Apple Denies Helping NSA Subvert iPhone

New submitter aissixtir sends word that Apple has responded to allegations that the NSA has backdoor access to iPhones. Apple said, "Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products. ... Whenever we hear about attempts to undermine Apple’s industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers. We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them."

They can't stop unlockers

What makes you think they could stop the NSA?

Re:They can't stop unlockers

Apple loses every single pwn2own competition, so yeah, it is pretty ridiculous that they claim to have industry leading security.

Re:They can't stop unlockers

[craigminah]

What makes you think Apple would break the law and admit they helped the NSA (sure they signed NDA beforehand)?

Re:They can't stop unlockers

[the_B0fh]

As I had to point out to other people. This was from 2008. The original iPhone, and maybe the iPhone 3G. Do you know what that means? Those did not come with encryption. iPhone 3GS and onwards had encryption. I forgot if the hardware encryption was built in to the 3GS or started with the 4, but it's there.

Do you know what that means? The original iPhone could be mounted as a disk, and everyone knows what happens when you have physical access to a system, and it doesn't have full disk encryption - you get to screw with the file system, and install shit.

What happens on the iPhones with encryption (that is always enabled if you have a passcode - actually it is always enabled, but if you don't have a passcode, it just passes it through)? Even if you have hardware access, you do not have the ability to drop files and screw with it.

The bigger question Android users should ask themselves - why do Androids not come with full device encryption enabled by default? Why are Androids, by default, still vulnerable to the kind of attack that Apple fixed in 2009?

And please don't tell me Android v4 have full device encryption. That's a joke. It takes 45 minutes to enable encryption on my Nexus 4. You have to login twice after a reboot to use your phone. And the encryption is already broken - just ask Cellebrite - they proudly tell you they can do forensics on encrypted Android image.

So - Android users - why do you settle for less?

Re:They can't stop unlockers

[WaffleMonster]

The bigger question Android users should ask themselves - why do Androids not come with full device encryption enabled by default? Why are Androids, by default, still vulnerable to the kind of attack that Apple fixed in 2009?

What good is encryption if Google can remotely install any software it damn well pleases on your handset without your knowledge or approval?

Re:They can't stop unlockers

[mjwx]

The bigger question Android users should ask themselves - why do Androids not come with full device encryption enabled by default? Why are Androids, by default, still vulnerable to the kind of attack that Apple fixed in 2009?

What good is encryption if Google can remotely install any software it damn well pleases on your handset without your knowledge or approval?

The same can be said for Apple and Apple devices. Apple reserve the right to screw with your device without warning or explanation. At the very least Google is open about what it does and why, Apple just says "do not question us".

Beyond this, if you wanted to you can install a non-Google AOSP ROM and you are outside Googles reach. Can you do that with IOS?

Sorry if facts dont agree with your sad sounding Google bash, carry on regardless.

Re:They can't stop unlockers

[Rosyna]

Google has removed apps that are banned from the Google Play store from people's devices remotely. Apple has not.

Is an unknown fear in the future somehow better for you to digest than that fear being played out in the past and present? (Apple's "may" versus Google's "has and does and will continue to do")

I still have the "Asian Boobs" apps I downloaded off the App Store on my iPhone even though it has long, long since been removed from App Store. (Yes, it's actually called "Asian Boobs")

Re:They can't stop unlockers

[knarf]

Google can only do things on Android phones which have Google apps installed. Installing Google apps is optional for anyone with a rooted phone.

I have several devices running Android - tablets and phones. None of them run Google apps, nor the Google framework, nor any other Google-specific software. These devices run self-compiled Android distributions, some of them tailored to the application (eg. removed services from ServiceManager, etc).

Try that with iOS. Nice try.

Re:They can't stop unlockers

[gnasher719]

What makes you think Apple would break the law and admit they helped the NSA (sure they signed NDA beforehand)?

There are laws that prevent companies from saying things. There are no laws that can force a company to lie. Actually, there are laws that make it illegal for a publicly traded company to lie about certain things. So possible things that Apple could do are:

1. Say "we helped the NSA" - illegal and stupid if they did, illegal and stupid if they didn't.
2. Say nothing. Perfectly legal. Possibly a hint that they helped the NSA, because you'd want to tell the world if you didn't.
3. Say "we didn't help the NSA" - illegal if they did, perfectly legal if they didn't.

