(Mis)Uses of Technology

by Tim Cushing


Filed Under:
gchq, iphones, malware, surveillance, udid

Companies:
apple



GCHQ Used Compromised Hardware To Suck Data And Communications Out Of Exploit-Resistant iPhones

from the it-was-the-WiFi-in-the-library-with-the-backdoor dept

Included in the new Snowden document dump by Der Spiegel is one detailing the GCHQ's exploitation of iPhones [pdf link]. It isn't discussed much in the Der Spiegel piece (unsurprising, considering the number of documents revealed) but has picked up press elsewhere.

The GCHQ managed to pull off a bit of coup, considering the iPhone's general resistance to malware. Instead of deploying an exploit to the target's phone, the GCHQ used an "endpoint machine" (a compromised computer or other device) to harvest data from the phone whenever it connected and synced. Similar to the NSA's exploitation of ad-tracking cookies, the GCHQ's program extracted the iPhone's UDID (Unique Device Identifier) during certain interactions -- like debit card purchases or interactions with AdMob.

The Mobile Theme has invested a large amount of research into iPhone apps and metadata analysis over the last year accumulating with a detailed report done by [redacted] in October 2009 and 29 SEM rules created by ICTR-MCT These rules have used to extract iPhone metadata for a number of apps and in particular the Unique Device Identifier (UDID) from any carrier being processed using DEBIT CARDs. Further TDI rules are being developed by GTE that will in the future extract UDID events from carriers processed through the MVR system. The resulting events have then been used to populate both research and corporate QFDs (Query Focused Datasets) such as MUTANT BROTH and AUTOASSOC and will eventually form the basis of mobile correlations in HARD ASSOC.
The end result of this proxy exploit? A ton of data and communications.
The WARRIORPRIDE exploit has resulted in extraction of the target's address book, sms, call logs, notes, WLAN logs, bookmarks, map query history, Safari browsing history and some images.
The document notes that this limited deployment resulted in the acquisition of three targets for the NSA, in addition to a number of UDIDs passed on to GCHQ's Tailored Access Operations, presumably in order to push further exploits to the phones at syncing.

Unfortunately, further information isn't forthcoming as the accompanying guidance document -- the inadvertently hilariously-titled "Good Penetration Guide" -- has not been made public.
One particular case was a [redacted] target, [redacted] with yahoo selector that was seen active on a iPhone OS 3_1_2, as shown in Figure 8. The resulting Yahoo-B cookie is [redacted] and as can be seen the target has been active off [redacted]. Running the resulting Yahoo-cookie through MUTANT BROTH resulted in 171 events primarily on case notations GWUKGOOS, and IRUKCO36. The resulting information was then forwarded to the in the [redacted] team for tasking by the standard CNE process as outlined in the Good Penetration Guide.
The document is dated November 2010. Apple began phasing out the UDID system the next year and finally banned app developers from integrating this deprecated identifier into their apps in May of 2013. Considering the dates involved, the GCHQ had at least a two-year window where the end machine exploit provided access to data and content. (Apple began its deprecation of the identifier in 2012.)

Considering this collection was killed off by the unaware company along with its UDID system, the GCHQ is obviously on board with UK Prime Minister David Cameron's call to forbid the sort of encryption Apple is making available by default. No one likes to see a source dry up, especially one utilizing devices historically resistant to outside exploitation.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Ninja (profile), 22 Jan 2015 @ 8:04am

    The question is: do terrorists really use Apple devices and services considering it is a goddamn AMERICAN company? I doubt they use and if they do it's probably heavily modified to add security layers.

