CIA Holds Special Annual Hackathons Looking To Undermine Apple Encryption And Privacy
from the the-ijamboree dept
The latest big report from the Intercept is about an annual hackathon, put on by the CIA (in which the NSA and others participate), where they try to hack encrypted systems, with a key focus on Apple products. The CIA calls this its annual "Trusted Computing Base Jamboree." The whole point: how can the CIA undermine trusted computing systems.

As in past years, the Jamboree will be an informal and interactive conference with an emphasis on presentations that provide important information to developers trying to circumvent or exploit new security capabilities.

In other words, rather than seeking to better protect Americans by making sure the security products they use remain secure, this event was about making everyone less safe -- in particular Apple users. The report notes how researchers have undermined Xcode so that the intelligence community can inject backdoors into lots of apps and reveal private keys (apparently not caring how that makes everyone less secure):
A year later, at the 2012 Jamboree, researchers described their attacks on the software used by developers to create applications for Apple’s popular App Store. In a talk called “Strawhorse: Attacking the MacOS and iOS Software Development Kit,” a presenter from Sandia Labs described a successful “whacking” of Apple’s Xcode — the software used to create apps for iPhones, iPads and Mac computers. Developers who create Apple-approved and distributed apps overwhelmingly use Xcode, a free piece of software easily downloaded from the App Store.

The risks for nearly anyone using an Apple product should become pretty clear when you realize what this "whacked" Xcode can do:
The researchers boasted that they had discovered a way to manipulate Xcode so that it could serve as a conduit for infecting and extracting private data from devices on which users had installed apps that were built with the poisoned Xcode. In other words, by manipulating Xcode, the spies could compromise the devices and private data of anyone with apps made by a poisoned developer — potentially millions of people.
- “Entice” all Mac applications to create a “remote backdoor” allowing undetected access to an Apple computer.
- Secretly embed an app developer’s private key into all iOS applications. (This could potentially allow spies to impersonate the targeted developer.)
- “Force all iOS applications” to send data from an iPhone or iPad back to a U.S. intelligence “listening post.”
- Disable core security features on Apple devices.
Also presented at the Jamboree were successes in the targeting of Microsoft’s disk encryption technology, and the TPM chips that are used to store its encryption keys. Researchers at the CIA conference in 2010 boasted about the ability to extract the encryption keys used by BitLocker and thus decrypt private data stored on the computer. Because the TPM chip is used to protect the system from untrusted software, attacking it could allow the covert installation of malware onto the computer, which could be used to access otherwise encrypted communications and files of consumers.

Again, this suggests a serious problem when you have the same government that's supposed to "protect us" in charge of also hacking into systems. With today's modern technology, the communications technologies that "bad people" use are the same ones that everyone uses. The intelligence community has two choices: protect everyone, or undermine the security of everyone. It has chosen the latter.
“The U.S. government is prioritizing its own offensive surveillance needs over the cybersecurity of the millions of Americans who use Apple products,” says Christopher Soghoian, the principal technologist at the American Civil Liberties Union. “If U.S. government-funded researchers can discover these flaws, it is quite likely that Chinese, Russian and Israeli researchers can discover them, too. By quietly exploiting these flaws rather than notifying Apple, the U.S. government leaves Apple’s customers vulnerable to other sophisticated governments.”

There's been a lot of talk lately about the growing divide between the intelligence community and Silicon Valley. As more stories come out of projects to undermine those companies and the trust they've built with the public, it's only going to get worse.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Filed Under: backdoors, cia, encryption, hackathon, ios, jamboree, xcode
Companies: apple
Reader Comments
Re:
Nope. Not illegal under the CFAA.
18 USC Section 1030 - Fraud and related activity in connection with computers (more commonly known as the Computer Fraud and Abuse Act)
Paragraph F has the Law Enforcement/Intelligence Community/Military carve out verbiage (from https://www.law.cornell.edu/uscode/text/18/1030)
This type of carve out is pretty much boilerplate.
Re:
And actually, I think what they're doing is nearly a good thing. Of course, subverting XCode helps no-one, but breaking TPM with side-channel attacks does. On one condition: Publication.
That said, without publication, the CIA is of course not helping to make anything more secure, but making everyone less secure, including the rest of the USA.
Not 'can', 'have'
The security flaws they are creating are valuable enough that the odds that not one person at the event can be, or has been bought off to 'share' them is so close to zero as to be indistinguishable. So basically the CIA is hosting an event, paid for by the US taxpayers, to undermine the security of otherwise secure devices, and sharing the results not only with other US agencies, but everyone else as well.
Yet another example making it crystal clear that US government agencies have absolutely no interest in protecting US security, but only care about destroying it and making their jobs just a little bit easier as a result.
Wait. What?
That "closet" metaphor is exactly why we need privacy.
Re: As a Linux admin
- The NSA
Re: As a Linux admin
Of course they can, but it all ends up on users' desktop boxes which are practically open, so why bother?
We save the heavy lifting for Putin's FSB network.
And now for something completely different...
So...some of the best CompSci minds in the US figured out that if you control the compiler, you can make code compiled with that compiler do what you what you want. And even better, if you put that compiler on the workstation of a developer who builds a popular product, you get a compromised binary installed on lots of systems.
Am I missing something? This attack vector is obvious, and frankly every compiler available, across every computing platform available, is "vulnerable" to this type of manipulation.
This goes all the way back to Ken Thompson's ACM Turing Award Lecture "Reflections on trusting trust" - that he presented in August of 1984, if I'm not mistaken - and was fairly well known and understood back then.
Re: Re: And now for something completely different...
How many developers actually validate their compilers? As far as I'm aware, very few people/organizations expend any effort on the compiler unless it's producing obviously broken object code - particularly when the compiler is delivered pre-built, like XCode is.
When I see phrases like "developers were boasting" that they'd figured out how to manipulate a compiler, it makes it sound like they felt they'd hit on a fresh, new concept.
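The question above ("how many developers actually validate their compilers?") has a concrete defensive answer: pin hashes of the installed toolchain and re-check them. The script below is an added example, not code from Techdirt, the Intercept report, or Apple; it assumes a SHA-256 manifest that was recorded from a trusted, independently obtained copy of the toolchain, and the toolchain files it builds in a temporary directory are constructed stand-ins, not real compiler binaries.

```python
"""Toolchain integrity check: compare a developer's installed compiler files
against a pinned SHA-256 manifest and report anything that drifted.

Added example (not from the page). The manifest format and the sample files
in demo() are constructed for illustration; in real use the manifest must be
pinned from a trusted copy, not generated from the install being checked.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def verify(root, manifest):
    """Compare the install at root with the pinned manifest.

    Returns modified files (hash differs), missing files (pinned but absent),
    unexpected files (present but never pinned), and an overall clean flag.
    Unexpected files matter here: a dropped-in plugin or library is exactly
    how a poisoned toolchain would show up.
    """
    actual = snapshot(root)
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in actual)
    unexpected = sorted(p for p in actual if p not in manifest)
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "clean": not (modified or missing or unexpected),
    }


def demo():
    """Constructed scenario: a toolchain tree that matches its manifest, then the
    same tree after one binary is replaced and a stray library is added."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "bin/clang": b"clang build 1234 (constructed stand-in for a binary)\n",
            "lib/libcompiler.dylib": b"libcompiler (constructed stand-in)\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        # Stands in for the pinned manifest; in practice it comes from a trusted copy.
        manifest = snapshot(root)
        before = verify(root, manifest)

        # Simulate tampering: the compiler binary is swapped and a library appears.
        with open(os.path.join(root, "bin/clang"), "wb") as f:
            f.write(b"clang build 1234 with an extra, unexpected code path\n")
        with open(os.path.join(root, "lib/injected.dylib"), "wb") as f:
            f.write(b"not part of the pinned toolchain\n")
        after = verify(root, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

The check is only as good as where the manifest came from: hashing the install you are about to verify just lets a poisoned copy certify itself, so the pinned hashes have to be recorded out of band (a clean machine, a second download channel) and stored where the developer workstation cannot rewrite them. On macOS this complements, rather than replaces, Apple's own signature check (`codesign --verify`): the signature tells you the bundle is what Apple signed, the manifest tells you it is the same bundle you audited last time.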
Re: Re: Re: Re: Re: And now for something completely different...
Not proof against a man in the middle attack, as the connection to both sites can be redirected to a compromised site, especially if the attacker is a government agency. Key distribution, and securing the crypto system are the hardest problems to solve in designing a crypto system. Even public key systems are problematic in this area, as how do you know that the person giving you a public key is who they claim to be?
Re: Re: Re: And now for something completely different...
They were talking about an actual exploit, not the concept of compromising a compiler.
Re: Re: Re: And now for something completely different...
They probably did. I don't think I've seen a genuinely fresh, new concept in the computer space since the '90s, but not a day goes by that an old concept is trotted out and everyone acts like it's something new. The latest example would be "the cloud". (In fairness, there may have been one or two genuinely new concepts that I just don't remember right now, but still.)
I think this is a function of age and the woeful ignorance the newer crops of engineers have about the history of the field.
Do these guys have absolutely no limits anymore? What the F is that "strong oversight Committee" doing over there??
Re:
I'm sure you've seen one of those cartoons or shows where the criminal takes a picture from the point of view of the security camera and then places it in front of the security camera so that it looks like everything is normal.
I imagine it's much the same for the oversight committee. They haven't figured out that it's just a picture yet.
Re:
The problem is that they don't publish their findings, so the vulnerabilities can be fixed.
"But it's the CIA!" many of you may be thinking, "They're supposed to be hacking stuff!" Not quite. Just like the military, most intelligence services have clear "rules of engagement" when it comes to using their tools. One of those ROEs is usually "target is foreign" in varying degrees of specificity. While it's certainly possible they simply marked Apple as "foreign" somehow that seems more than a little bit of a stretch.
The weird part about all of this stuff is that it's illegal to mark illegal actions as classified for the purpose of hiding those actions. That's why the NSA made such a big deal about the FISA court making all their shenanigans "legal," without that defense, they literally aren't allowed to classify it (or do it, for that matter). This is strange because EO 13526 is the fundamental order that drives virtually all classification guidelines throughout the government, and it specifically states the following:
(a) In no case shall information be classified, continue to be maintained as classified, or fail to be declassified in order to:
(1) conceal violations of law, inefficiency, or administrative error;
(2) prevent embarrassment to a person, organization, or agency;
(3) restrain competition; or
(4) prevent or delay the release of information that does not require protection in the interest of the national security. (emphasis mine)
Laws like the CFAA apply to organizations like the CIA; they don't get a magical free pass because it's their job, just like police don't just get to shoot anyone or break into their houses because it's their job (although it can sometimes be difficult to see). They need specific criteria to work around those laws.
I'm curious if a group of civilian hackers would be prosecuted for doing the same thing. If so, and the CIA hackers are not using their tools specifically on a foreign intelligence or otherwise suspected criminal element (which Apple is not), they are clearly breaking the law.
Just like the police, it's amazing what people will do when they have enough lawyers to ignore their violations and they've convinced themselves they're doing it "for our own good."
Re:
In theory yes but who would enforce the law? I highly doubt that the police will raid the CIA. But that would mean someone has the guts to prosecute the CIA in the first place. Would you go after someone who knows everything about you and can place evidence on your or your friends' computers (i.e. child pron or money trace to some terror group) which destroys your/their life?
"just like police don't just get to shoot anyone or break into their houses because it's their job (although it can sometimes be difficult to see)."
Recent events show that they can shoot anyone and say "I felt threatened". Breaking into a house only requires someone to lie and say they heard a gunshot and/or someone is holding a person hostage (i.e. Twitch SWATing). How long till they catch on and that "someone" is a police officer from a payphone or something like that?
"I'm curious if a group of civilian hackers would be prosecuted for doing the same thing."
There are other hackathons so technically civilian hackers aren't prosecuted at least as long as they disclose their find to the company.
Re: Re:
...And this is why "Congressional Oversight" has failed so miserably, and will continue to do so.
Re: Re:
Most houses don't have an armed security force with guns including automatic arms in them.
(Yes, I'd like to see that raid!)
Re: Re:
There are other hackathons so technically civilian hackers aren't prosecuted at least as long as they disclose their find to the company.
Sorry, this was a rhetorical question. The "hackathons" you're talking about are programming expos; nothing that would constitute a computer crime happens there (at least, not without risking prosecution). While illegal hackathons certainly exist they can also be legally prosecuted. Likewise, disclosing your finds may not protect you from prosecution.
This all goes back to the horror of what Snowden revealed. It's bad enough that it was happening. The real tragedy, however, is that it was all considered legal. You know there's a problem when the American public is outraged over something that, for all practical purposes, broke no law. If that doesn't reveal the size of the schism between what the people want and our government's actions I don't know what does.
Re:
Most US Federal laws around this type of activity include explicit exceptions for LE/IC/Military organizations.
Easy way to check: Pull up the specific law in question in a browser, and search repeatedly for the word "intelligence". When you get to the phrase "intelligence community", you have arrived. That's where the LE and Military exemptions will be as well.
Re: Re:
In this case, it's safe to assume that CIA legal counsel has a set of orders stashed away which "authorizes" the activity for the purposes of compliance with the CFAA. And if they don't, well, it's fairly trivial (in practice) to generate such paperwork retroactively.
Apple Pay = CIA Pay ?
http://www.washingtonpost.com/blogs/the-switch/wp/2015/02/13/apple-pay-gets-a-big-vote-of-confidence-from-the-u-s-government/
Hmmmm....
hacking is ok if the government does it
Teaching the old dog new tricks.
Disgruntled employee hacks roller-coaster ride, killing 1 - (then 2 more later from injuries) - and wounding many, by copying current employees cards using a fake card reader, and then using one of the stolen card-keys to open the control room where he inserts a perfect piece of code that spoofs the system's accident prevention mechanisms into believing nothing is amiss while the cars roll off the rails.
One of the hackers is a caught criminal coerced into working for the fed in return for not going to prison for his cyber crimes.
It's a truly toss-your-cookies piece of public propaganda pablum.