Sorry Apple.

Don't believe you.
It's now proven most American companies can't be trusted.

Re:Sorry Apple.

[dk20]

Remember when you could jailbreak your iphone by simply going to a website? Industry-leading for sure...

Re:Sorry Apple.

Right, but then, do you remember a time when you couldn't have a windows machine pwned by visiting a web page? There's also plenty of instances of Linux being remotely comprisable this way. Which operating system do you know of that hasn't been exploitable at some point by visiting a web page?

Re:Sorry Apple.

[R3d+M3rcury]

Keep in mind that Apple has a very secretive culture. I could easily believe that there is a group that works with the NSA but that is not generally known.

Hell, most employees hadn't heard of the iPhone before it was announced. How difficult would it be to have a group inside Apple that did these things and not have anybody outside of those employees know about it?

I wish I could believe that

[Sean]

But I can't.

non-denial denial?

They didn't say there was *not* an NSA backdoor. All they said was that they didn't work with the NSA to create one.

Re: non-denial denial?

Even the "news" about what the press is calling a backdoor never stated that Apple helped create it. What the guy (and the docs from Snowden) said was that the NSA was successful installing malware (that included back door access to many, many things) 100% of the time when they had physical access to the device. This should not be surprising to anyone here and should be even easier on devices that allow trivial access to root.

Now, the guy who talked about this on stage stated (while admitting he had absolutely no evidence for this) that he believed Apple probably helped. Given the lack of evidence this claim is almost certainly libelous/slanderous, but so goes life. People should really work harder to examine facts instead of letting their dislike for a company determine what is true or not.

Because, of course...

Because, of course, when your domestic intelligence agency asks you to do something, and you comply, you then also admit to it the first time someone questions your integrity.

It's almost as useful as government departments (esp. intelligence agencies) issuing press releases declaring that they only do what's in their mandate and according to the law.

Trust no one, but assume innocence until proven guilty. So, while nobody should trust Apple devices with sensitive data, any direct accusation must be backed up with evidence. It's then up to Apple to defend itself by attacking the evidence. What we have here is neither.

Denying the wrong thing

They should say there is no backdoor, not that they did not help making one.

Re:This could be true

[AmiMoJo]

Like RSA they will just keep denying it and hope there is nothing to directly contradict them. They may well be telling the truth, but we can't be sure now and maybe even Apple don't know that one of their engineers was compromised and forced to work for the NSA.

We know that iphones kept location logs, for example. Apple claimed it was done in error... Perhaps a deliberate error by an NSA agent in their ranks, but we will probably never know.

Who's the enemy?

[mariox19]

This rogue agency will destroy billions upon billions of dollars worth of American commerce before its done.

Gag Order

[ebonum]

Working with the NSA most likely comes with a caveat: "you follow this gag order or we will put you in jail for interfering with national defense and releasing classified information." In other words, something almost as bad as giving aid to the enemy.

I hate conspiracy theories, but it is plausible that they are under a secret order from a secret court ordering them to deny everything. This is precisely why in the US we should never every have secret courts.

Re:This could be true

Perhaps they are constrained by law and couldn't release the truth if they wanted to.
 

Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. (Once the NSA backdoored the iPhone, we didn't fix it) Additionally, we have been unaware of this alleged NSA program targeting our products(In this case, 'we' refers to the marketing department and the guy that brings the bagels) ... Whenever we hear about attempts to undermine Apple’s industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers. We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them. Securing out products against the non malicious, non attacking survailence by the NSA would be inappropiate, of course.

Ok then, WHY was local sync removed from OS X ?

Prior to OS X 10.9 Mavericks, it was possible to sync an iOS
device completely, via USB cable which connected the iOS
device to the main computer.

Now in Mavericks the iOS local sync is gone. Personally I believe this
has been done because it will make it trivially easy for the NSA to collect the
contents of iOS devices from various central points ( the central points
would be the servers Apple uses for iCloud ).