    On a lighter note...

    the inadvertently hilariously-titled "Good Penetration Guide"

    Next on Brazzers: GOOD PENETRATION GUIDE
    Description: a love story between a NSA agent and his GCHQ bitch while they discover more haystacks and shades of gray

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Jan 2015 @ 10:12am

      Re:

      I doubt they use and if they do it's probably heavily modified to add security layers.
      I take it you've never tried to modify an Apple device. Apple is a huge believer in the stupidity and incompetence of everyone outside Cupertino. The very existence of the idea of "jailbreaking" the phone is because they make it unreasonably hard to modify in its retail configuration.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Jan 2015 @ 10:29am

      Re:

      "The question is: do terrorists really use Apple devices and services"

      Why not? They wear Timberland boots, reputedly (I refer to some early news reports about the latest bunch of ME zealots). Gotta be cool for those videos! Plus there was the report in the UK press of how one young recruit wanted to go home because his iPod didn't work and he was made to wash dishes instead of being a front-line hero as he'd been led to believe.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 22 Jan 2015 @ 11:11am

        Re: Re:

        I guess then that must mean all apple users are terrorists

        reply to this | link to this | view in chronology ]

      • icon
        John Fenderson (profile), 22 Jan 2015 @ 11:12am

        Re: Re:

        "he was made to wash dishes instead of being a front-line hero as he'd been led to believe"

        He should have read up on his military history. All militaries engage in this deception. The actual fact is that for every combat troop there are several more supporting them in the less "glamorous" behind-the-scenes roles like that.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 22 Jan 2015 @ 3:06pm

        Re: Re:

        The easily led are the ideal marketing target for Apple devices and designer boots etc. That makes also makes them ideal cannon fodder for the real terrorists to to use. I would bet the leaders of ISIS are much more careful about what technology they use, and how they use it.

        reply to this | link to this | view in chronology ]

      • icon
        Ninja (profile), 23 Jan 2015 @ 2:59am

        Re: Re:

        Some wannabes maybe but the hardcore terrorists? I'm neither a terrorist nor an expert at technology and I would avoid doing anything criminal involving smartphones or at least use some havy encryption in the form of apps (ie: https://whispersystems.org/). In fact if I'm gonna have a conversation I really don't want people listening I will use it anyway even if it's not criminal. Because we don't know anymore if our calls and communications are private.

        See, I'm your ordinary citizen, not a high profile terrorist.

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Jan 2015 @ 1:23pm

      Re:

      ...Next on Brazzers: GOOD PENETRATION GUIDE
      Description: a love story between a NSA agent and his GCHQ bitch while they discover more haystacks and shades of gray...



      That would actually attract an audience!

      Make that a gay story to remain un-noticed.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Jan 2015 @ 9:57am

    "UK Prime Minister David Cameron's call to forbid the sort of encryption Apple is making available by default"
    Actually hard disk encryption would have no effect on an active hack. IE, the hack was installed by either using a sync exploit or the PDF vulnerability, both of which would have to have access to the filesystem in some sort of unencrypted method to actually work. (The PDF vulnerability was actually used to do untethered jail breaking v4.3.3 and previous) I believe the best thing now is better sand boxing from iOS which has cut a lot of these vulnerabilities, but of course new ones will always pop up as seen with the latest v8.1.2 jailbreak.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Jan 2015 @ 10:24am

    I'm proud to say that I've been boycotting Apple products since 1999. Not because it's apple(I grew up on an apple and played the oregon trail and number munchers during free time in computer science) but because they've become no better than Microsoft. In fact, they're better than Microsoft at doing things worse since apparently they have successfully created an environment in which to fuck us all...Which MS has failed to achieve time and time again.

    reply to this | link to this | view in chronology ]

    • icon
      tqk (profile), 22 Jan 2015 @ 12:48pm

      Re:

      In fact, they're better than Microsoft at doing things worse since apparently they have successfully created an environment in which to fuck us all...Which MS has failed to achieve time and time again.

      That's going too far. No, all you need to do is look at the Win* related malware front. Win*'s continuing inability to protect itself from malware makes Apple shine in comparison. I'm no Apple fanboi, but to say Apple's worse at basic system security is certainly wrong. MS' reaction to malware all along has been, "Not our problem, and we don't care if the system's design philosophy facilitates malware. It's up to the end user to sort that out as best they can."

      reply to this | link to this | view in chronology ]

      • icon
        John Fenderson (profile), 22 Jan 2015 @ 1:22pm

        Re: Re:

        I assumed that he was talking more about Apple's business practices than code quality. IN which case he is 100% correct. Apple and Microsoft are two peas in a pod in terms of their corporate behavior. The only reason that Microsoft gets more criticism is that Apple has a much smaller and more fanatical user base.

