The CIA Has Been Hacking iOS for Years: Report

By Richard Adhikari
03/12/15 2:09 PM PT

The United States’ Central Intelligence Agency for years has been working to break iOS security, according to a report published Tuesday in The Intercept.

The allegations are based on documents provided by NSA whistle-blower Edward Snowden.

Researchers working with the CIA have presented their tactics and achievements at Trusted Computing Base Jamborees, secret annual gatherings that have been going on for nearly a decade.

They have been using both physical and noninvasive techniques to penetrate Apple’s encrypted firmware — possibly to plant malicious code on Apple devices, as well as to seek out potential vulnerabilities in them.

“If you crack Apple, then you have the ability to get inside the phones of a major portion of the market,” said Eric Cowperthwaite, vice president for advanced security and strategy at Core Security.

Factor in that iOS is “generally considered to be the most secure smartphone operating system,” and iOS is a “very attractive, very large target,” he told TechNewsWorld.

“In the long run, this stuff we see happening with the CIA, NSA, Chinese security agencies and many others polluting the security of these various ecosystems is really bad for trust and for security,” Cowperthwaite added.

The Xcode Factor

The CIA researchers apparently have created a modified version of Apple’s Xcode integrated development environment that lets users sneak surveillance backdoors into apps or programs developed for iOS and OS X.

However, it’s not clear how devs will be lured into using the tainted version of Xcode.

The researchers also have modified the OS X updater to install a keylogger, according to the report.

Microsoft’s BitLocker full disk encryption system has been targeted as well.

Private-Public Sector Cooperation

Sandia National Laboratories researchers are among those who have presented work on cracking Apple security at the jamborees, which are sponsored by the CIA’s Information Operations Center. The center reportedly conducts covert cyberattacks against targets.

NSA personnel participated in at least the 2012 Jamboree, which was held at a facility in northern Virginia belonging to defense contractor Lockheed Martin, according to the leaked information. Sandia is a wholly owned Lockheed subsidiary.

“The use of overt cybersnooping and forced intellectual property disgorgement as an impediment to foreign trade is a unique and innovative strategy, certain to provoke negative responses from companies and governments alike,” said Philip Lieberman, president of Lieberman Software.

Your Tax Dollars at Work

The CIA’s activities are part of a secret U.S. government program — included in the 2013 Congressional Budget Justification — whose goal is to break the authentication and encryption of communications products, according to The Intercept.

Both iOS and the iCloud repeatedly have been hacked.

iOS hacker Jonathan Zdziarski last year unveiled a host of iOS vulnerabilities at the Hope/X hackers’ conference in New York. They included undocumented services that bypassed backup encryption.

Why has the CIA been investing in crypto research instead of just leveraging the attacks published on the Web?

“Intelligence-gathering techniques require the evaluation and use of all types of methods and means to achieve the best information quickly and at the lowest possible cost,” Lieberman told TechNewsWorld. “Even the government is concerned with ROI.”

No Impact on Enterprise Mobility

Should enterprises be concerned?

“Most enterprises won’t be resilient against a nation-state or intelligence community adversary, nor do they really need to be worried about nation-states,” Veracode VP of Security Research Chris Eng told TechNewsWorld.

On the other hand, “How will CISOs secure systems when they don’t know what’s been polluted by government agencies?” asked Core Security’s Cowperthwaite.

What Should Apple Do?

“The ball’s in Apple’s court now,” said Jon Rudolph, principal software engineer at Core Security.

“They have to decide if they are going to sell a product that is CIA-proof — I’d buy two — or make it even easier for the removal of the last drop of my personal data, as was indicated last year,” he told TechNewsWorld.

Apple has to consider the balance between privacy and national defense, remarked Lieberman. “There is no clear or right path — only a daily need to keep every stakeholder equally dissatisfied with privacy and national security needs.”

The Micro Bit's Mega Promise

The BBC last week announced that it would give programming PCs to 1 million students through its Make It Digital initiative, an effort to spark greater interest in technology.

The 11- and 12-year-old UK school children will receive Micro Bit, a stripped-down computer that can be worn on a lanyard. Similar to the Raspberry Pi, the Micro Bit is a programming computer designed to serve as an entry point for individuals interested in coding.