So no, I don't believe that Apple will do anything to
protect the people who buy hardware from Apple. I've been one
of those buyers but I won't spend any more of my money with
Apple, because even if they aren't helping out the spooks
they are selling shit that doesn't work well without even bothering to
let users know about the loss of important features in their operating
system before those poor users "upgrade". That is inexcusable behavior
on the part of a company which pretends to care about how its products work. ///

Re:And the careful parsing continues...

[bill_mcgonigle]

With all the deliberatedly worded non-denial denials we've seen in response to NSA revelations, you'd think that Apple's PR firms would know to make an absolute denial if that was their intent.

I see these overly-specific denials as a signal that they're under a gag order.

Breakdown of what was actually said.

I work in a relationship role for a large firm that most people have heard of. Let me fill all of you in on exactly what was said here.
First time poster as I am normally not interested however I felt that most of the comments were not addressing the whole verbiage of the defense.

"Apple has never worked with the NSA" ----- We did not have a contract with or resources sharing agreement with the NSA. We have friends though.
"to create a backdoor in any of our products, including iPhone" ----- Whatever was created was not called a backdoor or we did not create it. Someone else did.
"Additionally, we have been unaware of this alleged NSA program targeting our products..." ----- THIS alleged program. We were given a different name or aware of others.
" ... Whenever we hear about attempts to undermine Apple’s industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers.
----- Apple will and probably does investigate breach attempts. But this is not a breach. It was a voluntary. So we aren't doing anything.

"We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them." ------ Malicious hackers, Security Attacks, as stated above this was voluntary. We will continue not using resources to patch the vulnerabilities.

In summary Apple did not deny. It is simply used double speak/meaning to say, it was not officially worked, we didn't refer to it by this name, we did not personally create the vulnerabilities and we aren't going to fix them. The NSA would be like a vendor to a large company in this instance. The company can sit back and say they did not personally take malicious action. However, they can't get away from the fact that it happened under their watch so they must respond and deny, which as pointed out by others can be proven by subsequent revelation by Snowden or others, or they can type a paragraph which is true and doesn't admit guilt while misguiding others into making their own conclusion.

Remember, you are the one they have to convince, not themselves. The executives are not going to let someone like government or shareholders just waltz in and destroy what they've spent years building. They will lie or mislead and if caught, after years of arbitration and lawsuits, can settle for a small lump sum that pales in comparison to the money they could have made in the meantime. Look at BP and the trust fund they setup for the Gulf Oil Spill Cleanup. They made a profit on the interest and reinvestment of that money.

Believe me or not it's entirely up to you. I work in an area who has written quite a few of these and trust me it works to divide and conquer individuals who have different interpretations of literary/writing style. Either way, most people are not paying attention... and that's a fact.

Re:Totalitarian Business Model for Totalitarians

[dugancent]

It's not even in the same ballpark. Likening a the idea of a company checking out apps before you install them is nothing like having a government entity, with no accountability, recoding you every time you take a shit.

Get real.

Uh-yup

[ApplePy]

Additionally, we have been unaware of this alleged NSA program

How could they be aware? I mean, it's only been widespread news for the last year or so!

Their statement is 100% lawyer-drafted weasel language crafted to tell enough truth that they don't get in trouble, while still lying about whatever it is they're lying about. Next it'll be something like "We're really sorry you think there are security flaws in our product, and we're working hard to change that perception."

Meh

[swillden]

Per the video, the NSA iPhone compromise requires the NSA to obtain physical access to the device, and suggests they did this by rerouting shipping.

To me, that says that what they've done is exploited holes in iOS -- of which there have been many, that's how jailbreaks are possible -- and used them to install their own spyware. There's not only no need for them to involve Apple to do such a thing, involving Apple would actually be a bad idea, because it increases the number of people who know about it and might leak it.

I believe Apple had nothing to do with it. I believe the NSA has spyware for every version of iOS ever made, as well as Windows, OS X, Android, Linux (well fragmentation of the last two means there might be some versions which are safe -- but not the major ones), AIX, etc. If they don't, they're not doing their jobs. I don't think anyone should be the slightest bit surprised by any of this.