        I never boycotted Apple, but I never forgave Apple for how they changed with the release of the original Mac. They went from being a company that supported and encouraged hobbyists to one that locked down their systems and told hobbyists they were no longer welcome. That trend only got worse in the years following.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Jan 2015 @ 10:37am

    " the iPhone's general resistance to malware. "

    There is no resistance.

    1. Currently, 80% of all cell phones, from cheap throw-aways to luxury, run android.
    2. It's easier to install pirated software on android.
    3. Apple has no resistance which has been proven time and time again.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Jan 2015 @ 10:38am

      Re:

      Because they're within the %20 margin people like yourself automatically assume that there's less of a chance of getting phished...Does ICloud ring any bells?

      reply to this | link to this | view in chronology ]

    • identicon
      Just Another Anonymous Troll, 22 Jan 2015 @ 11:18am

      Re:

      The virus resistance of iCrap is achieved via obscurity. Malware authors prefer to make viruses that hit the OS actually used by any large section of the population. You're less likely to be infected because no one likes your OS.

      reply to this | link to this | view in chronology ]

      • icon
        tqk (profile), 22 Jan 2015 @ 12:54pm

        Re: Re:

        You're less likely to be infected because no one likes your OS.

        I think that's far less important than whether Apple or MS are vulnerable to malware, and demonstrably MS is and always has been far less able to protect itself. It didn't care to, and in fact it enabled by bad design many of the worst malware exploit vectors.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Jan 2015 @ 10:37am

    it seems as if the UK government want to use the terrorist threat to get stronger surveillance laws in place, enabling GCHQ to do whatever the hell it likes. so, can someone tell me why it's ok to do the same thing the terrorists threaten to do, just because the name is different? both are going to remove freedom and privacy, but just one is trying to do so underhandedly and under false pretenses!!

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Jan 2015 @ 11:16am

      Re:

      With news like this

      http://www.theguardian.com/uk-news/2015/jan/22/cooperation-british-spies-gaddafi-libya-revealed- official-papers

      Im starting to wonder if a big part to the bulk surveilance is to create informants........lieing about it, or just not mentioning the specifics

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 22 Jan 2015 @ 11:19am

        Re: Re:

        "The Libyan minutes of the meeting also say that the British told them: “With your co-operation we should be able to target specific individuals.”
        The Libyans, meanwhile, said that potential recruits could be “intimidated” through threats to arrest relatives in Libya.

        The following August, senior MI5 and MI6 officers and two Libyan intelligence officers met at MI5’s headquarters in London. According to the Libyan minutes, MI5 warned the Libyans that individuals could complain to the police if they believed they were being harassed by MI5, and could also expose the British-Libyan joint operations to the media."

        reply to this | link to this | view in chronology ]

    • icon
      tqk (profile), 22 Jan 2015 @ 1:02pm

      Re:

      it seems as if the UK government want to use the terrorist threat to get stronger surveillance laws in place, enabling GCHQ to do whatever the hell it likes.

      I'm beginning to believe that all the shouting from Cameron and Comey is BS. They know they're not going to kill secure crypto. They're just crying wolf to see if they can sucker stupid crooks/terrorists into believing they'll be safe from NSA/GCHQ, while the NSA in truth has no trouble cracking comms one way or another. This is all NSA bait and switch.

      The only real solution is Android (hardware) plus Cyanogenmod, perhaps with i2p on top. I'm also beginning to believe tor's been cracked.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Jan 2015 @ 4:17pm

    GPG vs PGP

    Hmmmm.... I think that the report title Good Penetration Guide is named that way to pay homage to PGP... same letters just juxtaposed.

    reply to this | link to this | view in chronology ]

  • icon
    Padpaw (profile), 22 Jan 2015 @ 8:28pm

    Thank you sir may I have another

    reply to this | link to this | view in chronology ]

  • identicon
    correction, 22 Jan 2015 @ 8:34pm

    GCHQ uses.

    reply to this | link to this | view in chronology ]

  • icon
    toyotabedzrock (profile), 23 Jan 2015 @ 5:44pm

    This is just metadata matching made possible by direct monitoring of internet traffic.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.