GCHQ Used Compromised Hardware To Suck Data And Communications Out Of Exploit-Resistant iPhones

from the it-was-the-WiFi-in-the-library-with-the-backdoor dept

Included in the new Snowden document dump by Der Spiegel is one detailing the GCHQ’s exploitation of iPhones [pdf link]. It isn’t discussed much in the Der Spiegel piece (unsurprising, considering the number of documents revealed) but has picked up press elsewhere.

The GCHQ managed to pull off a bit of coup, considering the iPhone’s general resistance to malware. Instead of deploying an exploit to the target’s phone, the GCHQ used an “endpoint machine” (a compromised computer or other device) to harvest data from the phone whenever it connected and synced. Similar to the NSA’s exploitation of ad-tracking cookies, the GCHQ’s program extracted the iPhone’s UDID (Unique Device Identifier) during certain interactions — like debit card purchases or interactions with AdMob.

The Mobile Theme has invested a large amount of research into iPhone apps and metadata analysis over the last year accumulating with a detailed report done by [redacted] in October 2009 and 29 SEM rules created by ICTR-MCT These rules have used to extract iPhone metadata for a number of apps and in particular the Unique Device Identifier (UDID) from any carrier being processed using DEBIT CARDs. Further TDI rules are being developed by GTE that will in the future extract UDID events from carriers processed through the MVR system. The resulting events have then been used to populate both research and corporate QFDs (Query Focused Datasets) such as MUTANT BROTH and AUTOASSOC and will eventually form the basis of mobile correlations in HARD ASSOC.

The end result of this proxy exploit? A ton of data and communications.

The WARRIORPRIDE exploit has resulted in extraction of the target’s address book, sms, call logs, notes, WLAN logs, bookmarks, map query history, Safari browsing history and some images.

The document notes that this limited deployment resulted in the acquisition of three targets for the NSA, in addition to a number of UDIDs passed on to GCHQ’s Tailored Access Operations, presumably in order to push further exploits to the phones at syncing.

Unfortunately, further information isn’t forthcoming as the accompanying guidance document — the inadvertently hilariously-titled “Good Penetration Guide” — has not been made public.

One particular case was a [redacted] target, [redacted] with yahoo selector that was seen active on a iPhone OS 3_1_2, as shown in Figure 8. The resulting Yahoo-B cookie is [redacted] and as can be seen the target has been active off [redacted]. Running the resulting Yahoo-cookie through MUTANT BROTH resulted in 171 events primarily on case notations GWUKGOOS, and IRUKCO36. The resulting information was then forwarded to the in the [redacted] team for tasking by the standard CNE process as outlined in the Good Penetration Guide.

The document is dated November 2010. Apple began phasing out the UDID system the next year and finally banned app developers from integrating this deprecated identifier into their apps in May of 2013. Considering the dates involved, the GCHQ had at least a two-year window where the end machine exploit provided access to data and content. (Apple began its deprecation of the identifier in 2012.)

Considering this collection was killed off by the unaware company along with its UDID system, the GCHQ is obviously on board with UK Prime Minister David Cameron’s call to forbid the sort of encryption Apple is making available by default. No one likes to see a source dry up, especially one utilizing devices historically resistant to outside exploitation.

Filed Under: , , , ,
Companies: apple

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “GCHQ Used Compromised Hardware To Suck Data And Communications Out Of Exploit-Resistant iPhones”

Subscribe: RSS Leave a comment
26 Comments
Ninja (profile) says:

The question is: do terrorists really use Apple devices and services considering it is a goddamn AMERICAN company? I doubt they use and if they do it’s probably heavily modified to add security layers.

On a lighter note…

the inadvertently hilariously-titled “Good Penetration Guide”

Next on Brazzers: GOOD PENETRATION GUIDE
Description: a love story between a NSA agent and his GCHQ bitch while they discover more haystacks and shades of gray

Anonymous Coward says:

Re: Re:

I doubt they use and if they do it’s probably heavily modified to add security layers.

I take it you’ve never tried to modify an Apple device. Apple is a huge believer in the stupidity and incompetence of everyone outside Cupertino. The very existence of the idea of “jailbreaking” the phone is because they make it unreasonably hard to modify in its retail configuration.

Anonymous Coward says:

Re: Re:

“The question is: do terrorists really use Apple devices and services”

Why not? They wear Timberland boots, reputedly (I refer to some early news reports about the latest bunch of ME zealots). Gotta be cool for those videos! Plus there was the report in the UK press of how one young recruit wanted to go home because his iPod didn’t work and he was made to wash dishes instead of being a front-line hero as he’d been led to believe.

