Apple Devices Escape Mention in WikiLeaks’ Latest ‘Vault 7’ CIA Hacking Documents

WikiLeaks yesterday published its latest round of allegedly leaked CIA documents, detailing aspects of the U.S. agency's "Cherry Blossom" firmware modification program, which uses modified versions of router firmware to turn networking devices into surveillance tools.

The document is the latest in WikiLeaks' "Vault 7" series of publications on CIA hacking methods. Previous leaks have detailed the agency's targeting of iOS devices and Macs, while this manual relates specifically to network routers: Once installed, the Cherry Blossom program can be used to monitor internet traffic, crawl for passwords, and redirect the target user to a particular website.


The manual also describes how CIA agents might install the modified firmware. "In typical operation, a wireless device of interest is implanted with Cherry Blossom firmware, either using the Claymore tool or via a supply chain operation." While documents have not been made public that detail the "Claymore" tool, the latter tactic refers to the practice of intercepting the target device somewhere between the factory and the end user.

The document lists several network products as susceptible to its hacking protocol, including devices from Asus, Belkin, Buffalo, Dell, DLink, Linksys, Motorola, Netgear, Senao, and US Robotics. Apple's AirPort networking equipment does not appear on the list, however.

The CIA has struggled to penetrate Apple's network router hardware in the past due to a combination of the company's robust encryption and its use of proprietary hardware. Previous Harpy Eagle documents published by WikiLeaks show apparently unsuccessful efforts to "gain root access on an Apple Airport Extreme and Time Capsule via local and/or remote means to install a persistent rootkit into the flash storage of the devices".

The Cherry Blossom document dates to 2012, so it's likely CIA methods have moved on in an effort to keep up to date with changing networking hardware. In a response the same day that the iOS device hacking efforts came out, Apple said that many of the vulnerabilities in that leak were already patched. Apple ceased development of its AirPort networking devices last year.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Apple Helped U.K. Investigate Terrorist Attacks, Says CEO Tim Cook

Apple CEO Tim Cook revealed on Monday that the company has been helping the U.K. government investigate terror attacks in the country, despite being criticized by officials for its steadfast support of digital services that use end-to-end encryption.


"We have been cooperating with the U.K. government not only in law enforcement kind of matters but on some of the attacks," Cook said during a Bloomberg Television interview on Monday. "I cannot speak on detail on that. But in cases when we have information and they have gone through the lawful process we don't just give it but we do it very promptly."

Cook went on to suggest that rather than breaking encryption and risking the security of millions of users' private data, technology companies could provide police with metadata – revealing when, where, and who sent and received messages, but not their content – which could be extremely helpful in criminal investigations. "Metadata, if you're putting together a profile, is very important," said Cook.

The comments follow a third attack in as many months in the U.K., which has reignited the debate surrounding online surveillance in the country. The current Conservative government is demanding new powers that would force technology companies to compromise encryption protocols.

In the wake of Saturday's terrorist attack at London Bridge, Prime Minister Theresa May again called for new laws to regulate the internet, demanding that internet companies do more to remove places online where terrorists can communicate. "We cannot allow this ideology the safe space it needs to breed," she said. "Yet that is precisely what the internet and the big companies that provide internet-based services provide."

Recently the U.K. government passed a bill that could theoretically mean companies are legally bound to comply with such requests, although the practicalities of such a law have been repeatedly questioned by security experts. Apple's privacy and encryption policy has also been criticized by U.S. law enforcement officials, and the company publicly clashed last year in court with the FBI over the issue.


Apple’s Latest Transparency Report Shows Spike in U.S. Government Data Requests

Apple last night released its latest transparency report [PDF] outlining government data requests from July 1 to December 31, 2016. According to the data, which features several new request categories, Apple is making an effort to be as clear as possible about the types of information governments around the world have asked for. Apple's report is the most detailed report the company has produced yet.

Worldwide, Apple received 30,184 device requests, covering 151,105 devices. Apple provided data for 21,737 device requests, which equates to a 72 percent response rate. In the U.S. specifically, Apple responded to 3,335 requests out of 4,268 (78 percent). According to Apple, device-based requests cover fraud investigations as well as customers who have asked law enforcement to help locate lost or stolen devices.

Apple received 2,392 financial identifier requests worldwide, covering 21,249 devices. Apple provided information for 1,821 of the requests, which are related to cases where law enforcement officials are working on behalf of customers who have asked for help with fraudulent credit card activity.

