Are Apple iOS, OS X ‘bugs’ really backdoors for government spooks?

“Two recently-discovered flaws in Apple iOS and Mac OS X have security experts openly asking whether the software vulnerabilities represent backdoors inserted for purposes of cyber-espionage,” Ellen Messmer reports for Network World. “There’s no clear answer so far, but it just shows that anxiety about state-sponsored surveillance is running high.”

“‘One line of code — was it an accident or enemy action? I don’t know, but it’s the kind of bug I’d put in,’ remarked Bruce Schneier, chief technology officer at Co3 Systems, about the flaw in Apple OS X SSL encryption that was revealed last week,” Messmer reports. “Schneier, a cryptography expert, alluded to the Apple SSL flaw during his presentation on government surveillance Tuesday at the RSA Conference in San Francisco. The point, he says, is that the U.S. National Security Agency as well as other governments involved in aggressive mass surveillance are going to take any means necessary, including finding ways to put backdoors into commercial products, such as by code tampering.”

“Security vendor FireEye Tuesday revealed yet another Apple software flaw that it says allows for key-logging of iOS devices such as iPhones,” Messmer reports. “Was this just a simple coding mistake or something more sinister, such as a backdoor purposefully put into iOS 7.0?”

Read more in the full article here.

Related articles:
Rush Limbaugh explains OS X ‘GotoFail’ security flaw, says Apple ‘played it just right’ – February 25, 2014
Apple fixes OS X ‘GotoFail’ security flaw after four days of snowballing criticism – February 25, 2014
Apple releases OS X Mavericks 10.9.2 – February 25, 2014
Apple on OS X ‘GotoFail’ flaw: – February 25, 2014
Security expert captures all SSL traffic via Apple’s OS X ‘GotoFail’ flaw – February 25, 2014
Apple’s deafening silence on ‘GotoFail’ security flaw – February 24, 2014
8 ways to stay safe online while Apple works to fix ‘Gotofail’ flaw – February 24, 2014
Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible – February 24, 2014
Single line of code, but still no fix; former Apple security engineer Paget to Apple: ‘FIX. YOUR. SHIT.’ – February 24, 2014
Apple promises to fix OS X encryption flaw ‘very soon’ – February 23, 2014
Behind iPhone’s critical ‘GotoFail’ security bug, a single bad, really bad ‘goto’ – February 22, 2014
Protect a Mac from the SSL / TLS security bug (until fix arrives) – February 22, 2014

62 Comments

    1. I continue to be surprised by the level of paranoia. If Apple was going to install a backdoor for the NSA (and I do *not* believe that they have done so or will do so in the future), then it would not be so obvious.

      This was, plain and simple, a stupid coding error that should have been caught at some point of the code review/quality control process. Apple screwed up. It happens.

      1. This could be stupid coding error, and could be not.

        Remember that Apple can unlock passworded iPhone, they have queue for authorities for that.

        This is only possible because Apple intentionally left backdoor (they would call that “bug” if it will be found). Sometimes those backdoor are so intricate — for example, you have to perform totally weird sequence of physical and touch buttons presses/touches, that it could be never found.

        Code is not open source, so this is the way to do it.

    1. Well, I’m not sure it’s accurate to say ‘most malware are key loggers’. Most tend to be Trojan horse botware that turn your machine into a spambot.

      Having said that, however, once a Mac is owned, key logging is dirt easy.

      Note that there are A LOT of ‘legal’ key loggers for Mac, commonly used on commercial/enterprise computers to keep track of workers. They’re also very common among other networks where there is a considerable ‘LUSER’ factor, clients on the network that attract malware and other problems via their behavior. This can include home computer surveillance by mummy and duddy.

  1. 1) How sick that we have to be paranoid about our own US government. Well done #MyStupidGovernment. You raped yourselves, destroying the Fourth Amendment to the US Constitution. Telling you to go frack yourselves is now redundant. Next step: Impeachment.

    2) The crap-coding that caused the Apple SSL flaw is very recent, within the past year. Therefore, I tend to consider the justified paranoia factor to be very low. But we’ll never know, no doubt, unless we have another patriot whistleblower bring this further treasonous crime into public view.

    ∑ = There are more important problems to consider. What’s with this key logging thingy? Back to research mode…

        1. OMF, it just keeps getting more surreal:

          The Obama administration asked a federal surveillance court on Wednesday for permission to hold millions of phone records longer than the current five-year limit.

          A five-year limit on holding ILLEGAL, UNCONSTITUTIONAL mass surveillance records of US citizens on US soil.

          No Obama administration, you get a ZERO-year limit to hold Fourth Amendment destroying mass surveillance records of US citizens on US soil. GO TO JAIL, go directly to jail. Do not pass Go. Do not collect $200. You blithering idiots.

          #MyStupidGovernment at work. 😛

      1. The OBAMA administration asked a federal surveillance court on Wednesday for permission to hold millions of phone records longer than the current five-year limit.

