Apple, iPhone, and the NSA: A Tale of Sorry Journalism

by Steve Wildstrom   |   December 31st, 2013

Copy of NSA document from Der Spiegel

Watching CNN on New Year’s Eve, I learned that the National Security Agency was able to snoop on everything I did or said on my iPhone. Actually, I had been reading this for a couple of days on an assortment of web sites, whose idea of reporting seems to consist pretty much entirely of reading and borrowing from other web sites, with, or more likely without, attribution.

If you dig back through the sources here, you find a fascinating dump of documents in Der Spiegel (German original) about the NSA’s Tailored Access Operations including a 50-page catalog of snooping devices worthy of MI-6′s fictional Q. One, called DROPOUTJEEP, claimed the ability to compromise an iPhone by replacing altering its built-in software. “The initial release of DROPOUTJEEP will focus on installing the implant via close access methods,” the 2008 document said. “A remote capability will be pursued in a future release.” In other words, before any snooping took place, the NSA first needed to get its hands on your iPhone and replace its software1 .

This extremely important qualification quickly disappeared from subsequent reports. For example, an Associated Press story (which appeared on the Huffington Post under the headline “The NSA Can Use Your iPhone To Spy On You, Expert Says”) said: “One of the slides described how the NSA can plant malicious software onto Apple Inc.’s iPhone, giving American intelligence agents the ability to turn the popular smartphone into a pocket-sized spy.” Forbes.com reported: “The NSA Reportedly Has Total Access to the Apple iPhone.”

Part of the problem is that Jacob Appelbaum, an independent journalist allied with Wikileaks and a co-author of the Spiegel article, went well beyond the cautious printed piece in a speech to the Chaos Computer Club in Heidelberg, Germany. Unlike more circumspect accounts of NSA disclosures such as those by Bart Gelman in The Washington Post ((Very interestingly, the Spiegel articles made no mention of Edward Snowden, the source of the recent flood of NSA revelations.)) , Appelbaum was quite willing to speculate far beyond what was supported by his texts. As quoted by the Daily Dot, he said in his CCC speech: “Either [the NSA] have a huge collection of exploits that work against Apple products, meaning they are hoarding information about critical systems that American companies produce, and sabotaging them, or Apple sabotaged it themselves.”

Apple was typically slow to respond to the charges. In a statement released Dec. 31, after the story has been percolating for a couple of days, it said:

Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products. We care deeply about our customers’ privacy and security. Our team is continuously working to make our products even more secure, and we make it easy for customers to keep their software up to date with the latest advancements. Whenever we hear about attempts to undermine Apple’s industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers. We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them.

I’m not sure how upset we should be about NSA’s Tailored Access Operations, of which DROPOUTJEEP was a part. A lot of this is the stuff of spy movies and is the sort of thing intelligence agencies are expected to do.2 One the whole, I agree with University of Pennsylvania security expert Matt Blaze, who tweeted:  ”Given a choice, I’d rather force NSA to do expensive TAO stuff to selected targets than let them weaken the infrastructure for all of us.”

But I have no doubts at all about the quality of much of the journalism. The idea that the government can tap into any iPhone anywhere, anytime, makes great clickbait, but sorry reporting. Too many writers, it seems, couldn’t be bothered to track the story back to the original sources or even read the NSA document that many plastered on their sites. There’s no excuse for this.

 

 

  1. It shouldn’t come as a surprise that a device that falls into the hands of an adversary can be compromised in this way. The ability to jailbreak iPhones is as old as the iPhone itself, and once you can modify the firmware, you can make it do pretty much whatever you want. []
  2. One thing not quite clear from the Spiegel story is whether the NSA was designing the exploits and leaving them to others, such as the FBI, to execute,  or whether NSA was running its own “black bag” operations. The latter would be disturbing, as it appears to be outside the NSA’s charter. []

Steve Wildstrom

Steve Wildstrom is veteran technology reporter, writer, and analyst based in the Washington, D.C. area. He created and wrote BusinessWeek’s Technology & You column for 15 years. Since leaving BusinessWeek in the fall of 2009, he has written his own blog, Wildstrom on Tech and has contributed to corporate blogs, including those of Cisco and AMD and also consults for major technology companies.
  • magnetik

    The stealth fighter was in development for over 30 years before we found out about it. If NSA was needing physical access back in 08′, I wouldn’t doubt they have the ability to do this remotely by now. Heck if they can spy on the Pope, intercept packages from UPS and FedEx for nefarious reasons, influence RSA to use shoddy encryption for $$$, tap fiber lines in between data centers, make shady deals with tech companies for our personal info, tap the cells of presidential allies, look up love interests, etc etc etc.. I don’t doubt they could or would hack phones remotely. They give us no reason to think otherwise.