Computer Boot Camp

The Micro Bit is preceded by the BBC Micro, a computer placed in classrooms during the 1980s. In the spirit of that effort, and inspired by the positive result it had on so many computer engineers, the BBC launched the current Make It Digital initiative.

While the BBC and its partners see value in self-directed learning, they are developing an intensive, structured traineeship program, also part of Make It Digital, that will be launched in the summer.

Up to 5,000 unemployed youth will have the opportunity to engage in a nine-week apprenticeship session at the BBC Academy. The traineeship program will cover basic digital skills and employability skills, two classes that will cover six weeks at the academy.

In the final three weeks of the traineeship, the pupils will engage in a work placement program. Some of the best of the bunch will be encouraged to apply for apprenticeships with the BBC.

The Micro Bit

The BBC has partnered with more than 25 technology companies to propel the Make It Digital initiative. Collaborators worked on everything from fabricating the Micro Bit to providing content.

On the hardware side of things, the BBC partnered with companies such as Microsoft and ARM. On the content side, it teamed with organizations such as Decoded and CoderDojo to create supporting curriculum and media for the Micro Bit.

The Micro Bit shouldn’t be viewed as a competitor to programming products like the Raspberry Pi or Arduino, according to the BBC. The stripped-down Micro Bit is designed to help coders transition to more complex and capable hardware.

There will be just 1 million Micro Bit computers given out. Once they’ve been distributed, that’s it, according to the BBC.

Enduring Value

It’s imperative that the technology industry engage youth and help cultivate the next generation of computer scientists, said Charles King, principal analyst for Pund-IT.

“You can see the value that an active, engaged, innovative developer culture brought to platforms like smartphones, for example,” he told TechNewsWorld, “but you can also see where the industry has run into trouble in training staff for legacy products — such as the IBM mainframe.”

The public seems to have lost interest in scientific topics over the last few generations, King said.

Consumers enjoy the rosy tech picture of sleeker hardware and more robust apps being delivered at increasingly faster rates, but the technology industry still has to cope with a loss of interest in employment in science and technology fields, he said.

“I think that the BBC is recognizing the danger of that,” said King, “and this is what you might call a proactive attempt to engage youngsters and point them in what I think many people would believe is a positive direction.”

En Garde, Apple! The Luxe Android Smartwatch Is Coming!

Inside its domed sapphire case, a spinning 288-sided diamond represents the moon, which orbits around a hand-painted model of the earth as they both rotate around the centre once every 20 minutes.

Meanwhile, the brains of the watch – a part known as the tourbillon – projects out in another direction, spinning across three axes simultaneously, while a revolving watch face on a fourth arm completes the celestial choreography.

Such showmanship doesn’t come cheap, costing more than half a million dollars (£370,000), but it illustrates how independent watchmakers are attempting to push the boundaries of a centuries-old craft.

“To achieve this movement required engineering involving CAD [computer aided design] to see if everything works,” says Maurizio Mazzocchi, managing director of the watch’s creator Jacob&Co.

“Without today’s technology we could not do a watch like this, it would be impossible.

“But then everything is made by hand.”

Jacob & Co is also showing off lower-priced creations in Basel

Smarter watches

Jacob & Co is one of the biggest privately-owned firms at this year’s Baselworld trade show.

At the other end of the scale is 4N – a one-man operation consisting of Francois Quentin, a former designer for Louis Vuitton and Tissot.

He calls his watches “digital” because they tell the time by displaying digits in a central rectangular box.

But the mechanical mechanism he uses to achieve this is brain-achingly complex, requiring 540 components, each finished and fitted together by hand.

Mr Quentin says he wanted to create a complex watch that made it easy to read the time

“Collectors want very complicated watches with high finishing,” Mr Quentin explains.

“To make each watch I need two months to assemble it and one month to test its 10-day power reserve.”

A combination of new materials, PC software and Computerised Numerical Control (CNC) manufacturing machines – which use lathes, mills, grinders and other tools to convert graphic files into physical parts – let today’s watchmakers do things their predecessors could only dream of.

But it’s the smaller firms that appear to be taking fullest advantage of the opportunities.

“The independents are able to do things that haven’t been previously tested because they don’t have as much to lose,” states Ariel Adams, editor of ablogtowatch.com.

“The large brands have core consumer bases that are oftentimes not as receptive to new ideas.

“So, they are concerned about putting too much money into research and development or changing the nature of how people perceive their brand.

