Watching CNN on New Year’s Eve, I learned that the National Security Agency was able to snoop on everything I did or said on my iPhone. Actually, I had been reading this for a couple of days on an assortment of web sites, whose idea of reporting seems to consist pretty much entirely of reading and borrowing from other web sites, with, or more likely without, attribution.
If you dig back through the sources here, you find a fascinating dump of documents in Der Spiegel (German original) about the NSA’s Tailored Access Operations including a 50-page catalog of snooping devices worthy of MI-6’s fictional Q. One, called DROPOUTJEEP, claimed the ability to compromise an iPhone by altering its built-in software. “The initial release of DROPOUTJEEP will focus on installing the implant via close access methods,” the 2008 document said. “A remote capability will be pursued in a future release.” In other words, before any snooping took place, the NSA first needed to get its hands on your iPhone and replace its software ((It shouldn’t come as a surprise that a device that falls into the hands of an adversary can be compromised in this way. The ability to jailbreak iPhones is as old as the iPhone itself, and once you can modify the firmware, you can make it do pretty much whatever you want.)).
This extremely important qualification quickly disappeared from subsequent reports. For example, an Associated Press story (which appeared on the Huffington Post under the headline “The NSA Can Use Your iPhone To Spy On You, Expert Says”) said: “One of the slides described how the NSA can plant malicious software onto Apple Inc.’s iPhone, giving American intelligence agents the ability to turn the popular smartphone into a pocket-sized spy.” Forbes.com reported: “The NSA Reportedly Has Total Access to the Apple iPhone.”
Part of the problem is that Jacob Appelbaum, an independent journalist allied with Wikileaks and a co-author of the Spiegel article, went well beyond the cautious printed piece in a speech to the Chaos Computer Club in Heidelberg, Germany. Unlike more circumspect accounts of NSA disclosures such as those by Bart Gellman in The Washington Post ((Very interestingly, the Spiegel articles made no mention of Edward Snowden, the source of the recent flood of NSA revelations.)), Appelbaum was quite willing to speculate far beyond what was supported by his texts. As quoted by the Daily Dot, he said in his CCC speech: “Either [the NSA] have a huge collection of exploits that work against Apple products, meaning they are hoarding information about critical systems that American companies produce, and sabotaging them, or Apple sabotaged it themselves.”
Apple was typically slow to respond to the charges. In a statement released Dec. 31, after the story had been percolating for a couple of days, it said:
Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products. We care deeply about our customers’ privacy and security. Our team is continuously working to make our products even more secure, and we make it easy for customers to keep their software up to date with the latest advancements. Whenever we hear about attempts to undermine Apple’s industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers. We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them.
I’m not sure how upset we should be about NSA’s Tailored Access Operations, of which DROPOUTJEEP was a part. A lot of this is the stuff of spy movies and is the sort of thing intelligence agencies are expected to do. ((One thing not quite clear from the Spiegel story is whether the NSA was designing the exploits and leaving them to others, such as the FBI, to execute, or whether NSA was running its own “black bag” operations. The latter would be disturbing, as it appears to be outside the NSA’s charter.)) On the whole, I agree with University of Pennsylvania security expert Matt Blaze, who tweeted: “Given a choice, I’d rather force NSA to do expensive TAO stuff to selected targets than let them weaken the infrastructure for all of us.”
But I have no doubts at all about the quality of much of the journalism. The idea that the government can tap into any iPhone anywhere, anytime, makes great clickbait, but sorry reporting. Too many writers, it seems, couldn’t be bothered to track the story back to the original sources or even read the NSA document that many plastered on their sites. There’s no excuse for this.
The stealth fighter was in development for over 30 years before we found out about it. If NSA was needing physical access back in ’08, I wouldn’t doubt they have the ability to do this remotely by now. Heck if they can spy on the Pope, intercept packages from UPS and FedEx for nefarious reasons, influence RSA to use shoddy encryption for $$$, tap fiber lines in between data centers, make shady deals with tech companies for our personal info, tap the cells of presidential allies, look up love interests, etc etc etc.. I don’t doubt they could or would hack phones remotely. They give us no reason to think otherwise.
Of course it is possible, but the fact remains that no one has produced any evidence that this is the case. Yet the various lazy journalists writing about this failed to make the critical distinction.
In each of these NSA exploits, you have to consider just how it is done. NSA and its predecessors have dealt with complaisant telcos since the invention of the telephone. Intercepting packages requires the cooperation of the shipping companies, but it’s something they have done for law enforcement forever. The RSA story we still need to know a lot more about.
But think about what is required for compromising the firmware on an iPhone. This would require a man-in-the-middle attack and I can think of three ways it might be done. All would require getting the phone to accept a fake update server as legitimate, but forging the certificates strikes me as the easiest part of this exploit: 1) You could find a way to force an iPhone to accept a system upgrade without any action by the user. I don’t know if this is even theoretically possible though it is probably made somewhat easier by the auto-update feature of iOS 7. 2) You could trick a user into accepting an out-of-cycle system update. This is more social engineering than anything else, but might be hard to pull off against a sophisticated or cautious target. 3) You could do a classic man-in-the-middle in sync with a scheduled system upgrade. Setting up the man-in-the-middle server is the hard part here.
If your targets are at all wary, particularly if they have some institutional support, there are effective countermeasures against any of these attacks. So I am not taking it for granted that a successful over-the-air compromise of the iPhone exists.
Thank you Steve for reason and facts instead of the paranoia and ignorance that some people exhibit.
There’s another layer to the insanity too, that seems to have floated over everyone’s heads… it’s not impossible, it’s just blatantly impractical.
