The CIA has been working with security researchers to hack into Apple’s technology since long before we all carried Apple devices around in our pockets.
That’s according to a new report from The Intercept, based on documents supplied by National Security Agency whistleblower Edward Snowden.
The story lays out in detail how, for nearly a decade now, the CIA has been working on ways to penetrate Apple’s iPhones and iPads, in order to collect data on Apple customers, which Apple CEO Tim Cook has publicly and repeatedly vowed to protect. According to the report, researchers have been targeting Apple’s security keys, which encrypt user data, as well as working on their own version of Xcode, Apple’s software development tool, which would give the intelligence community access to any apps developed using the modified tool—access which Apple does not otherwise allow. One document cited in the report notes that this tool could “force all iOS applications to send embedded data to a listening post.” These and other findings have been presented annually at the CIA’s Trusted Computing Base Jamboree conference.
The goal of this research, according to the documents, was to make the CIA less dependent on “a very small number of internet security flaws, many of which are public, which Apple eventually patches.” The new methods researchers have been pursuing were designed to go undetected. And yet, none of the documents indicate whether or not these methods have been proven to work.
If successful, however, the implications of such breaches would be immense, because, as Matthew Green, a cryptography expert at Johns Hopkins University’s Information Security Institute told, “Every other manufacturer looks to Apple. If the CIA can undermine Apple’s systems, it’s likely they’ll be able to deploy the same capabilities against everyone else.”
This report comes less than a year after Apple launched a new website, detailing the lengths the company goes to protect user data. In an open letter, CEO Tim Cook wrote that Apple had never allowed government agencies access to a “backdoor” to its products and services. “And we never will,” he added. The site also noted that on iOS 8, all user data is protected by users’ own passwords, which Apple cannot bypass. These default encryption settings earned high praise from privacy advocates but spurred widespread criticism from government officials, including U.S. Attorney General Eric Holder and FBI Director James Comey, who said such protections could cripple law enforcement investigations.
According to one American Civil Liberties Union technologist quoted in The Intercept, these changes have only served to fuel the intelligence community’s desire to seek out vulnerabilities in Apple’s encryption technology. It’s an effort that is well funded, and not limited to Apple’s products. According to one classified budget, a 2012 project designed to infiltrate “strong commercial data security systems” received $35 million in funding.
The projects are part of an overarching shift at the CIA toward cyberespionage. Just last week, CIA director John Brennan issued a memo stating that digital technology must be “at the very center of all our mission endeavors.” Brennan’s memo seemed to suggest that this shift was a reaction to intelligence officers’ dwindling involvement in armed conflict in Iraq and Afghanistan. “Now they have to go back to old-school spying, recruiting agents, getting people to tell you secrets in a peaceful environment,” he wrote. And yet, the Agency’s heightened interest in infiltrating American companies on American soil seems to tell a different story.
It’s a strategy that Green believes could not only threaten American privacy, but also the US economy. “US tech companies have already suffered overseas due to foreign concerns about our products’ security,” he told. “The last thing any of us need is for the US government to actively undermine our own technology industry.”