OFFICIAL SECURITY BLOG


NSA iPhone hack is uninteresting

Published January 1st, 2014 at 11:39 AM EST , modified January 1st, 2014 at 11:39 AM EST

The story of NSA’s remote access iPhone hack, called DROPOUTJEEP, has been spreading through online news media like wildfire. There is much hand-wringing and anxiety over the NSA getting its fingers into the security of iOS. Some sources are using this as an excuse to attack the security of iOS. The evidence behind these claims is scanty, however.

[Image: the leaked DROPOUTJEEP document]

As far as I can tell, the sum total of public knowledge about this hack is the leaked government document shown above. This is sparse information indeed to be basing any serious news stories on. These days, though, any story containing the “NSA” acronym is pounced on with wild abandon, facts be darned.

There is a great deal of focus on the capabilities listed in this document, and the fact that iOS remote hacks are supposed to be “impossible” (or, at least, not currently known). However, a key piece of information from that document has been completely ignored in every news story I have seen. I’m talking about the following paragraph:

The initial release of DROPOUTJEEP will focus on installing the implant via close access methods. A remote installation capability will be pursued for a future release.

What does this mean, and why is it important? A “close access method” refers to installing the software on a device using physical access. In other words, if a government agent can get their hands on your iPhone, they can install the DROPOUTJEEP software in order to spy on you. This is obviously not something that most people will need to be concerned about. The government is not going to go to the expense of covertly gaining physical access to your phone unless it has good reason to be very interested in you.

There’s really nothing new about installing software in this manner on an iPhone. It has been possible for some time to jailbreak an iPhone, and then hide that jailbreak from the user, for the purpose of installing something undesirable on the phone. I’ve seen scattered reports of such things for a while. The FinFisher spyware, to give a concrete example, has been known to have this capability for some time now. It’s not particularly surprising that the US government has gotten in on the game… rather, it would be surprising if they hadn’t.

Remote installation would be substantially cheaper and a much larger threat. If an iOS device could be compromised by an attacker remotely, without any need for physical access or even proximity, that would be a serious security issue. However, there is no publicly known method for remotely compromising an up-to-date iOS device at this time, and this document outright states that this capability is not yet a part of DROPOUTJEEP. The fact that the document says this will be “pursued for a future release” does not mean that it was ever actually pursued, or that it was ever achieved if it was pursued.

Lack of evidence is, of course, not proof that remote access isn’t possible. However, it’s important to be realistic here. There is absolutely no reason to believe that the NSA has remote access to every iPhone, as some reports have implied. The NSA is not the mythologically all-powerful organization that it has been made out to be by the popular media. If we begin to assume that anything is possible for the NSA, without requiring any evidence, we might as well begin wearing tinfoil hats.