    • steve_wildstrom

      Of course it is possible, but the fact remains that no one has produced any evidence that this is the case. Yet the various lazy journalists writing about this failed to make the critical distinction.

      In each of these NSA exploits, you have to consider just how it is done. NSA and its predecessors have dealt with complaisant telcos since the invention of the telephone. Intercepting packages requires the cooperation of the shipping companies, but its something they have done for law enforcement forever. The RSA story we still need to know a lot more about.

      But think about what is required for compromising the firmware on an iPhone. This would require a man-in-the-middle attack and I can think of three ways it might be done. All would require getting the phone to accept a face update server as legitimate, but forging the certificates strikes me as the easiest part of this exploit: 1) You could find a way to force an iPhone to accept a system upgrade without any action by the user. I don;t know if this is even theoretically possible though it is probably made somewhat easier by the auto-update feature of iOS 7. 2) You could trick a user into accepting an out-of-cycle system update. This is more social engineering than anything else, but might be hard to pull off against a sophisticated or cautious target. 3) You could do a classic main-in-the-middle in sync with a scheduled system upgrade. Setting up the man-in-the-middle server is the hard part here.

      If your targets are at all wary, particularly if they have some institutional support, there are effective countermeasures against any of these attacks. So I am not taking it for granted that a successful over-the-air compromise of the iPhone exists.

      • tellurad

        Thank you Steve for reason and facts instead of the paranoia and ignorance that some people exhibit.

      • http://facebook.com/FalconFour Matt Falcon

        There’s another layer to the insanity too, that seems to have floated over everyone’s heads… it’s not impossible, it’s just blatantly impractical.

        Too many functions under the control of one “program” that supposedly works without breaking the phone. I just can’t see that. Controlling those functions would be completely obvious to the user, causing battery life drain and weird behavior at the very least, or revealing its presence through inevitable errors and crashes from trying to take top-most functionality and shoving it under the hood. Trying to make a phone call while “hot mic” is in use, for example… or firing up any app that uses the camera while the camera’s being “watched”. There would be MUCH more instability in there than I’ve ever seen to back up these claims. Possible, yes. Practical, no.

    • Glaurung-Quena

      If there was a way to run unauthorized software on an idevice without plugging the phone into a computer and running a program, the jailbreak community would be all over it. Since they haven’t found such a way, I really doubt one exists.

      There was a once way to jailbreak IOS by visiting a website and downloading a special PDF way back in the days of the 3GS and IOS 3 or 4. Apple plugged that hole long ago, and it only ever worked on A4 and older devices, IIRC.

      • steve_wildstrom

        I’m never going to say never about the NSA, which has formidable capacity. However, as another commenter noted, a software load with all the capabilities claimed in the DROPOUTJEEP document would certainly produce anomalies on the iPhone that any but the dimmest user would quickly notice.

  • Jon Hendry

    “One thing not quite clear from the Spiegel story is whether the NSA was designing the exploits and leaving them to others, such as the FBI, to execute, or whether NSA was running its own “black bag” operations. The latter would be disturbing, as it appears to be outside the NSA’s charter.”

    The NSA would be free to do such operations outside the US, I believe. Perhaps they would have the CIA do it. Inside the US, it wouldn’t make it any more legal if the FBI executes the “close access” part of the hack, unless the FBI were collecting the information and the NSA had no involvement other than supplying the tech.

    • steve_wildstrom

      And the FBI would need a warrant for a domestic operation (though probably not if the target were a foreign embassy.) One problem with the NSA running operations, here or abroad, is that they are not supposed to be set up to run operations. But we know they have been doing it anyway.

