Slashdot Mirror


Apple Agrees To Chinese Security Audits of Its Products

itwbennett writes According to a story in the Beijing News, Apple CEO Tim Cook has agreed to let China's State Internet Information Office run security audits on products the company sells in China in an effort to counter concerns that other governments are using its devices for surveillance. "Apple CEO Tim Cook agreed to the security inspections during a December meeting in the U.S. with information office director Lu Wei, according to a story in the Beijing News. China has become one of Apple’s biggest markets, but the country needs assurances that Apple devices like the iPhone and iPad protect the security and privacy of their users as well as maintain Chinese national security, Lu told Cook, according to an anonymous source cited by the Beijing News."

19 of 114 comments

  1. Absolutely fair.. by Rick+in+China · · Score: 2, Insightful

    More countries should be doing security audits on more products.

    1. Re:Absolutely fair.. by Anonymous Coward · · Score: 5, Insightful

      "Security Audits" - In other words, making sure these governments have a way to access secure information stored on confiscated iPhones from activists, dissidents, journalists, and other troublemakers.

    2. Re:Absolutely fair.. by bloodhawk · · Score: 2

      It is common practice for most countries, the only thing new here is a western country letting China do it too.

    3. Re:Absolutely fair.. by Anonymous Coward · · Score: 2, Funny

      No, it says "protect the security and privacy of their users". Are you accusing them of lying?

    4. Re:Absolutely fair.. by weilawei · · Score: 3, Informative

      I believe the GP was suggesting that the phrase "security audit" was being used in a euphemistic manner.

    5. Re:Absolutely fair.. by swb · · Score: 2

      This was my first thought -- it's a search not for security of the devices, but a search for exploits of these devices and/or some form of industrial espionage.

      But I wonder -- can Apple set the terms of the audit? I.e., you get to examine whatever it is you examine in our office using our provided systems which aren't connected to the Internet. You may not bring any electronic devices into the audit facility. You may not reproduce any code you review in our facility by any means, including notes, pseudocode, block diagrams, etc.

      I suppose there's still some risk -- i.e., deliberate subterfuge involving copying in some way or the use of a memory savant or some error so obvious they know how to attack it without any information exfiltrated.

      I don't know, but I also assume that a truly thorough security audit of a large, novel (i.e., you didn't write it) code base is hard and may be dependent on 2nd order effects, like the actual generated object code. Which may make it extremely time-consuming -- didn't the funded audit of TrueCrypt take an extremely long time just to do the initial audit?

    6. Re:Absolutely fair.. by gnasher719 · · Score: 3, Insightful

      Consider that China is legally allowed to do security audits or "security audits" on any open source system. So what would Apple have to be afraid of that Linux or OpenSSL just as examples don't have to be afraid of?

    7. Re:Absolutely fair.. by swb · · Score: 4, Interesting

      Fear one may just be outright industrial espionage.

      I'm guessing that security in Apple products goes above and beyond whatever (likely modified) FOSS libraries they use, but would also include stuff like their whole-disk encryption system, the touch ID sensor and its encodings, etc. So there's a fair amount of proprietary tech in these devices.

      Fear two might be obtaining what amount to currently unknown zero-day exploits that could conceivably open all iDevices to security risks exploitable by Chinese intelligence.

      AFAIK, recent models and OS levels have a generally accepted level of security that makes them difficult to break or exploit and I think this has come to be seen as a competitive advantage. Even if the security is beatable by the NSA in a lab situation, the marketing value is to businesses worried about lost devices or devices used in vertical markets with security compliance regulations.

      Which is why I wondered how much Apple can control the terms of a security audit. Do the Chinese just get handed a memory stick with ios-82-iphone6-source.tgz they can take back to their office or do they sit in a plain white room with locked down desktops that do a one-way remote console to a machine with source code? Or worse, a plain white room with a bunch of binders of printed source code?

    8. Re:Absolutely fair.. by Minupla · · Score: 4, Interesting

      Hrmm, this might work out well for us non-govt people.

      Consider:

      NSA: "Apple, you must let us 'review' your code. We'll keep our findings to ourselves, you can't tell anyone"
      Apple: "OK"
      NSA digs through code, finds exploits, locks them up for future weaponization ...
      China: "Apple, we'd like to "review" your code. We're going to tell the world about it"
      Apple: "OK"
      NSA: "Crap, now those evyl Chinese will find our exploits. Darn, I guess we'd better tell Apple to fix them after all or the Chinese will be spying on us!"