        OBAMA Team: Help Us Spy On You Better
        NSA Tries–but Fails–to Collect Data on Most Calls
        Secret Court Approves OBAMA’s Changes to NSA Phone Sweeps

        The Justice Department argued that data needs to be maintained as evidence for the slew of privacy lawsuits filed in the wake of the Edward Snowden’s leaks about National Security Agency surveillance. The American Civil Liberties Union, the Electronic Frontier Foundation, and other groups are suing to shut the program down, claiming it violates the constitutional rights of millions of Americans.

            1. I like seeing as many POVs as possible in order to get a 3D view of anything. My beef with Snowden is that Iceland repeatedly offered him asylum, and he ignored them repeatedly. He chose to remain in China (albeit Hong Kong) then fly off to Russia. Both countries are criminal nations I would NEVER wish anyone to live. They are scum next to the USA, even now. So Snowden offers them some sort of legitimacy by going there? EXTREMELY bad judgement, IMHO.

              That garbage aside, thank goodness for Snowden’s bravery, insight and sacrifice. He has been an EXCELLENT spokesman and has handled this issue brilliantly. I wish he could simply return to the USA without prosecution and live a life worthy of a loyal US citizen.

            2. I forgot to add my usual line that: I’m sure there’s more to all of this than I can comprehend. I don’t know his motivation. I simply can’t approve of his choice of havens. They were choices, albeit with unknown other forces in force.

    1. >>> 1) How sick that we have to be paranoid about our own US government. Well done #MyStupidGovernment. You raped yourselves, destroying the Fourth Amendment to the US Constitution. Telling you to go frack yourselves is now redundant. Next step: Impeachment.

      Correct me if I’m wrong, but aren’t the people that are doing this the same people that would implement the “impeachment”, and the same people that wrote the laws making all of this illegal?

      My head hurts.

      1. NO laws were written to allow mass surveillance of US citizens on US soil. If there had been, they’d be on the way to the US Supreme Court for revocation. NO, the so-called ‘Patriot Act’ does NOT attack the Fourth Amendment of the US Constitution in any way. Instead, it created FISA, which demands that all secret surveillance go through the FISA courts, aka FISC.

        The problem is that, among other things, the W. Bush and Obama administrations BROKE the Patriot Act by either:

        A) Skipping the FISA courts entirely, which lead to legal action during the W. Bush administration,
        OR
        B) LYING to the FISA courts about what they were actually doing, which is now extremely well documented. (FU Mr. Clapper!)
        OR
        C) Bullying the FISA courts into ILLEGALLY allowing mass surveillance, which has been documented to have happened A LOT, and continues right now!

        As for who does the impeaching, that would be that shite hole called the US Congress. I only know of ONE senator who has pointed out that all mass surveillance is unconstitutional at all times. That is Rand Paul, a quirky libertarian.

        Then we have a worthless judge who threw out an ACLU case against these crimes, claiming that mass surveillance is ‘legal’, which any 6th grader knows is bullshit. What was this criminal judges name? Oh yeah. US district judge William Pauley.

        So yeah. How do we get this vast gang of treasonous scam impeached and tried for treason when THEY are the criminals?

        My only source of hope is the rise of viable, representative THIRD parties. To hell with both Democrats and Republicans, who have both brought these crimes and decadence upon all citizens of the USA.

            1. The constitutional standard for all search warrants is probable cause of crime. FISA, however, established a new, different and lesser standard — thus unconstitutional on its face since Congress is bound by, and cannot change, the Constitution — of probable cause of status. The status was that of an agent of a foreign power. So, under FISA, the feds needed to demonstrate to a secret court only that a non-American physically present in the U.S., perhaps under the guise of a student, diplomat or embassy janitor, was really an agent of a foreign power, and the demonstration of that agency alone was sufficient to authorize a search warrant to listen to the agent’s telephone calls or read his mail.

              Over time, the requirement of status as a foreign agent was modified to status as a foreign person. This, of course, was an even lesser standard and one rarely rejected by the FISA court. In fact, that court has rarely rejected anything, having granted search warrants in well over 97 percent of applications. This is hardly harmless, as foreign persons in the U.S. are frequently talking to Americans in the U.S. Thus, not only did FISA violate the privacy rights of foreigners (the Fourth Amendment protects “people,” not just Americans); it violated the rights of those with whom they were communicating, American or non-American.

              It gets worse. The Patriot Act, which was enacted in 2001 and permits federal agents to write their own search warrants in violation of the Fourth Amendment, actually amended FISA so as to do away with the FISA-issued search warrant requirement when the foreign person is outside the U.S. This means that if you email or call your cousin in Europe or a business colleague in Asia, the feds are reading or listening, without a warrant, without suspicion, without records and without evidence of anything unlawful.

  2. It’s just causing a feeding frenzy.
    Spooks=FUD=FUDfighters

    The reality is, spy’s do spy things, since the advent of Stuxnet, anything is possible. Every company might have a code moding mole. However, I thought it was standard practice in debugging, to check for dead code, right before compiling. A dead code check would have caught this, I think.

