Quantcast
Connect with us

Was Apple security ‘flaw’ actually a NSA backdoor?

Published

on

Among the first documents leaked by onetime government contractor Edward Snowden was a slide listing companies the National Security Agency tapped into to help them conduct their secret PRISM spying program. Not surprisingly, the list is rich with giant tech firms: Microsoft, Yahoo, Google, Facebook — and Apple. According to the slide, the NSA broke into Apple’s data in October 2012.

ADVERTISEMENT

A month ago, Snowden revealed new documents showing the NSA had conducted espionage on iPhones with a program dubbed DROPOUT JEEP, which allowed the agency access to text messages, voicemails and other personal data. (Video regarding that program appears below.)

Here’s where it gets interesting.

Last week, Apple announced that it had discovered a majority security flaw in its OS operating system. The flaw, called “Gotofail,” allowed hackers or other actors — including spies — to access to theoretically secure data transmitted through wireless connections or along a shared network. Such data included that sent through SSL, a method  employed by websites to protect credit card numbers and other personal information when establishing a connection between a customer and a merchant’s point of sale.

The flaw was a simple one, a mistake in a line of code. Just an “if” clause, nested deep within lines of code.

Over the weekend, coding experts examined the timeline of the NSA’s penetration of Apple’s data and the date the flaw first emerged. They made a curious discovery: that the flaw appeared in Apple’s code just a month before the NSA internally reported success in hacking Apple. Fortune’s Phillip Elmer-DeWitt reports:

ADVERTISEMENT

* Sept. 24, 2012: iOS 6.0 is released
* Oct. 2012: Apple is added to the NSA’s list of penetrated servers
* Dec. 1, 2012 to May 31, 2013: Apple receives 4,000 to 5,000 requests about 9,000 to
10,000 accounts and devices. (Per “Apple’s Commitment to Customer Privacy“.)

One coder, Dancing Fireball‘s John Gruber, got down to the nitty gritty. Taking great pains to note the evidence was circumstantial, he nevertheless drew attention to the following facts. 1) The flaw first emerged in iOS 6.0, 2) iOS 6.0 was released publicly on Sept. 24, 2012, and 3)  Snowden’s NSA slide has the agency tapping into Apple’s customers a month later.



ADVERTISEMENT

“These three facts prove nothing; it’s purely circumstantial,” Gruber wrote. “But the shoe fits.”

“Sure would be interesting to know who added that spurious line of code to the file,” he continued. “Conspiratorially, one could suppose the NSA planted the bug, through an employee mole, perhaps. Innocuously, the Occam’s Razor explanation would be that this was an inadvertent error on the part of an Apple engineer. It looks like the sort of bug that could result from a merge gone bad, duplicating the goto fail; line.

ADVERTISEMENT

But “once the bug was in place, the NSA wouldn’t even have needed to find the bug by manually reading the source code. All they would need are automated tests using spoofed certificates that they run against each new release of every OS. Apple releases iOS, the NSA’s automated spoofed certificate testing finds the vulnerability, and boom, Apple gets “added” to PRISM. ([It] wasn’t even necessarily a fast turnaround — the NSA could have discovered the vulnerability over the summer, while iOS 6 was in developer program beta testing.)”

Highlighting Gruber’s post, another Apple-focused blogger said the timeline for the emergence of the security flaw was puzzling.

“Again, all of this is circumstantial and speculative, and Apple has come out numerous times vehemently denying its involvement in any NSA program,” iDownloadblog’s Cody Lee wrote earlier today. “But the timing is rather odd, and it makes you wonder how such a serious bug went undiscovered for over a year.”

ADVERTISEMENT

As Lee noted, Apple has repeatedly denied cooperating with the NSA in any fashion.

“Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone,” Apple said in a January statement. “Additionally, we have been unaware of this alleged NSA program targeting our products. We care deeply about our customers’ privacy and security.”

Apple released a patch Friday to fix the security bug for iPhones, iPads and iPod touches. It remains open on OS X for the Mac.

More information on the NSA’s DROPOUT JEEP program appears below.

ADVERTISEMENT

 

 


Report typos and corrections to: [email protected].
READ COMMENTS - JOIN THE DISCUSSION
Continue Reading

Breaking Banner

Louisiana judge admits to exchanging racist texts with cop boyfriend about courtroom employees

Published

on

Appearing on a local TV station on Sunday, a district court judge in Assumption Parrish in Louisiana owned up to racist comments she made about African-American employees in her courtroom that she texted to her then-police officer boyfriend.

According to WAFB, Judge Jessie LeBlanc initially denied using the N-word about a black sheriff’s deputy and a black law clerk in her district when texting with former chief deputy, Capt. Bruce Prejean, with whom she was involved while both were married.

Continue Reading

Breaking Banner

Julian Assange lawyer tells court: After pardon fell through, Trump administration resorted to ‘extortion’

Published

on

An attorney for WikiLeaks founder Julian Assange accused the Trump administration of extortion in a London court on Monday.

The WikiLeaks attorney appeared at Woolwich Crown Court along with U.S. prosecutors, who argued that Assange should be extradited the United States, where he faces 18 charges and up to 175 years in jail.

Attorneys for Assange previously told the court that former Congressman Dana Rohrabacher (R-CA) tried to broker a pardon deal between the White House and Assange if he would agree to say that Russia was not the source of hacked Democratic Party emails.

Continue Reading
 

Breaking Banner

Black teens shocked after basketball announcer calls their names ‘disgusting’

Published

on

A longtime announcer at high-school basketball games in Oklahoma sparked outrage last week when he said that black players on the Crooked Oak High School lady's basketball team had "disgusting" names.

Local news station KFOR reports that the announcer made the remarks during a game between Crooked Oak and rival Newkirk High School on Friday.

In a video taken at the game, the announcer can be heard saying, "The Crooked Oak Lady Ruff Necks, now their names are pretty disgusting."

Continue Reading
 
 
close-image