Was Apple security ‘flaw’ actually an NSA backdoor?
Among the first documents leaked by onetime government contractor Edward Snowden was a slide listing companies the National Security Agency tapped into to help them conduct their secret PRISM spying program. Not surprisingly, the list is rich with giant tech firms: Microsoft, Yahoo, Google, Facebook — and Apple. According to the slide, the NSA broke into Apple’s data in October 2012.
A month ago, Snowden revealed new documents showing the NSA had conducted espionage on iPhones with a program dubbed DROPOUT JEEP, which allowed the agency access to text messages, voicemails and other personal data.
Here’s where it gets interesting.
Last week, Apple announced that it had discovered a major security flaw in its iOS operating system. The flaw, called “Gotofail,” allowed hackers or other actors — including spies — to access theoretically secure data transmitted through wireless connections or along a shared network. Such data included that sent through SSL, a method employed by websites to protect credit card numbers and other personal information when establishing a connection between a customer and a merchant’s point of sale.
The flaw was a simple one, a mistake in a line of code. Just an “if” clause, nested deep within lines of code.
Over the weekend, coding experts examined the timeline of the NSA’s penetration of Apple’s data and the date the flaw first emerged. They made a curious discovery: the flaw appeared in Apple’s code just a month before the NSA internally reported success in hacking Apple. Fortune’s Philip Elmer-DeWitt reports:
* Sept. 24, 2012: iOS 6.0 is released
* Oct. 2012: Apple is added to the NSA’s list of penetrated servers
* Dec. 1, 2012 to May 31, 2013: Apple receives 4,000 to 5,000 requests about 9,000 to 10,000 accounts and devices. (Per “Apple’s Commitment to Customer Privacy”.)
One coder, Daring Fireball’s John Gruber, got down to the nitty gritty. Taking great pains to note the evidence was circumstantial, he nevertheless drew attention to the following facts: 1) the flaw first emerged in iOS 6.0, 2) iOS 6.0 was released publicly on Sept. 24, 2012, and 3) Snowden’s NSA slide has the agency tapping into Apple’s customers a month later.
“These three facts prove nothing; it’s purely circumstantial,” Gruber wrote. “But the shoe fits.”
“Sure would be interesting to know who added that spurious line of code to the file,” he continued. “Conspiratorially, one could suppose the NSA planted the bug, through an employee mole, perhaps. Innocuously, the Occam’s Razor explanation would be that this was an inadvertent error on the part of an Apple engineer. It looks like the sort of bug that could result from a merge gone bad, duplicating the goto fail; line.”
But “once the bug was in place, the NSA wouldn’t even have needed to find the bug by manually reading the source code. All they would need are automated tests using spoofed certificates that they run against each new release of every OS. Apple releases iOS, the NSA’s automated spoofed certificate testing finds the vulnerability, and boom, Apple gets “added” to PRISM. ([It] wasn’t even necessarily a fast turnaround — the NSA could have discovered the vulnerability over the summer, while iOS 6 was in developer program beta testing.)”
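To make the duplicated-line bug concrete, here is a simplified model added for illustration; it is not Apple's code. The function names and the two-step handshake are hypothetical, and the sample handshakes are constructed. It shows the flawed shape beside a corrected one, plus the kind of negative test (feed the verifier a bad signature and expect rejection) that would catch it:

```c
#include <stdio.h>
/* Constructed model of a handshake: each flag says whether that step would pass. */
typedef struct { int hash_ok; int sig_ok; } handshake_t;
typedef int (*verify_fn)(const handshake_t *);

/* Hypothetical stand-ins for the real checks; 0 means success. */
static int update_hash(const handshake_t *h)     { return h->hash_ok ? 0 : -1; }
static int check_signature(const handshake_t *h) { return h->sig_ok ? 0 : -1; }

/* Flawed shape: the second "goto fail;" is not governed by the if, so it always
 * runs with err == 0 and the signature check below it is never reached. */
int verify_flawed(const handshake_t *h)
{
    int err;
    if ((err = update_hash(h)) != 0)
        goto fail;
        goto fail;
    if ((err = check_signature(h)) != 0)
        goto fail;
fail:
    return err;
}

/* Corrected shape: braces on every branch, one jump per failed check. */
int verify_fixed(const handshake_t *h)
{
    int err;
    if ((err = update_hash(h)) != 0) {
        goto fail;
    }
    if ((err = check_signature(h)) != 0) {
        goto fail;
    }
fail:
    return err;
}

/* Negative test helper: returns 1 if the verifier accepts the given handshake. */
int accepts(verify_fn verify, int hash_ok, int sig_ok)
{
    handshake_t h = { hash_ok, sig_ok };
    return verify(&h) == 0;
}

int main(void)
{
    printf("bad signature accepted: flawed=%d fixed=%d\n",
           accepts(verify_flawed, 1, 0), accepts(verify_fixed, 1, 0));
    return 0;
}
```

Compilers can flag this layout: GCC's -Wmisleading-indentation and Clang's -Wunreachable-code both target it.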
Highlighting Gruber’s post, another Apple-focused blogger said the timeline for the emergence of the security flaw was puzzling.
“Again, all of this is circumstantial and speculative, and Apple has come out numerous times vehemently denying its involvement in any NSA program,” iDownloadblog’s Cody Lee wrote earlier today. “But the timing is rather odd, and it makes you wonder how such a serious bug went undiscovered for over a year.”
As Lee noted, Apple has repeatedly denied cooperating with the NSA in any fashion.
“Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone,” Apple said in a January statement. “Additionally, we have been unaware of this alleged NSA program targeting our products. We care deeply about our customers’ privacy and security.”
Apple released a patch Friday to fix the security bug for iPhones, iPads and iPod touches. It remains open on OS X for the Mac.