    1. Ideal conditions vs financial mandates will usually be a big problem. “I WANT IT YESTERDAY!” “I WANT IT CHEAP!” tend to be the usual cries from software clients. Therefore, every possible corner gets cut. The code doesn’t get documented (which is a supremely expensive short term shortcut!). Crap code isn’t vetted. (This too can be an incredibly expensive self-damnation).

      Short term thinking, long term disaster. If there’s a mantra for our times, that’s it.

        1. I have no insight into that at Apple. I know Apple keep a limit on the number of internal coders on particular projects. We had 10.9.2 beta iterating for months, which was kind of odd. Clearly, Apple had other coding priorities going on. I have no idea what they were.

          The challenge of course is to balance time and money and come out on target with whatever budget is set, for whatever reason. Good luck with that.

            1. It’s nauseating to realize you might be correct.

              If the NSA was honorable, if they cared about the law, I might not care! But they’re plain old fascist about the entire endeavor, FUDing us all into approval of their crimes, puke, gag, barf.

  3. Messmer makes up something out of the blue without a shred of evidence to back up her vapor-idea and then throws out “There’s no clear answer so far” as if it is an ongoing investigation.

    “Hey Ellen, we need a story for Wednesday, go make something up”

    My vapor-idea? It was a developers shortcut that they forgot to take out of the finished product.

  4. Ridiculous. The NSA, FBI, Homeland Security, etc. have far more sophisticated methods of collecting data than logging every Mac OS X user’s keystrokes and trying to figure out whether Joe is organizing a terrorist cell or surfing porn.

    Conspiracy theorists please go back down to the basement.

    1. No kiddin’
      If the NSA wants to get into all your computers, the methods are going to be enormously more powerful and enormously more effective than this stupid little bug.

  5. There is no benefit under any circumstances to put in a back door, as the people who search for them may indeed be far smarter than the people who put them in.

    That means they might exploit them for years undetected.

    Build sound code by all means necessary.

    Anyone can put the source code into a GREP editor and do hundreds of different forms of text checking for various syntax, formatting and simple character errors in a very short time and then follow it up with very sophisticated code checking routines.

    I would have thought that extremely sophisticated error checking is just routine in a large company like Apple at this point. This error must have simply not been checked for.

    1. One of my duties in a prior life was regression testing for a very complex set of applications that gathered tens of GB of data daily, stored it in an Oracle DB, analyzed it, displayed it, and performed customer billing based on it. It took 4 of us 8 weeks every time an update was made to the application suite to check it out before deployment. First we developed a list of application requirements. From these we developed test cases for each and every feature and function. The test cases were then converted to test lab items. There were dozens of categories, with hundreds of test lab items to be performed in each category, usually several per function. Each test lab item had to be set up and run manually for review by one of us. This involved creating data including all possible characteristics, to be run through the test lab item. Each test lab item might have from 5 to 30 or so detailed steps.

      Running through hundreds of these test lab items per day was tedious and boring. There was great temptation to take shortcuts, but having to record the procedures and outcomes in a reviewable form discouraged that, and any such fudging would have been immediately traceable if something like this piece of code would have showed up. A test lab item written for this particular application and this instance of code in particular would have required that we could establish an SSL connection with an authenticated server, and that an unauthenticated server, or a spoofed server would have been rejected. We would have had to demonstrate and record the method and results in our testing application’s database. But in the end, if we simply wanted to cut corners we could have done it. We could have reported a test item as “successful” when it wasn’t and assumed that nobody would ever actually look at the test records.

      I think this is what happened at Apple. I think someone under a lot of pressure to deliver fully tested and functional software “yesterday” simply took a shortcut and hoped for the best.

  6. It’s pretty simple to accomplish this if you think about it.

    Find Apple software engineers working on the specific parts of the OS you want to compromise. Offer the engineers large sums of money to introduce bugs. Wait until you receive the all clear.

    Sit back and report in your documents that Apple was “added” to PRISM.

    If I was Tim Cook, I’d be investigating everyone who had access to that code, tracking when the changes were made and working backwards.

  7. Hmm you know ppl, this MIGHT be the reason Scotty F got ditched by Timmy…sure there was a war between Ive and SF and no Jobs to protect him anymore but maybe he was a NSA mole…Eric S definately was a google mole (self evident)

  8. Hey Derek Currie, you do have a lot to say today. Not that I disagree with any of it.

    However, with all your loose talk about the government and NSA you might find some black Suburbans pull up in front of your house soon. These are not good, honorable people you are speaking of.

    Be careful my friend.

  9. I think it’s the aliens attempting to gather enough information about our stupid species, so they can easily colonize and take over… Where the hell do you think all the “reality” TV shows came from? They’re just a distraction, so we don’t notice until it’s too late.

    1. Sorry, but the reality shows are just us doing ourselves in. Alien invaders merely need exercise a modicum of patience, as we advance in our stupification, until they can easily slither in and take over.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.