  • Canucker

    Given the enormous resources of the NSA it’s certainly not inconceivable that through a series of software exploits, physical intercepts, collusions, etc. any given device could be compromised. Data is not intelligence or knowledge and scraping the airwaves for patterns is incredibly inefficient (successes are unpredictable and often serendipitous). Garbage in-garbage out.

    The most concerning aspect is the likelihood of an inside operative using specific data to his/her own advantage. A friend worked for British Telecom in a unit that tapped lines, cracked scams, etc under warrant. Told me that the temptation of insiders to access familial/personal data was so great that everyone with access was routinely audited. This doesn’t scale well.

  • Dave Smiddy

    Two things stand-out about the DROPOUTJEEP slide:

    1) It references “Apple iPhone” a term that was commonly used in the early days of the iPhone when discussing its technologies, prior to iPad. Now, “iOS” is the more standard term. There’s no reference to a specific iOS release. Applebaum, in his speech, used “iOS” as the term and w/out merit suggests that this exploit is current. Earlier versions of the iPhone are not as robust with regards to security and protecting user information as current versions of iOS are.

    2) GPRS and SMS are referenced as the transport for DROPOUTJEEP. GPRS is not common in the US, anymore, though it is common today in the less-developed telecom world (including China). GPRS was the common data transport when the iPhone was first released. We don’t know when this exploit was written (2008/9?), if it is still active or how it actually works. Very unlikely that it’s large scale efficient hack; more likely a single target and finicky hack. One of the last points of the DROPOUTJEEP slide is that this exploit is covert. However, data and SMS charges can be tracked by the owner of the device/account and could help a target conclude they have been hacked.

    Having written my share of slides in my career and knowing the vagaries of mobile software and networks, any claim that a solution works 100% of the time should be greeted with skepticism. A better claim might be that it works 100% of the time, under certain conditions. Just because information is presented on a Powerpoint slide doesn’t make it so. :)

    Lastly, is there a similar slide for Android? If so, why has that been excluded from the public?

    • tellurad

      “Why has that been excluded from the public?”

      Who says it has been?

      • Dave Smiddy

        My statement is intended to be rhetorical.

        • steve_wildstrom

          The document is dated 2008. Back then, apple was still referring to the iPhone software as a version of iOS. And it’s very unlikely there was an Android version then because there weren’t enough Android phones in use to both with. What would be really interesting is if there was a BlackBerry version.

  • sjinsjca

    The journalism is even more terrible than you think. This all regards a 1st ten vulnerability! No one seemed to check the timestamps on the damn slides. See “Cryptopocalypse: Can your iPhone be hacked by the NSA?” http://tinyurl.com/mhu8w8v

  • Brian

    When I bought my first iPhone in 2008, I assumed that the government could spy on me in one way, shape or form. I lead a very boring life relatively, and for the NSA, CIA, FSB, MI6, the Chinese Army, Mossad or any other intelligence organization to waste their time on me would be a futile pursuit. Whether any of these spy organizations could compromise my phone’s OS, its hardware or merely latch on to my cellular or WiFi signal is beside the point. Any such efforts would yield juicy secrets such as a honey-do list from my wife, reminders of a conference call at work, stock quotes and baseball scores. Hardly the stuff that spy agencies crave.

    All this paranoia makes me shake my head. Yes, we have a right to feel violated. But if I am doing nothing wrong, I have nothing to fear. I don’t see black helicopters or drones hovering overhead, and I don’t hear echoes or scratchy sounds on my phone. Instead, I see a media intent on whipping up hysteria in a shameless attempt to get more clicks and eyeballs.

    Meanwhile, millions of us willingly post intimate details of our lives on Facebook, use a grocery store’s loyalty card to get an added discount (while they record booze, junk food and cigarette purchases, the details of which are then sold to your insurance companies), and more. We know that, and we willingly or tacitly oblige.

    We humans are such contradictions.

    • Mark Jones

      “But if I am doing nothing wrong, I have nothing to fear.” That statement is true only if you assume that the “government” is good. With access to your phone, they can plant all sorts of things on your phone that will make you look like you’ve done plenty wrong.