Too many functions under the control of one “program” that supposedly works without breaking the phone. I just can’t see that. Controlling those functions would be completely obvious to the user, causing battery life drain and weird behavior at the very least, or revealing its presence through inevitable errors and crashes from trying to take top-most functionality and shoving it under the hood. Trying to make a phone call while “hot mic” is in use, for example… or firing up any app that uses the camera while the camera’s being “watched”. There would be MUCH more instability in there than I’ve ever seen to back up these claims. Possible, yes. Practical, no.
If there was a way to run unauthorized software on an idevice without plugging the phone into a computer and running a program, the jailbreak community would be all over it. Since they haven’t found such a way, I really doubt one exists.
There was once a way to jailbreak iOS by visiting a website and downloading a special PDF way back in the days of the 3GS and iOS 3 or 4. Apple plugged that hole long ago, and it only ever worked on A4 and older devices, IIRC.
I’m never going to say never about the NSA, which has formidable capacity. However, as another commenter noted, a software load with all the capabilities claimed in the DROPOUTJEEP document would certainly produce anomalies on the iPhone that any but the dimmest user would quickly notice.
“One thing not quite clear from the Spiegel story is whether the NSA was designing the exploits and leaving them to others, such as the FBI, to execute, or whether NSA was running its own “black bag” operations. The latter would be disturbing, as it appears to be outside the NSA’s charter.”
The NSA would be free to do such operations outside the US, I believe. Perhaps they would have the CIA do it. Inside the US, it wouldn’t make it any more legal if the FBI executes the “close access” part of the hack, unless the FBI were collecting the information and the NSA had no involvement other than supplying the tech.
And the FBI would need a warrant for a domestic operation (though probably not if the target were a foreign embassy.) One problem with the NSA running operations, here or abroad, is that they are not supposed to be set up to run operations. But we know they have been doing it anyway.
Given the enormous resources of the NSA it’s certainly not inconceivable that through a series of software exploits, physical intercepts, collusions, etc. any given device could be compromised. Data is not intelligence or knowledge and scraping the airwaves for patterns is incredibly inefficient (successes are unpredictable and often serendipitous). Garbage in-garbage out.
The most concerning aspect is the likelihood of an inside operative using specific data to his/her own advantage. A friend worked for British Telecom in a unit that tapped lines, cracked scams, etc under warrant. Told me that the temptation of insiders to access familial/personal data was so great that everyone with access was routinely audited. This doesn’t scale well.
Two things stand out about the DROPOUTJEEP slide:
1) It references “Apple iPhone”, a term that was commonly used in the early days of the iPhone when discussing its technologies, prior to iPad. Now, “iOS” is the more standard term. There’s no reference to a specific iOS release. Appelbaum, in his speech, used “iOS” as the term and w/out merit suggests that this exploit is current. Earlier versions of the iPhone are not as robust with regards to security and protecting user information as current versions of iOS are.
2) GPRS and SMS are referenced as the transport for DROPOUTJEEP. GPRS is not common in the US, anymore, though it is common today in the less-developed telecom world (including China). GPRS was the common data transport when the iPhone was first released. We don’t know when this exploit was written (2008/9?), if it is still active or how it actually works. Very unlikely that it’s a large-scale, efficient hack; more likely a single-target and finicky hack. One of the last points of the DROPOUTJEEP slide is that this exploit is covert. However, data and SMS charges can be tracked by the owner of the device/account and could help a target conclude they have been hacked.
Having written my share of slides in my career and knowing the vagaries of mobile software and networks, any claim that a solution works 100% of the time should be greeted with skepticism. A better claim might be that it works 100% of the time, under certain conditions. Just because information is presented on a Powerpoint slide doesn’t make it so. 🙂
Lastly, is there a similar slide for Android? If so, why has that been excluded from the public?
“Why has that been excluded from the public?”
Who says it has been?
My statement is intended to be rhetorical.
The document is dated 2008. Back then, Apple was still referring to the iPhone software as a version of iOS. And it’s very unlikely there was an Android version then because there weren’t enough Android phones in use to bother with. What would be really interesting is if there was a BlackBerry version.
The journalism is even more terrible than you think. This all regards a 1st gen vulnerability! No one seemed to check the timestamps on the damn slides. See “Cryptopocalypse: Can your iPhone be hacked by the NSA?” http://tinyurl.com/mhu8w8v
When I bought my first iPhone in 2008, I assumed that the government could spy on me in one way, shape or form. I lead a very boring life relatively, and for the NSA, CIA, FSB, MI6, the Chinese Army, Mossad or any other intelligence organization to waste their time on me would be a futile pursuit. Whether any of these spy organizations could compromise my phone’s OS, its hardware or merely latch on to my cellular or WiFi signal is beside the point. Any such efforts would yield juicy secrets such as a honey-do list from my wife, reminders of a conference call at work, stock quotes and baseball scores. Hardly the stuff that spy agencies crave.
All this paranoia makes me shake my head. Yes, we have a right to feel violated. But if I am doing nothing wrong, I have nothing to fear. I don’t see black helicopters or drones hovering overhead, and I don’t hear echoes or scratchy sounds on my phone. Instead, I see a media intent on whipping up hysteria in a shameless attempt to get more clicks and eyeballs.
Meanwhile, millions of us willingly post intimate details of our lives on Facebook, use a grocery store’s loyalty card to get an added discount (while they record booze, junk food and cigarette purchases, the details of which are then sold to your insurance companies), and more. We know that, and we willingly or tacitly oblige.
We humans are such contradictions.
“But if I am doing nothing wrong, I have nothing to fear.” That statement is true only if you assume that the “government” is good. With access to your phone, they can plant all sorts of things on your phone that will make you look like you’ve done plenty wrong.