“But the independents really assert themselves with innovation and that is how they stand out.”

Sci-fi designs

Geneva-based MB&F – which describes its products as “machines that happen to give the time” – has played a leading role in this movement.

The crystal spheres at the front of the Space Pirate watch are used to display the hours and minutes of the current time

Its Space Pirate watch, for example, looks more like a futuristic interplanetary vehicle than your typical timepiece, with five bulbous growths rising out of its curved metallic shell.

The company says it’s not by chance that its creations don’t resemble those of the mainstream watch groups.

“Today watchmaking is primarily led by engineers,” says its chief communications officer Charris Yadigaroglou.

“It’s about optimising a movement, adding a new function or whatever.

“Once that movement has been designed they call in the designers who put a nice case around the movement and they might call in the marketing teams to sell the piece.

The hour and minute domes of MB&F’s Megawind watch are made out of aluminium to be light and thus minimise its energy requirements

“At MB&F we do exactly the opposite.

“We start with an idea, and from that idea stems a design, and last but not least the engineering serves the design.

“That’s why the pieces turn out so different.”

Oiled time

Ressence, a Belgian watchmaker, takes a similar approach.

It’s just launched a new version of its oil-filled Type 3 Watch, which features a temperature gauge to warn the wearer if the liquid inside is too hot or too cold.

The Type 3 watch bathes its indicators in fluid to make them seem as if they are being projected onto a screen

The use of black oil creates the illusion that the dials are floating on the outside of the device’s crystal case, somewhat like the graphics of a high definition smartwatch, when in fact they are mechanical parts.

Temperature is important, because at lower than -5C (23F) or higher than 60C (140F) the tiny bellows that regulate the liquid’s flow stop working.

Ressence’s founder Benoit Mintiens says the distinctive design was a consequence of his background as an industrial designer.

A thermal valve adjusts for any expansion or contraction of the oil inside

“A watchmaker will always start with a technical issue related to movement that they want to solve mechanically,” says Mr Mintiens.

“But an industrial designer will think who is going to wear it and what should it do for them, and then will steadily build something to make the functions the user needs.

“So, you start from the outside going inward, while the watchmaker would start from the inside and then go to the outside.”

Liquid skulls

HYT is another indie experimenting with liquids.

Its limited edition watches use tiny reservoirs of coloured oil and water that are forced into thin tubes, which it calls capillaries, to provide a unique way of displaying the time.

“The fluidic module system is sealed 10,000 times stronger than the waterproofing of a regular watch,” explains its chief executive Vincent Perriard.

“That is crazy. Why? Because we don’t want to have any micro-liquid evaporate.”

To be successful, such indies do not need to sell huge numbers of their product.

This watch from HYT solely relies on liquid to tell the time

HYT sold 450 watches last year – its entire production run.

Another indie, Christophe Claret, operates a successful business making even fewer timepieces.

The Swiss firm is best known for its “novelties”.

Three players can compete against each other using Christophe Claret’s Poker Watch

They include mechanical watches on which you can play Texas Hold’em poker, Blackjack and Baccarat.

Its latest, Aventicum, uses mirrors to create the illusion of a gold bust of the roman emperor Marcus Aurelius rising up out of the watch on one side, and five mechanical chariots that race against each other on its reverse.

A micro-engraved bust of Marcus Aurelius appears to rise out of the Aventicum watch

“When you are a little brand it’s not easy sometimes because we make a very low quantity – perhaps only 100 pieces a year,” says Mr Claret.

“It’s as if we are the mouse and the other brands are elephants.

“But the mouse can do many things and move fast, and sometimes the elephant gets afraid of the mouse because what we do can be very strong.”

Other indie watchmakers unafraid to do things differently include Fiona Kruger from Scotland.

Her Celebration Skull watch is inspired by Mexico’s Day of the Dead festival, and features tubing that glows in the dark.

The Celebration Skull watch uses sunlight to recharge its “superluminova” tubes

“My design process is quite selfish, as I design something that speaks to me first and foremost,” she tells the BBC.

“Why not have fun and express your personality?”

Cabestan takes a different approach, asking its customers to customise its atypical designs.

The Cabestan Winch Tourbillon Vertical was designed to resemble sailing boat gear

Recent examples include a buyer who requested his watch be made in a yellow theme, and another who asked for his name to appear on the parts.

