GCHQ Used Compromised Hardware To Suck Data And Communications Out Of Exploit-Resistant iPhones

(Mis)Uses of Technology

from the it-was-the-WiFi-in-the-library-with-the-backdoor dept

Included in the new Snowden document dump by Der Spiegel is one detailing the GCHQ’s exploitation of iPhones [pdf link]. It isn’t discussed much in the Der Spiegel piece (unsurprising, considering the number of documents revealed) but has picked up press elsewhere.

The GCHQ managed to pull off a bit of coup, considering the iPhone’s general resistance to malware. Instead of deploying an exploit to the target’s phone, the GCHQ used an “endpoint machine” (a compromised computer or other device) to harvest data from the phone whenever it connected and synced. Similar to the NSA’s exploitation of ad-tracking cookies, the GCHQ’s program extracted the iPhone’s UDID (Unique Device Identifier) during certain interactions — like debit card purchases or interactions with AdMob.

The Mobile Theme has invested a large amount of research into iPhone apps and metadata analysis over the last year accumulating with a detailed report done by [redacted] in October 2009 and 29 SEM rules created by ICTR-MCT These rules have used to extract iPhone metadata for a number of apps and in particular the Unique Device Identifier (UDID) from any carrier being processed using DEBIT CARDs. Further TDI rules are being developed by GTE that will in the future extract UDID events from carriers processed through the MVR system. The resulting events have then been used to populate both research and corporate QFDs (Query Focused Datasets) such as MUTANT BROTH and AUTOASSOC and will eventually form the basis of mobile correlations in HARD ASSOC.

The end result of this proxy exploit? A ton of data and communications.

The WARRIORPRIDE exploit has resulted in extraction of the target’s address book, sms, call logs, notes, WLAN logs, bookmarks, map query history, Safari browsing history and some images.

The document notes that this limited deployment resulted in the acquisition of three targets for the NSA, in addition to a number of UDIDs passed on to GCHQ’s Tailored Access Operations, presumably in order to push further exploits to the phones at syncing.

Unfortunately, further information isn’t forthcoming as the accompanying guidance document — the inadvertently hilariously-titled “Good Penetration Guide” — has not been made public.

One particular case was a [redacted] target, [redacted] with yahoo selector that was seen active on a iPhone OS 3_1_2, as shown in Figure 8. The resulting Yahoo-B cookie is [redacted] and as can be seen the target has been active off [redacted]. Running the resulting Yahoo-cookie through MUTANT BROTH resulted in 171 events primarily on case notations GWUKGOOS, and IRUKCO36. The resulting information was then forwarded to the in the [redacted] team for tasking by the standard CNE process as outlined in the Good Penetration Guide.

The document is dated November 2010. Apple began phasing out the UDID system the next year and finally banned app developers from integrating this deprecated identifier into their apps in May of 2013. Considering the dates involved, the GCHQ had at least a two-year window where the end machine exploit provided access to data and content. (Apple began its deprecation of the identifier in 2012.)

Considering this collection was killed off by the unaware company along with its UDID system, the GCHQ is obviously on board with UK Prime Minister David Cameron’s call to forbid the sort of encryption Apple is making available by default. No one likes to see a source dry up, especially one utilizing devices historically resistant to outside exploitation.

Filed Under: gchq, iphones, malware, surveillance, udid
Companies: apple