When it comes to worldwide government account requests, Apple received 2,231, rejecting 175 of those, and providing no data for 471. Non-content data was provided for 1,350 requests, and content was offered up in 410 cases. A total of 8,880 accounts were affected.

In the United States, Apple says it received between 5750 and 5999 National Security Requests under FISA and National Security Letters, which affected 4750 to 4999 accounts. Apple is not allowed to provide specific numbers, but offers up the narrowest range permissible by law.


U.S. National Security requests increased significantly in the second half of 2016 compared to the first half of the year. In its first 2016 transparency report, Apple said it received 2750 to 2999 National Security orders affecting 2000 to 2249 accounts.

According to the data, Apple also received one "declassified" National Security Letter from the FBI. National Security Letters are traditionally kept secret via a gag order that prevents companies from sharing information about them, but following the USA Freedom Act, the rules have been loosened and tech companies are now able to publish National Security Letters when declassified. Apple is able to publish the content of the letter, but has not done so.

Apple's data is broken down into multiple additional categories, covering government requests for emergencies such as missing children, account deletion/restriction requests, and account preservation requests, all of which can be viewed directly in the report. The company also provides more information on government account requests by legal process type, including search warrant, wiretap orders, subpoenas, pen register/trap and trace orders, and other types of court orders.


Third-Party Apps Will Need App-Specific Passwords for iCloud Access From June 15

App-specific passwords are set to become a mandatory requirement for third-party apps that access iCloud user data, according to an Apple Support email sent out today.

Currently, app-specific passwords are used to allow non-native apps like email clients to sign in to iCloud accounts that are protected by two-factor authentication. The security measure ensures that users can still link up their iCloud account to apps and services not provided by Apple, while also avoiding the need to disclose their Apple ID password to third parties.

However, app-specific passwords will become a basic requirement from June 15, according to Apple. The policy change basically means that users who want to continue using third-party apps with their iCloud account will have to enable two-factor authentication and generate individual passwords for each app.

Beginning on 15 June, app-specific passwords will be required to access your iCloud data using third-party apps such as Microsoft Outlook, Mozilla Thunderbird, or other mail, contacts and calendar services not provided by Apple.

If you are already signed in to a third-party app using your primary Apple ID password, you will be signed out automatically when this change takes effect. You will need to generate an app-specific password and sign in again.

Two-factor authentication ensures that you're the only person who can access your Apple account, even if someone knows your password. To turn it on from any iOS device running iOS 10.3 or later, open the Settings app, tap your name at the top, and then tap Password & Security.

If you're using iOS 10.2 or earlier, you can enable it from Settings -> iCloud -> Apple ID -> Password & Security. If you're on a Mac, go to System Preferences -> iCloud -> Account Details, click Security, and enable two-factor authentication from there.

To generate an app-specific password, sign into your Apple ID account page (https://appleid.apple.com), go to App-Specific Passwords under Security, and click Generate Password.


Researchers Uncover macOS and Safari Exploits at Pwn2Own 2017

The seventeenth annual CanSecWest security conference is underway in downtown Vancouver, British Columbia, where researchers are competing in the 10th anniversary Pwn2Own computer hacking contest for over $1 million in prizes.

Day one results have already been published over at the Zero Day Initiative website, with a couple of successful Mac-related exploits already appearing in the list of achievements. Independent hackers Samuel Groß and Niklas Baumstark landed a partial success and earned $28,000 after targeting Safari with an escalation to root on macOS, which allowed them to scroll a message on a MacBook Pro Touch Bar.


In a partial win, Samuel Groß (@5aelo) and Niklas Baumstark (@_niklasb) earn some style points by leaving a special message on the touch bar of the Mac. They used a use-after-free (UAF) in Safari combined with three logic bugs and a null pointer dereference to exploit Safari and elevate to root in macOS. They still managed to earn $28,000 USD and 9 Master of Pwn points.

Later in the day, Chaitin Security Research Lab also targeted Safari with an escalation to root on macOS, finding success using a total of six bugs in their exploit chain, including "an info disclosure in Safari, four type confusion bugs in the browser, and a UAF in WindowServer". The combined efforts earned the team $35,000.

The participating teams earned a total of $233,000 in prizes on day one, including a leading $105,000 earned by Tencent Security, according to published details. Other software successfully targeted by contestants include Adobe Reader, Ubuntu Desktop, and Microsoft Edge on Windows.

Apple representatives have attended the Pwn2Own contest in the past, and affected parties are made aware of all security vulnerabilities discovered during the contest in order to patch them. Pwn2Own day two began today at 8:30 a.m. Pacific and will involve additional exploit attempts against macOS and Safari.