This time-intensive process means Cabestan only makes about 40 watches a year, but it can carve out a profitable niche by charging £140,000 for the unique pieces.

“We have a CNC machine, we have everything in-house, so we can do everything – and we are proud to do everything,” declares the firm’s marketing director Carine Masson-Barillot.

Cabestan’s Luna Nera watch shows the moon phase as well as the time

If there were an award for being the noisiest indie at Baselworld, US-based Devon Works could lay claim to the prize.

The clicks, ticks and whirrs of its watches are produced by the motor-driven movements of the glass-reinforced nylon belts that whizz in different directions inside them.

The electrical-powered devices use a microchip and optical recognition sensors to ensure the equipment shows the right time, making quite a statement.

The firm acknowledges that, like many of the indies, its designs might not appeal to mainstream tastes, but is unapologetic about the fact.

“It’s very similar to modern art,” states Scott Devon.

“High concept art isn’t for everyone, just like our watch isn’t for everyone.

“But it influences the future of what’s possible in watchmaking design and engineering.”

10 Waterproof Activity Trackers You Can Swim With

Most fitness trackers are splash-resistant, but not all are safe to wear in the pool. If you’re looking for an activity tracker that counts your daily steps, helps you estimate your calorie burns, and that you can leave on your wrists when you go for a dip, the list below will point you to several great options. Next to each product, you’ll see a price and star rating based on our in-house testing.

For more shopping advice, see my list of the best activity trackers for fitness, as well as some tips on how to choose a fitness tracker that’s right for you.

 

FEATURED IN THIS ROUNDUP

Basis Peak

$199.99
The Basis Peak, our Editors’ Choice among fitness trackers, is an updated version of the Basis Carbon Steel Edition. It’s a wristwatch style band that includes a built-in heart rate monitor and other sensors for collecting physiological data, such as skin temperature. The new Peak is fully safe for swimming at depths of up to 50 meters (5ATM water resistant).



Garmin Vivosmart

$169.99
Garmin’s Vivosmart activity tracker counts steps, measures sleep, reminds you to move, and sends notifications (iOS only), including text messages, to your wrist. Its midrange price point makes it an attractive option. Swimmers will be happy to hear it has a water resistant rating of 5ATM. It’s elegant, unobtrusive, and has some great functionality.



Runtastic Orbit

$119.99
This waterproof activity tracker from fitness app and device maker Runtastic reminds me a lot of the Fitbit Force, which was an excellent activity tracker, except that it was recalled earlier this year (and the Force wasn’t swim-safe). The Orbit, however, is fully waterproof up to 100 meters, meaning you can both swim and shower with it. The price is great for anyone looking for an entry-level product.



Garmin Vivofit

$129.99; $169.99 bundled with heart rate monitor
The wrist-worn Garmin Vivofit is a well-thought-out device, balancing features and design with price and value, and it’s safe to wear it in the water. It’s water resistant up to 50 meters. Vivofit uses a coin-cell battery that lasts about a year, and the display is not always on, which helps preserve the battery.



Misfit Flash

$49.95
At $49, Misfit Flash is the best entry-level activity tracker you can buy for less than $99. Self-quantification enthusiasts will be disappointed in the lack of features that are part and parcel of more expensive trackers, but first-timers and swimmers will find a lot to love in this elegant and inexpensive waterproof device.



Misfit Shine

$99.99
The sleek and subtle Misfit Shine, available in nine colors, isn’t the easiest fitness tracker to use (its display is a circle of lights that you have to learn to read). But it can go in the pool without a problem. It comes with a wrist strap and a magnetic clip, letting you choose between wearing it like a watch and snapping it to your swimsuit. Misfit will have a new, less expensive waterproof tracker soon called the Misfit Flash—see below.



TomTom Multi-Sport GPS Watch

$199.99
My personal favorite swim-safe tracker is the TomTom Multi-Sport GPS Watch, in part because it actually has a specific swim mode, which most other activity trackers do not. But it’s more of a runner’s watch (or triathlete’s watch, really) than your average, entry-level activity tracker. The TomTom Multi-Sport tracks running, swimming, and bicycling, both indoors and out. Since TomTom made the device, you can be sure the GPS functionality is solid, but it isn’t actually used when swimming is selected as an activity. Instead, it uses a motion sensor to count your strokes, and it calculates your SWOLF score. You can also adjust the length of the pool in the settings before you start your swim. TomTom tracks a lot of data, too—so much that there’s a 30-page user’s guide to wade through if you want to learn to use all the features.



