Apple’s iPhone is one of the most popular devices on the planet, and its popularity has made it a target for exploitation by the U.S. National Security Agency. In a presentation at the Chaos Communication Congress in Hamburg, Germany, on Dec. 30, security researcher Jacob Appelbaum discussed multiple exploits in the NSA’s catalog of vulnerable devices and systems.
Appelbaum’s talk complemented a report he helped to author in the German publication Der Spiegel over the weekend. The report includes new revelations from NSA whistleblower Edward Snowden about U.S. surveillance operations and capabilities.
The report details the NSA’s Tailored Operations Unit (TAO) as well as a listing of vulnerable technologies. According to the report, a program referred to as “DROPOUTJEEP” is available to NSA agents to surveil Apple iOS users. The program enables the government to both send files to and receive files from the exploited devices as well as gain access to the devices’ contact lists, cameras and microphones.
During his presentation, Appelbaum raised the question of how the Apple devices were exploited.
“The NSA claims that anytime they target an iOS device, it will succeed,” Appelbaum said. “So either they have a huge collection of exploits against Apple products, meaning they are hoarding information about critical systems that American companies produce and sabotaging them, or Apple sabotaged it themselves.”
Appelbaum added that he’s not sure what the answer is, and that it could well be that Apple simply writes buggy software. Apple’s iOS does have a history of security bugs throughout its existence.
Apple is publicly denying the accusation that it has directly worked with the NSA. In a statement sent to media outlets, Apple stated that it has never worked with the NSA to create a backdoor in any of its products, including the iPhone.
“We have been unaware of this alleged NSA program targeting our products,” Apple stated. “We care deeply about our customers’ privacy and security. Our team is continuously working to make our products even more secure, and we make it easy for customers to keep their software up to date with the latest advancements. Whenever we hear about attempts to undermine Apple’s industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers. We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them.”
The DROPOUTJEEP data slide that Appelbaum presented is dated October 2008. Multiple researchers in the security community have been able to publicly demonstrate exploits against iOS both before and after 2008.
At the Black Hat USA 2007 event, security researcher Charlie Miller publicly presented a batch of Apple iPhone vulnerabilities. In 2009, Miller returned to Black Hat USA to demonstrate an exploitable SMS flaw in iOS.
Concerns about U.S. technology vendors working directly to facilitate the NSA’s spying efforts have had an impact on business. Apple joined with AOL, Facebook, Google, Microsoft and Yahoo in an open letter sent to the U.S. Congress on Oct. 31 asking for more transparency into government surveillance.
The requests from the tech vendors have not fallen entirely on deaf ears either. A Presidential Task Force report titled “Liberty and Security in a Changing World” released on Dec. 18 calls for sweeping reform in U.S. intelligence agency operations.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.