Update: One of the approaches suggested – modifying Xcode to inject malware – has now been used, though we don’t at this stage know who was responsible.
The Central Intelligence Agency has conducted “a multi-year, sustained effort to break the security of Apple’s iPhones and iPads,” claims The Intercept, referencing new Snowden leaks of a document from the CIA’s internal wiki system.
A presentation on the attempts, focusing on breaking Apple’s encryption of iOS devices, was said to have been delivered at an annual CIA conference called the Jamboree.
Studying both “physical” and “non-invasive” techniques, U.S. government-sponsored research has been aimed at discovering ways to decrypt and ultimately penetrate Apple’s encrypted firmware. This could enable spies to plant malicious code on Apple devices and seek out potential vulnerabilities in other parts of the iPhone and iPad currently masked by encryption.
One route reportedly taken by the CIA was to create a modified version of Xcode, which would allow it to compromise apps at the point at which they are created …
The modified version could slip CIA code into any apps created by developers.
The modified version of Xcode, the researchers claimed, could enable spies to steal passwords and grab messages on infected devices. Researchers also claimed the modified Xcode could “force all iOS applications to send embedded data to a listening post.”
However, as Xcode is distributed direct by Apple, it “remains unclear” how they would switch developers to the compromised version.
While most of the presentation focused on iOS, the CIA presenters also claimed to have created a rogue version of the OS X updater, which would install a keylogger on Macs.
Unsurprisingly, the CIA refused to comment on the report, and Apple pointed to its numerous statements on its stance on security and privacy.
Apple last year created a new security page on its website, Tim Cook writing a letter stressing the company’s commitment to data privacy. Cook was also the only tech CEO to speak at a White House cybersecurity summit, taking an uncompromising line in refusing to cooperate with government demands to weaken security.
History has shown us that sacrificing our right to privacy can have dire consequences […] we risk our way of life.
Apple was one of a number of tech companies to last year lobby the government to curb NSA data-collection.