LifeTrak Move C300

$59.99
The selling point of the LifeTrak Move C300, a watch-style activity tracker, is its remarkably low price. For $60, it offers quite a lot, including a built-in heart rate monitor. Instead of having a rechargeable battery, the LifeTrak Move C300 uses a coin cell battery, like most traditional watches do, which you’ll have to replace every so often. It’s waterproof up to 30 meters.



Jaybird Reign

$199.95
The Jaybird Reign is a waterproof wristband activity tracker with some neat features for not only keeping tabs on how much exercise you get, but also prompting you to improve your habits. It can tell you, for example, how much sleep you got last night plus how much sleep you should get tonight. Another interesting feature is that it reads heart rate variability (HRV), which is an indicator of whether your body can handle the stress of a workout today or if you need a of rest. While those features are interesting, the Jaybird Reign is missing several basic features found in similarly priced competing fitness trackers.



Wellograph

$349
We didn’t rate the Wellograph highly overall, but we’re including it in this particular roundup anyway, as it has a 5ATM water resistance rating (up to 50 meters), and it’s also one of the best looking activity-tracking watches you’ll find. You won’t want to jump right in the pool with the Wellograph, though, because you don’t want to get its leather band wet. Luckily, you can swap out the band, but that will drive up the cost even more, and it’s already pretty expensive. And while you can wear it in the pool, it doesn’t actually track your laps—only swimming as an activity, which is the case with many fitness trackers.



COMING SOON



Mio Fuse
$149
Mio Fuse, which will be shipping this month, is a sleek all-in-one performance wristband that’s water-resistant up to 30 meters (3ATM rating). Mio is known for making wrist-worn heart rate monitors (check out the MIO Link), and the Fuse has one built-in, too. Fuse is like a combination sports watch and activity tracker that will track heart rate, distance, pace (for running), steps, calories burned, and progress toward meeting your daily goal. A red dot-matrix display shows your key information right on the device, which is also touch capacitive (meaning you can touch it to cycle through the display, even though it doesn’t have a glass screen). All the data syncs to the Mio GO app via Bluetooth, but the Fuse also supports ANT+, opening it up to compatibility with other apps and devices you might use while working out.

Chromecast Gets (Ultrasonic) Guest Mode

You’ve probably encountered this problem before: You want to give someone access to one of your streaming devices, but they have to be on your home or apartment’s Wi-Fi. You’re a little more apprehensive about giving them the key to your network or, worse, you’re super security-focused and your key is 30+ characters long.

Solution? Nothing. At least, not until now. If you have a Google Chromecast, then a new update adds a new mode.

With guest mode, you don’t have to be on the same Wi-Fi network as a Chromecast device in order to gain access to it. You don’t have to be on a Wi-Fi network at all, in fact. As long as you’re running the latest version of Chromecast on your mobile device, and that update has rolled out to your friend’s Chromecast streaming stick, anyone with access to the Chromecast can flip on its guest mode feature.

“Your Chromecast then generates a random 4-digit PIN that is required to cast to it using guest mode. When a device nearby tries to connect, the Chromecast automatically transfers that PIN using short, inaudible audio tones. If the audio tone pairing fails, your guest will be given the option to connect manually by entering the 4-digit PIN found on your Chromecast backdrop and in the Chromecast app,” Google writes.

The Chromecast’s audio pairing bit uses ultrasonic tones to connect the streaming stick to guests’ devices. Not only are these tones inaudible to humans, but they also don’t really go farther than the room in which your Chromecast is located. So, no, your neighbor won’t be able to stream anything to your device unless he or she knows your Wi-Fi password. Google is pretty clear that the pairing process only works when the Chromecast is in the same room as the devices you’re trying to pair to it via guest mode.

Other Chromecast tweaks arriving as part of the update include some design changes, a new app icon, and screencasting for all devices running at least Android version 4.4.2 (KitKat). That last bit is a beta feature, though screencasting has been available for some devices prior to this update. This is a larger pool of supported devices and, as a beta, the entire feature might not work as well as you’d expect when you go to give it a whirl.