--This post is to draw attention to a report out today from The Gaurdian that the US CIA hacked together a corrupt version of Apple's XCode development software that allowed the insertion of surveillance backdoors into the resulting developed programs.
CIA 'tried to crack security of Apple devices'
Agency tried to create dummy version of development software that would allow it to insert surveillance back doors into apps
The modified version of Xcode would allow the CIA, NSA or other agencies to insert surveillance backdoors into any app created using the compromised development software. The revelation has already provoked a strong backlash among security researchers on Twitter and elsewhere, and is likely to prompt security audits among Apple developers.The original report of this situation was published on The Intercept website earlier today:
The latest revelations of sustained hacking efforts against Apple devices are set to further strain already difficult relations between the technology company and the US government.
Apple had previously been a partner in the Prism programme, in effect a legal backdoor to obtain user information by the NSA and its allies, but in the wake of the Snowden revelations it has stepped up efforts to protect user privacy, including introducing end-to-end encryption on iMessages.
Tim Cook, the CEO of Apple, warned Barack Obama in public remarks this month that history had shown “sacrificing our right to privacy can have dire consequences”.
THE CIA CAMPAIGN TO STEAL APPLE’S SECRETS
BY JEREMY SCAHILL AND JOSH BEGLEY
RESEARCHERS WORKING with the Central Intelligence Agency have conducted a multi-year, sustained effort to break the security of Apple’s iPhones and iPads, according to top-secret documents obtained by The Intercept.
The security researchers presented their latest tactics and achievements at a secret annual gathering, called the “Jamboree,” where attendees discussed strategies for exploiting security flaws in household and commercial electronics. The conferences have spanned nearly a decade, with the first CIA-sponsored meeting taking place a year before the first iPhone was released.
By targeting essential security keys used to encrypt data stored on Apple’s devices, the researchers have sought to thwart the company’s attempts to provide mobile security to hundreds of millions of Apple customers across the globe. Studying both “physical” and “non-invasive” techniques, U.S. government-sponsored research has been aimed at discovering ways to decrypt and ultimately penetrate Apple’s encrypted firmware. This could enable spies to plant malicious code on Apple devices and seek out potential vulnerabilities in other parts of the iPhone and iPad currently masked by encryption.
. . . .
The security researchers also claimed they had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool. Xcode, which is distributed by Apple to hundreds of thousands of developers, is used to create apps that are sold through Apple’s App Store.[All bolding above is mine, added for the emphasis of key information.]
The modified version of Xcode, the researchers claimed, could enable spies to steal passwords and grab messages on infected devices. Researchers also claimed the modified Xcode could “force all iOS applications to send embedded data to a listening post.” It remains unclear how intelligence agencies would get developers to use the poisoned version of Xcode.
Researchers also claimed they had successfully modified the OS X updater, a program used to deliver updates to laptop and desktop computers, to install a “keylogger.”
The depth of success of the CIA's Apple gear hacking strategies is unclear. But it is evident that a corrupt version of Xcode was successfully created with the intention of distributing it to unsuspecting software developers. Presumably, back-doored Mac and iOS software resulting from the use of this corrupt version of Xcode exist in the wild. No doubt there will now be efforts to determine exactly what software is affected.
My point of view regarding the incessant hacking of computer technology by the US CIA, NSA, etc. is mixed.
We already know that the CIA and NSA have illegally spied on US citizens on US soil without a legal warrant or justified cause specified in the Fourth Amendment to the US Constitution. All such acts must be prosecuted, without question. It makes no difference if the resulting impeachments reach the top of the executive office or US Congress. These are treasonous crimes. Trials for treason are required.
The legality of secretly damaging/hacking copyrighted and patented software for the purpose of surveillance is out of the scope of my knowledge. However, I find it difficult to imagine these acts could be found to be legally justified.
Whether these acts have been and continue to be in pursuit of the protection and defense of US citizens remains significantly unanswered. There has been to this point extremely little publicly released data that indicates these efforts by the US CIA, NSA, etc. have resulted in useful information. We may never know. We're stuck having to hear statements asserting that governmental hacking has been useful and important from the mouths of proven liars such as James R. Clapper, the current US Director of National Intelligence. I've heard retired General Clapper speak publicly. He appears to be an intelligent, serious and earnest defender of US citizens. And yet he is guilty of knowingly lying under oath to the US Congress. He is also a vehement critic of whistle-blower and patriot Edward Snowden. With such people representing US intelligence strategies, clearly the credibility of the ongoing damaging/hacking of computer technology is extremely dubious. That's shameful.
All US citizens of course would like to believe their government behaves legally in their best interests, instead of against them. We are left instead with a government that has severely damaged its credibility. New information further damaging that credibility continues to be published on a consistent basis. No evidence of reform of US intelligence gathering agencies or their methods has been forthcoming. The phrase 'hell bent' comes to my mind. I'm not interested in 'hell' anything. I personally demand that my government be 100% accountable to, loyal to and in the defense of its citizens at all times within the framework of the US Constitution and laws.
If the US intelligence agencies can work within their mandatory legal framework, then I support them. If not, then I want those responsible tried and punished for their crimes against US citizens, We The People, even if that includes impeachment of the current and past Presidents of the USA.
I've stated my views regarding government surveillance crimes in public on many occasions. My statements here are nothing new to those concerned and I am glad to report that there have been thus far no obvious repercussions. I wish and hope that every US citizen speaks up against illegal government surveillance of US citizens on US soil. If we don't, the obvious consequence is a totalitarian police state, as history has consistently proven. That would be a very bad and criminal thing.