GCHQ Used Compromised Hardware To Suck Data And Communications Out Of Exploit-Resistant iPhones
from the it-was-the-WiFi-in-the-library-with-the-backdoor dept
Included in the new Snowden document dump by Der Spiegel is one detailing the GCHQ's exploitation of iPhones [pdf link]. It isn't discussed much in the Der Spiegel piece (unsurprising, considering the number of documents revealed), but it has picked up press elsewhere.
The GCHQ managed to pull off a bit of a coup, considering the iPhone's general resistance to malware at the time. Instead of deploying an exploit to the target's phone directly, the GCHQ used an "endpoint machine" (a compromised computer or other device the phone synced with) to harvest data from the phone whenever it connected and synced. Alongside that, and similar to the NSA's exploitation of ad-tracking cookies, the GCHQ's program pulled the iPhone's UDID (Unique Device Identifier) out of intercepted app traffic, such as the requests iPhone apps made to AdMob. The document's reference to UDIDs "from any carrier being processed using DEBIT CARDs" reads, given the capitalisation GCHQ uses for its other program names, as a processing system rather than as card purchases; the document itself does not define the term.
The Mobile Theme has invested a large amount of research into iPhone apps and metadata analysis over the last year accumulating with a detailed report done by [redacted] in October 2009 and 29 SEM rules created by ICTR-MCT. These rules have been used to extract iPhone metadata for a number of apps and in particular the Unique Device Identifier (UDID) from any carrier being processed using DEBIT CARDs. Further TDI rules are being developed by GTE that will in the future extract UDID events from carriers processed through the MVR system. The resulting events have then been used to populate both research and corporate QFDs (Query Focused Datasets) such as MUTANT BROTH and AUTOASSOC and will eventually form the basis of mobile correlations in HARD ASSOC.

The end result of this proxy exploit? A ton of data and communications.
The WARRIORPRIDE exploit has resulted in extraction of the target's address book, sms, call logs, notes, WLAN logs, bookmarks, map query history, Safari browsing history and some images.

The document notes that this limited deployment resulted in the acquisition of three targets for the NSA, in addition to a number of UDIDs passed on to Tailored Access Operations (TAO, the NSA's exploitation unit), presumably so that further exploits could be pushed to the phones the next time they synced.
Unfortunately, further detail isn't forthcoming, as the accompanying guidance document -- the inadvertently hilariously-titled "Good Penetration Guide" -- has not been made public.
One particular case was a [redacted] target, [redacted] with yahoo selector that was seen active on an iPhone OS 3_1_2, as shown in Figure 8. The resulting Yahoo-B cookie is [redacted] and as can be seen the target has been active off [redacted]. Running the resulting Yahoo-cookie through MUTANT BROTH resulted in 171 events primarily on case notations GWUKGOOS, and IRUKCO36. The resulting information was then forwarded to the in the [redacted] team for tasking by the standard CNE process as outlined in the Good Penetration Guide.

The document is dated November 2010. Apple began phasing out the UDID the next year, deprecating the API in iOS 5, started rejecting apps that still read it in 2012, and finally banned app developers from using the identifier at all in May 2013. Considering the dates involved (the rules extracting UDIDs date from October 2009), the GCHQ had a window of well over two years in which the UDID collection and the sync-time exploitation it fed provided access to data and content.
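Read together, the two excerpts describe ordinary traffic analysis rather than anything exotic: a plaintext HTTP request from an ad SDK carries the 40-hex-character UDID, a request to Yahoo from the same handset carries the B cookie, and a rule that sees both can tie the two selectors together and hand the result to a query-focused dataset. The script below is an added example, not code from the leaked document or from GCHQ, and shows that extract-and-join over a small constructed capture. The request shapes, the AdMob query parameter name, the header names and the cookie value format are assumptions for illustration.

```python
import re
from collections import defaultdict

# An iPhone UDID was a 40-character hex string (SHA-1 over hardware identifiers).
UDID_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{40}(?![0-9a-f])", re.IGNORECASE)
# Yahoo's "B" cookie as it appears in a Cookie header. The value format is an
# assumption for this example; the document only names the cookie.
YAHOO_B_RE = re.compile(r"(?:^|;\s*)B=([^;\s]+)")
IOS_VERSION_RE = re.compile(r"iPhone OS (\d+_\d+_\d+)")

# Constructed sample capture: (client address, raw HTTP request head). None of
# this is real traffic; the AdMob parameter name and header names are assumed.
SAMPLE_CAPTURE = [
    ("198.51.100.23",
     "GET /ad_source.php?udid=a1b2c3d4e5f60718293a4b5c6d7e8f9012345678&app=weather HTTP/1.1\r\n"
     "Host: r.admob.com\r\n"
     "User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_2 like Mac OS X)\r\n\r\n"),
    ("198.51.100.23",
     "GET /mail/ HTTP/1.1\r\n"
     "Host: m.yahoo.com\r\n"
     "Cookie: B=0d3f9k15abcde; Y=v=1\r\n"
     "User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_2 like Mac OS X)\r\n\r\n"),
    # A second handset leaks its UDID in a header but never shows a cookie:
    # it produces a UDID event but nothing to correlate it with.
    ("203.0.113.9",
     "POST /track HTTP/1.1\r\n"
     "Host: api.analytics.example\r\n"
     "X-Device-Id: ffeeddccbbaa99887766554433221100ffeeddcc\r\n\r\n"),
]


def parse_request(raw):
    """Split an HTTP request head into (method, target, headers dict)."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def extract_udid(target, headers):
    """Return the first 40-hex UDID found in the request target or any header."""
    for text in (target, *headers.values()):
        match = UDID_RE.search(text)
        if match:
            return match.group(0).lower()
    return None


def extract_yahoo_b(headers):
    """Return the Yahoo B cookie value from a Cookie header, if present."""
    match = YAHOO_B_RE.search(headers.get("cookie", ""))
    return match.group(1) if match else None


def extract_ios_version(headers):
    """Return the iPhone OS version string advertised in the User-Agent."""
    match = IOS_VERSION_RE.search(headers.get("user-agent", ""))
    return match.group(1) if match else None


def link_udid_to_cookies(capture):
    """Join UDIDs and Yahoo B cookies seen from the same client address.

    Returns a sorted list of (udid, yahoo_b, ios_version) triples. Joining on
    client address is an assumption for this illustration (the document does
    not say how MUTANT BROTH associates selectors) and is a weak key in
    practice, because carrier NAT puts many handsets behind one address.
    """
    by_client = defaultdict(lambda: {"udid": set(), "yahoo_b": set(), "ios": set()})
    for client_ip, raw in capture:
        _method, target, headers = parse_request(raw)
        record = by_client[client_ip]
        udid = extract_udid(target, headers)
        if udid:
            record["udid"].add(udid)
        cookie = extract_yahoo_b(headers)
        if cookie:
            record["yahoo_b"].add(cookie)
        ios = extract_ios_version(headers)
        if ios:
            record["ios"].add(ios)
    triples = []
    for record in by_client.values():
        ios = ",".join(sorted(record["ios"]))
        for udid in sorted(record["udid"]):
            for cookie in sorted(record["yahoo_b"]):
                triples.append((udid, cookie, ios))
    return sorted(triples)


if __name__ == "__main__":
    for udid, cookie, ios in link_udid_to_cookies(SAMPLE_CAPTURE):
        print(f"UDID {udid} <-> Yahoo B {cookie} (iPhone OS {ios})")
```

The point a practitioner should take from this is how little was needed: no exploit touches the handset, the identifiers are simply in the clear. The first two requests pair up; the third yields a UDID event with nothing to join it to. The same join is what an ad network or any intermediary on the path could have done, which is why a stable, unencrypted hardware identifier in app traffic was a problem independent of who was intercepting it, and why TLS for app traffic and a resettable advertising identifier close this particular hole.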
Considering this collection was killed off, apparently without Apple knowing what it was killing, when the company retired its UDID system, it's no surprise the GCHQ is on board with UK Prime Minister David Cameron's call to forbid the sort of encryption Apple is now making available by default. No one likes to see a source dry up, especially one that relied on devices historically resistant to outside exploitation.
Filed Under: gchq, iphones, malware, surveillance, udid
Companies: apple
Reader Comments
On a lighter note...
the inadvertently hilariously-titled "Good Penetration Guide"
Next on Brazzers: GOOD PENETRATION GUIDE
Description: a love story between a NSA agent and his GCHQ bitch while they discover more haystacks and shades of gray
Re:
Why not? They wear Timberland boots, reputedly (I refer to some early news reports about the latest bunch of ME zealots). Gotta be cool for those videos! Plus there was the report in the UK press of how one young recruit wanted to go home because his iPod didn't work and he was made to wash dishes instead of being a front-line hero as he'd been led to believe.
Re: Re:
He should have read up on his military history. All militaries engage in this deception. The actual fact is that for every combat troop there are several more supporting them in the less "glamorous" behind-the-scenes roles like that.
Re: Re:
See, I'm your ordinary citizen, not a high profile terrorist.
Re:
Description: a love story between a NSA agent and his GCHQ bitch while they discover more haystacks and shades of gray...
That would actually attract an audience!
Make that a gay story to remain un-noticed.
Actually hard disk encryption would have no effect on an active hack. I.e., the hack was installed by either using a sync exploit or the PDF vulnerability, both of which would have to have access to the filesystem in some sort of unencrypted method to actually work. (The PDF vulnerability was actually used to do untethered jailbreaking of v4.3.3 and previous.) I believe the best thing now is better sandboxing from iOS which has cut a lot of these vulnerabilities, but of course new ones will always pop up as seen with the latest v8.1.2 jailbreak.
Re:
That's going too far. No, all you need to do is look at the Win* related malware front. Win*'s continuing inability to protect itself from malware makes Apple shine in comparison. I'm no Apple fanboi, but to say Apple's worse at basic system security is certainly wrong. MS' reaction to malware all along has been, "Not our problem, and we don't care if the system's design philosophy facilitates malware. It's up to the end user to sort that out as best they can."
Re: Re:
I never boycotted Apple, but I never forgave Apple for how they changed with the release of the original Mac. They went from being a company that supported and encouraged hobbyists to one that locked down their systems and told hobbyists they were no longer welcome. That trend only got worse in the years following.
There is no resistance.
1. Currently, 80% of all cell phones, from cheap throw-aways to luxury, run android.
2. It's easier to install pirated software on android.
3. Apple has no resistance which has been proven time and time again.
Re: Re:
I think that's far less important than whether Apple or MS are vulnerable to malware, and demonstrably MS is and always has been far less able to protect itself. It didn't care to, and in fact it enabled by bad design many of the worst malware exploit vectors.
Re:
http://www.theguardian.com/uk-news/2015/jan/22/cooperation-british-spies-gaddafi-libya-revealed-official-papers
I'm starting to wonder if a big part of the bulk surveillance is to create informants... lying about it, or just not mentioning the specifics.
Re: Re:
"The Libyans, meanwhile, said that potential recruits could be "intimidated" through threats to arrest relatives in Libya.
The following August, senior MI5 and MI6 officers and two Libyan intelligence officers met at MI5's headquarters in London. According to the Libyan minutes, MI5 warned the Libyans that individuals could complain to the police if they believed they were being harassed by MI5, and could also expose the British-Libyan joint operations to the media."
Re:
I'm beginning to believe that all the shouting from Cameron and Comey is BS. They know they're not going to kill secure crypto. They're just crying wolf to see if they can sucker stupid crooks/terrorists into believing they'll be safe from NSA/GCHQ, while the NSA in truth has no trouble cracking comms one way or another. This is all NSA bait and switch.
The only real solution is Android (hardware) plus Cyanogenmod, perhaps with i2p on top. I'm also beginning to believe tor's been cracked.