CIA Holds Special Annual Hackathons Looking To Undermine Apple Encryption And Privacy

from the the-ijamboree dept

The latest big report from the Intercept is about an annual hackathon put on by the CIA (in which the NSA and others participate), where they try to hack encrypted systems, with a key focus on Apple products. The CIA calls this its annual "Trusted Computing Base Jamboree." The whole point: how the CIA can undermine trusted computing systems.
If you can't see that, it notes:
As in past years, the Jamboree will be an informal and interactive conference with an emphasis on presentations that provide important information to developers trying to circumvent or exploit new security capabilities.
In other words, rather than seeking to better protect Americans by making sure the security products they use remain secure, this event was about making everyone less safe -- in particular Apple users. The report notes how researchers have undermined Xcode so that the intelligence community can inject backdoors into lots of apps and reveal private keys (apparently not caring how that makes everyone less secure):
A year later, at the 2012 Jamboree, researchers described their attacks on the software used by developers to create applications for Apple’s popular App Store. In a talk called “Strawhorse: Attacking the MacOS and iOS Software Development Kit,” a presenter from Sandia Labs described a successful “whacking” of Apple’s Xcode — the software used to create apps for iPhones, iPads and Mac computers. Developers who create Apple-approved and distributed apps overwhelmingly use Xcode, a free piece of software easily downloaded from the App Store.

The researchers boasted that they had discovered a way to manipulate Xcode so that it could serve as a conduit for infecting and extracting private data from devices on which users had installed apps that were built with the poisoned Xcode. In other words, by manipulating Xcode, the spies could compromise the devices and private data of anyone with apps made by a poisoned developer — potentially millions of people.
The risks for nearly anyone using an Apple product should become pretty clear when you realize what this "whacked" Xcode can do:
  • “Entice” all Mac applications to create a “remote backdoor” allowing undetected access to an Apple computer.
  • Secretly embed an app developer’s private key into all iOS applications. (This could potentially allow spies to impersonate the targeted developer.)
  • “Force all iOS applications” to send data from an iPhone or iPad back to a U.S. intelligence “listening post.”
  • Disable core security features on Apple devices.
While the Jamboree appears mostly focused on Apple products, that's not all. Microsoft's BitLocker encryption was also a target:
Also presented at the Jamboree were successes in the targeting of Microsoft’s disk encryption technology, and the TPM chips that are used to store its encryption keys. Researchers at the CIA conference in 2010 boasted about the ability to extract the encryption keys used by BitLocker and thus decrypt private data stored on the computer. Because the TPM chip is used to protect the system from untrusted software, attacking it could allow the covert installation of malware onto the computer, which could be used to access otherwise encrypted communications and files of consumers.
Again, this suggests a serious problem when you have the same government that's supposed to "protect us" in charge of also hacking into systems. With today's modern technology, the communications technologies that "bad people" use are the same ones that everyone uses. The intelligence community has two choices: protect everyone, or undermine the security of everyone. It has chosen the latter.
“The U.S. government is prioritizing its own offensive surveillance needs over the cybersecurity of the millions of Americans who use Apple products,” says Christopher Soghoian, the principal technologist at the American Civil Liberties Union. “If U.S. government-funded researchers can discover these flaws, it is quite likely that Chinese, Russian and Israeli researchers can discover them, too. By quietly exploiting these flaws rather than notifying Apple, the U.S. government leaves Apple’s customers vulnerable to other sophisticated governments.”
There's been a lot of talk lately about the growing divide between the intelligence community and Silicon Valley. As more stories come out of projects to undermine those companies and the trust they've built with the public, it's only going to get worse.

Filed Under: backdoors, cia, encryption, hackathon, ios, jamboree, xcode
Companies: apple


Reader Comments



  1. Anonymous Coward, 10 Mar 2015 @ 12:43pm

    Re:

    "Unless I missed a memo, government employees still have to obey the law."
    In theory yes but who would enforce the law? I highly doubt that the police will raid the CIA. But that would mean someone has the guts to prosecute the CIA in the first place. Would you go after someone who knows everything about you and can place evidence on your or your friends' computers (i.e. child pron or money trace to some terror group) which destroys your/their life?

    "just like police don't just get to shoot anyone or break into their houses because it's their job (although it can sometimes be difficult to see)."
    Recent events show that they can shoot anyone and say "I felt threatened". Breaking into a house only requires someone to lie and say they heard a gunshot and/or someone is holding a person hostage (i.e. Twitch SWATing). How long till they catch on and that "someone" is a police officer from a payphone or something like that?


    "I'm curious if a group of civilian hackers would be prosecuted for doing the same thing."
    There are other hackathons so technically civilian hackers aren't prosecuted at least as long as they disclose their find to the company.
