Snowden docs show CIA's attempts to defeat Apple device security

10.03.2015
Researchers sponsored by the U.S. government have reportedly tried to defeat the encryption and security of Apple devices for years.

Several presentations given between 2010 and 2012 at a conference sponsored by the U.S. Central Intelligence Agency described attempts to decrypt the firmware in Apple mobile devices or to backdoor Mac OS X and iOS applications by poisoning developer tools.

Abstracts of the secret presentations were among the documents leaked by former U.S. National Security Agency contractor Edward Snowden to journalists and were published Tuesday by The Intercept.

The U.S. intelligence community's interest in hacking Apple products goes as far back as 2010, when a researcher presented possible methods of implanting the iPhone 3GS with malware at an annual conference called the Trusted Computing Base Jamboree, which, according to The Intercept, is sponsored by the CIA's Information Operations Center. The presentation also covered ways to jailbreak the device.

Over the next couple of years, the same conference included more talks on ways to bypass the security of Apple devices. For example, in 2011 researchers presented a technique to "noninvasively" extract the cryptographic key that's used to encrypt the firmware of devices based on Apple's A4 processor, like the iPhone 4, the iPod Touch and the first generation iPad.

The key, which is called the Group ID (GID), is stored inside the physical chip. The researchers tried to recover it by studying the electromagnetic emissions that occur during Advanced Encryption Standard (AES) operations, a technique known as differential power analysis.

"If successful, it would enable decryption and analysis of the boot firmware for vulnerabilities, and development of associated exploits across entire A4-based product-line," they wrote in a description of their presentation.

It's not clear if the researchers ever succeeded in recovering the key, but their presentation covered the progress they had made until then.

A separate talk described methods of determining where the GID key was located on the A4 integrated circuit and how it could be recovered through an invasive technique like the "physical de-processing of the chip."

By the following year the A5 processor used in the iPhone 4S, iPad 2, iPod Touch fifth generation and the iPad mini was also being targeted. Researchers from Sandia National Laboratories, a Federally Funded Research and Development Center (FFRDC) operated by Lockheed Martin subsidiary Sandia Corporation, had a talk entitled "Apple A4/A5 Application Processors Analysis." The presentation had no abstract and attendees looking for more information about it were instead instructed to call or email a CIA official.

It wasn't just Apple's master encryption keys that the U.S. intelligence community was interested in, but also the individual keys used by private developers to sign their iOS or Mac OS X apps.

Researchers from Sandia Labs gave a talk about their efforts to create a modified, or "whacked" version of Xcode, the free tool that developers use to create software for Apple devices. The poisoned version of Xcode could insert a backdoor into any applications created with it, could hide the confirmation prompts when a developer's private key was exported and could embed a developer's key into all iOS apps created with the tool, from where it could be later extracted.

"We also describe how we modified both the Mac OS X updater to install an extra kernel extension (a keylogger) and the Xcode installer to include our SDK [software development kit] whacks," the researchers wrote in their talk's description.

The FBI and U.S. intelligence agencies have voiced concern over the past year that the increased addition of default encryption to mobile devices and Internet communications make lawful electronic surveillance impossible. They call this the Going Dark problem.

Such agencies would like to see an approach where companies could offer encryption, but also be able to comply with government requests for data. Many security experts and privacy advocates believe this would involve building backdoors into encryption implementations that could also be exploited by hackers.

"I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services," Apple CEO Tim Cook wrote in an open letter in September. "We have also never allowed access to our servers. And we never will."

Lucian Constantin