIA’s 2011 Jamboree, researchers revealed the specifics of their efforts to attack the privacy of Apple’s mobile devices. These devices use two separate keys to encrypt data and software: the User ID (UID), which is unique to each device and not stored by Apple, and the Group ID (GID), which is known to Apple, is identical across Apple devices that use the same processor, and is used to encrypt essential system software. Researchers targeted the GID key because, once extracted, it would be useful in compromising any device that uses that key.

Apple and other U.S. tech companies have recently sought to restore trust among their customers that their products have not become tools for widespread government surveillance. That’s becoming a more difficult assertion to sell. Apple chief executive Tim Cook recently stated, “None of us should accept that the government or a company or anybody should have access to all of our private information. This is a basic human right. We all have a right to privacy. We shouldn’t give it up. We shouldn’t give in to scare-mongering.”