John Fenderson (profile) says:

Re: Re: Re:

“he was made to wash dishes instead of being a front-line hero as he’d been led to believe”

He should have read up on his military history. All militaries engage in this deception. The actual fact is that for every combat troop there are several more supporting them in the less “glamorous” behind-the-scenes roles like that.

Ninja (profile) says:

Re: Re: Re:

Some wannabes maybe but the hardcore terrorists? I’m neither a terrorist nor an expert at technology and I would avoid doing anything criminal involving smartphones or at least use some havy encryption in the form of apps (ie: https://whispersystems.org/). In fact if I’m gonna have a conversation I really don’t want people listening I will use it anyway even if it’s not criminal. Because we don’t know anymore if our calls and communications are private.

See, I’m your ordinary citizen, not a high profile terrorist.

Anonymous Coward says:

“UK Prime Minister David Cameron’s call to forbid the sort of encryption Apple is making available by default”
Actually hard disk encryption would have no effect on an active hack. IE, the hack was installed by either using a sync exploit or the PDF vulnerability, both of which would have to have access to the filesystem in some sort of unencrypted method to actually work. (The PDF vulnerability was actually used to do untethered jail breaking v4.3.3 and previous) I believe the best thing now is better sand boxing from iOS which has cut a lot of these vulnerabilities, but of course new ones will always pop up as seen with the latest v8.1.2 jailbreak.

Anonymous Coward says:

I’m proud to say that I’ve been boycotting Apple products since 1999. Not because it’s apple(I grew up on an apple and played the oregon trail and number munchers during free time in computer science) but because they’ve become no better than Microsoft. In fact, they’re better than Microsoft at doing things worse since apparently they have successfully created an environment in which to fuck us all…Which MS has failed to achieve time and time again.

tqk (profile) says:

Re: Re:

In fact, they’re better than Microsoft at doing things worse since apparently they have successfully created an environment in which to fuck us all…Which MS has failed to achieve time and time again.

That’s going too far. No, all you need to do is look at the Win* related malware front. Win*’s continuing inability to protect itself from malware makes Apple shine in comparison. I’m no Apple fanboi, but to say Apple’s worse at basic system security is certainly wrong. MS’ reaction to malware all along has been, “Not our problem, and we don’t care if the system’s design philosophy facilitates malware. It’s up to the end user to sort that out as best they can.”

John Fenderson (profile) says:

Re: Re: Re:

I assumed that he was talking more about Apple’s business practices than code quality. IN which case he is 100% correct. Apple and Microsoft are two peas in a pod in terms of their corporate behavior. The only reason that Microsoft gets more criticism is that Apple has a much smaller and more fanatical user base.

I never boycotted Apple, but I never forgave Apple for how they changed with the release of the original Mac. They went from being a company that supported and encouraged hobbyists to one that locked down their systems and told hobbyists they were no longer welcome. That trend only got worse in the years following.

Anonymous Coward says:

it seems as if the UK government want to use the terrorist threat to get stronger surveillance laws in place, enabling GCHQ to do whatever the hell it likes. so, can someone tell me why it’s ok to do the same thing the terrorists threaten to do, just because the name is different? both are going to remove freedom and privacy, but just one is trying to do so underhandedly and under false pretenses!!

Anonymous Coward says:

Re: Re: Re:

“The Libyan minutes of the meeting also say that the British told them: “With your co-operation we should be able to target specific individuals.”
The Libyans, meanwhile, said that potential recruits could be “intimidated” through threats to arrest relatives in Libya.

The following August, senior MI5 and MI6 officers and two Libyan intelligence officers met at MI5’s headquarters in London. According to the Libyan minutes, MI5 warned the Libyans that individuals could complain to the police if they believed they were being harassed by MI5, and could also expose the British-Libyan joint operations to the media.”

tqk (profile) says:

Re: Re:

it seems as if the UK government want to use the terrorist threat to get stronger surveillance laws in place, enabling GCHQ to do whatever the hell it likes.

I’m beginning to believe that all the shouting from Cameron and Comey is BS. They know they’re not going to kill secure crypto. They’re just crying wolf to see if they can sucker stupid crooks/terrorists into believing they’ll be safe from NSA/GCHQ, while the NSA in truth has no trouble cracking comms one way or another. This is all NSA bait and switch.

The only real solution is Android (hardware) plus Cyanogenmod, perhaps with i2p on top. I’m also beginning to believe tor’s been cracked.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...