CIA Holds Special Annual Hackathons Looking To Undermine Apple Encryption And Privacy

from the the-ijamboree dept

The latest big report from the Intercept concerns an annual hackathon put on by the CIA, with participation from the NSA and other agencies, at which researchers try to break encrypted systems, with a key focus on Apple products. The CIA calls it its annual "Trusted Computing Base Jamboree." The whole point: how can the CIA undermine trusted computing systems?
The report quotes the event's own description of its purpose:
As in past years, the Jamboree will be an informal and interactive conference with an emphasis on presentations that provide important information to developers trying to circumvent or exploit new security capabilities.
In other words, rather than seeking to better protect Americans by making sure the security products they use remain secure, this event was about making everyone less safe -- Apple users in particular. The report describes how researchers subverted Xcode so that the intelligence community could inject backdoors into large numbers of apps and expose developers' private keys (apparently without regard for how much less secure that makes everyone):
A year later, at the 2012 Jamboree, researchers described their attacks on the software used by developers to create applications for Apple’s popular App Store. In a talk called “Strawhorse: Attacking the MacOS and iOS Software Development Kit,” a presenter from Sandia Labs described a successful “whacking” of Apple’s Xcode — the software used to create apps for iPhones, iPads and Mac computers. Developers who create Apple-approved and distributed apps overwhelmingly use Xcode, a free piece of software easily downloaded from the App Store.

The researchers boasted that they had discovered a way to manipulate Xcode so that it could serve as a conduit for infecting and extracting private data from devices on which users had installed apps that were built with the poisoned Xcode. In other words, by manipulating Xcode, the spies could compromise the devices and private data of anyone with apps made by a poisoned developer — potentially millions of people.
The risks for nearly anyone using an Apple product become clear once you see what this "whacked" Xcode can reportedly do:
  • “Entice” all Mac applications to create a “remote backdoor” allowing undetected access to an Apple computer.
  • Secretly embed an app developer’s private key into all iOS applications. (This could potentially allow spies to impersonate the targeted developer.)
  • “Force all iOS applications” to send data from an iPhone or iPad back to a U.S. intelligence “listening post.”
  • Disable core security features on Apple devices.
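The attack described above works because developers trust the toolchain that produces their binaries. As an added illustration (not code from the Intercept report, Techdirt or Apple), the shell functions below pin SHA-256 hashes of a build toolchain right after a trusted install and re-verify them before each build, refusing to build with a compiler or SDK file that has changed or appeared unbidden. The toolchain directory, file names and contents are constructed for the demo; `sha256sum` (or `shasum` on macOS) and `awk` are the only tools assumed.

```shell
#!/bin/sh
# Added example (not from the Intercept report, Techdirt or Apple): pin the
# hashes of a build toolchain after a trusted install and re-verify them
# before every build, so a tampered compiler or SDK file is refused rather
# than silently used. All paths and file contents here are constructed.
set -eu

# Pick a SHA-256 tool: coreutils on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Record the hash of every regular file under a toolchain directory into a
# manifest ("<sha256>  <relative path>", one per line). In real use this is
# generated on a trusted host straight after installation and stored where
# the build machine cannot rewrite it. Paths are assumed to contain no spaces.
pin_toolchain() {            # pin_toolchain <toolchain_dir> <manifest>
  dir=$1; manifest=$2
  : > "$manifest"
  find "$dir" -type f | LC_ALL=C sort | while read -r f; do
    rel=${f#"$dir"/}
    printf '%s  %s\n' "$(sha256_of "$f")" "$rel" >> "$manifest"
  done
}

# Re-hash the installed toolchain and compare with the manifest. Returns 0
# only if every pinned file is present and unchanged and nothing unpinned
# has been added; prints one line per problem found.
verify_toolchain() {         # verify_toolchain <toolchain_dir> <manifest>
  dir=$1; manifest=$2; status=0
  while read -r expected rel; do
    f="$dir/$rel"
    if [ ! -f "$f" ]; then
      echo "MISSING  $rel"; status=1; continue
    fi
    actual=$(sha256_of "$f")
    if [ "$actual" != "$expected" ]; then
      echo "MODIFIED $rel"; status=1
    fi
  done < "$manifest"
  # Anything present that was never pinned is also suspect, e.g. an extra
  # library dropped into the SDK for every app to link against.
  extra=$(find "$dir" -type f | LC_ALL=C sort | while read -r f; do
      rel=${f#"$dir"/}
      awk -v r="$rel" '$2 == r {ok=1} END {exit !ok}' "$manifest" \
        || echo "UNPINNED $rel"
    done)
  if [ -n "$extra" ]; then echo "$extra"; status=1; fi
  return $status
}

# Demo on a constructed toolchain: pin it, verify it, tamper with the
# compiler, and confirm the tampered copy is refused.
demo() {
  work=$(mktemp -d)
  tc="$work/toolchain"
  mkdir -p "$tc/usr/bin" "$tc/lib"
  printf '#!/bin/sh\necho "genuine compiler"\n' > "$tc/usr/bin/cc"
  printf 'runtime v1\n' > "$tc/lib/libruntime.a"
  pin_toolchain "$tc" "$work/manifest.sha256"
  verify_toolchain "$tc" "$work/manifest.sha256" && echo "clean toolchain: OK"
  # Simulated tampering: the compiler gains extra code and an unpinned
  # library appears next to the SDK.
  printf 'echo "extra code"\n' >> "$tc/usr/bin/cc"
  printf 'x\n' > "$tc/lib/libextra.a"
  if verify_toolchain "$tc" "$work/manifest.sha256"; then
    echo "tampered toolchain passed (should not happen)"
  else
    echo "tampered toolchain: REFUSED"
  fi
  rm -rf "$work"
}
demo
```

A manifest like this is a detection control, not a substitute for vendor code signing (on macOS `codesign --verify --deep` checks Apple's signature on Xcode itself), and it only helps if the manifest comes from a known-good copy and is kept out of reach of whatever could alter the toolchain; within those limits it catches exactly the pattern the report describes, where the compiler itself is the implant.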
While the Jamboree appears mostly focused on Apple products, that's not all. Microsoft's BitLocker disk encryption, and the TPM that protects its keys, were also targets:
Also presented at the Jamboree were successes in the targeting of Microsoft’s disk encryption technology, and the TPM chips that are used to store its encryption keys. Researchers at the CIA conference in 2010 boasted about the ability to extract the encryption keys used by BitLocker and thus decrypt private data stored on the computer. Because the TPM chip is used to protect the system from untrusted software, attacking it could allow the covert installation of malware onto the computer, which could be used to access otherwise encrypted communications and files of consumers.
Again, this points to a serious problem when the same government that is supposed to "protect us" is also in the business of hacking into systems. The communications technologies that "bad people" use are the same ones everyone else uses. The intelligence community has two choices: protect everyone, or undermine the security of everyone. It has chosen the latter.
“The U.S. government is prioritizing its own offensive surveillance needs over the cybersecurity of the millions of Americans who use Apple products,” says Christopher Soghoian, the principal technologist at the American Civil Liberties Union. “If U.S. government-funded researchers can discover these flaws, it is quite likely that Chinese, Russian and Israeli researchers can discover them, too. By quietly exploiting these flaws rather than notifying Apple, the U.S. government leaves Apple’s customers vulnerable to other sophisticated governments.”
There's been a lot of talk lately about the growing divide between the intelligence community and Silicon Valley. As more stories come out of projects to undermine those companies and the trust they've built with the public, it's only going to get worse.

Filed Under: backdoors, cia, encryption, hackathon, ios, jamboree, xcode
Companies: apple

Reader Comments

  1. JP Jones, 10 Mar 2015 @ 12:04pm

    It cracks me up that using someone else's password could be a violation of the CFAA, landing you years of prison time, but the CIA can hold "hack-a-thons" which encourage mass CFAA violations. Unless I missed a memo, government employees still have to obey the law. As a government employee, I'd really like to see that law, because right now I have to obey all of them and more (UCMJ).

    "But it's the CIA!" many of you may be thinking, "They're supposed to be hacking stuff!" Not quite. Just like the military, most intelligence services have clear "rules of engagement" when it comes to using their tools. One of those ROEs is usually "target is foreign" in varying degrees of specificity. While it's certainly possible they simply marked Apple as "foreign" somehow, that seems more than a little bit of a stretch.

    The weird part about all of this stuff is that it's illegal to mark illegal actions as classified for the purpose of hiding those actions. That's why the NSA made such a big deal about the FISA court making all their shenanigans "legal"; without that defense, they literally aren't allowed to classify it (or do it, for that matter). This is strange because EO 13526 is the fundamental order that drives virtually all classification guidelines throughout the government, and it specifically states the following:

    (a) In no case shall information be classified, continue to be maintained as classified, or fail to be declassified in order to:
    (1) conceal violations of law, inefficiency, or administrative error;
    (2) prevent embarrassment to a person, organization, or agency;
    (3) restrain competition; or
    (4) prevent or delay the release of information that does not require protection in the interest of the national security.
    (emphasis mine)

    Laws like the CFAA apply to organizations like the CIA; they don't get a magical free pass because it's their job, just like police don't just get to shoot anyone or break into their houses because it's their job (although it can sometimes be difficult to see). They need specific criteria to work around those laws.

    I'm curious if a group of civilian hackers would be prosecuted for doing the same thing. If so, and the CIA hackers are not using their tools specifically on a foreign intelligence or otherwise suspected criminal element (which Apple is not), they are clearly breaking the law.

    Just like the police, it's amazing what people will do when they have enough lawyers to ignore their violations and they've convinced themselves they're doing it "for our own good."