      At the end of the day, the best we can hope for is that the various spooks keep each other honest.

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before

    9. Re:Absolutely fair.. by stealth_finger · · Score: 2

      In a world where several BILLION up-and-coming wage earners are ripe to purchase their products, which, incidentally, wouldn't exist if not for the cheap labor still extant in that very same country.

      Maybe their regional ads will say 'Designed in California. Made in China'

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u

    10. Re:Absolutely fair.. by phayes · · Score: 4, Insightful

      What better way to learn what undiscovered security holes there are in a product than to be able to see the source code?

      Oh, you thought that the reason China wants to audit the code is so that they can "protect" their citizens. Yes, because they're not at all well known for targeting dissent, no, not at all...

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue

    11. Re:Absolutely fair.. by Etherwalk · · Score: 2

      Here in America, we don't even audit our damn voting machines.

      Because of, you know, whatever you vote, your slavery is totally determined by your EFFing "United States Electoral College".

      Unless you're in one of the few states that either has proportional representation or is a swing state. I have seriously considered moving to a swing state for that reason.

    12. Re:Absolutely fair.. by rtb61 · · Score: 2

      It depends what they are actually saying when they say they want to security audit the devices. I take that to mean complete access to the source code for all software supplied with the device and complete access to detailed hardware designs. So yep, a security audit will allow the Government of China to hunt down bugs and make use of them "to access secure information stored on confiscated iPhones from activists, dissidents, journalists, and other troublemakers". Likely it goes deeper than this and they want to access all possible associated Apple devices with or without the user's permission upon a global basis and Apple is like 'meh' profits first. Apple users in the US better watch out, it's not like the Government of China's investigatory agencies are even slightly free of corruption and many of the 'er' hidden features they find are pretty much guaranteed to become available to organised crime.

      --
      Chaos - everything, everywhere, everywhen

  2. Of Course by theshowmecanuck · · Score: 3, Insightful

    Since most of their operations are in China (even if de facto), they are essentially a Chinese company. They have to agree.

    --
    -- I ignore anonymous replies to my comments and postings.

  3. Wait a second by codeButcher · · Score: 2

    I thought Apple products were assembled in China? (By Chinese spies masquerading as low-wage workers, etc. etc. etc.)

    Also, Lenovo.

    --
    Free, as in your money being freed from the confines of your account.

  4. this proves nothing whatsoever. by Anonymous Coward · · Score: 4, Insightful

    If Apple cooperates then how do they know the devices and software are exactly the same thing that Apple sells in China? The thing to do would be to acquire random samples in China and elsewhere, jailbreak and then analyze. Never mind that Apple may not include obvious back doors but instead subtle behaviors that can be exploited and also explained away if discovered by outsiders.

    When push comes to shove it is all bullshit to use enemy technology. If I was in their shoes I would go for my own hardware and software developed without any input from the outside.

    They are probably more interested in breaking into existing I-devices, so don't use these things for what you want neither the US-G nor the CN-G to know. That simple. Nobody is your friend here.

    1. Re:this proves nothing whatsoever. by Rick+in+China · · Score: 4, Funny

      If I was in their shoes

      You probably are in their shoes.

  5. Exploitable flaws by Anonymous Coward · · Score: 2, Interesting

    Nokia failed in design and marketing. Why would "Europe" regret that? It's not like "Europe" could have helped a bit. That's just how market works. Besides, the same people are still making phones, only they run MS software now. Nice phones, I have one, good exchange sync, works as a phone, WhatsApp works, nice camera. UI looks better imho compared to iOS and android. Software ecosystem may lack a bit, but everything I need in a phone is available. I have android phone also, but it's sitting on a desk at home because I have no use for it.

    Doesn't really matter who spies my phone. I only live for a couple of decades anyways, if someone wants to waste their time spying on me I say good riddance, hope they found it interesting. I'm also sure it doesn't matter one bit who actually made the phone. If some entity with sufficient funds wants to spy on them they will. It's not like the information security is too strong on any of those.

  6. Better Chinese Clones by Hasaf · · Score: 2

    I was chatting with friends in China about this article. The immediate and unprompted comment was that this will allow the Chinese clone makers direct access to the coding in the Apple products