By Jim Karpen on Fri, 01/03/2014
As you likely know, a ton of documents pilfered and leaked by Edward Snowden, a former contractor for the US National Security Agency (NSA), have shown that the agency's surveillance has been shockingly widespread, including access to the phone records of you and me. In recent days, the leaked documents have brought the NSA's snooping even closer to home, with the release of documents that say the agency had the ability in 2008 to take control of an iPhone. They were able to "remotely push/pull files from the device, SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control, and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted."
In other words, they're able to have complete control of your phone, and you won't have any idea it's happening. It's scary, and the news reports were startling. But a little context is in order. First of all, the documents say that close physical contact with the phone is required in order to compromise it. That is, they had to have the phone in hand to install the malware, or they had to somehow induce the user to install the malware. The documents say that in the future they intended to develop the ability to remotely install malware, but it's not known if they succeeded at that.
What does all this mean to you? Here are some caveats. First, it's unlikely you're a target of the NSA (and certainly they don't have the capacity or the intention to access everyone's phone). Second, they would have needed to have physical contact with your phone. Third, the iPhone back in 2008 was much less secure than the iPhone today, and hence easier to compromise. Fourth, it's not known whether subsequently the NSA developed the ability to have remote "back door access" to the iPhone. Fifth, "back door access" to a smartphone would almost necessarily entail the complicity of the manufacturer, and Apple immediately released a strongly worded statement in which they said they've never worked with the agency to create any back doors to the iPhone. Plus, they said they're continuing to make the phone ever more secure, implying that they'll do everything they can to prevent the NSA or anyone else from gaining access to it.
Here's Apple's full statement:
Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products. We care deeply about our customers' privacy and security. Our team is continuously working to make our products even more secure, and we make it easy for customers to keep their software up to date with the latest advancements.
Whenever we hear about attempts to undermine Apple's industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers. We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who's behind them.
The software implant developed by the NSA was called Dropout Jeep. The leaked document that describes it is pasted below.
At this point, that's about as much as we know. A great article on Mashable gives more background information. To summarize, it appears that as of 2008 the NSA could compromise the original iPhone if they were able to get their hands on it in order to install some malware. It's not known if they ever developed the capability to remotely install malware on an iPhone.
What about the larger issues? I'll leave that for the privacy advocates and policymakers to sort out. But two court decisions so far have found that the NSA exceeded its authority, although a third found that it hadn't. Certainly no one imagined the widespread surveillance that has come to light. We want to be safe from terrorists, but at the same time, we don't want our lives to be a complete open book to agency operatives.