Apple lawsuit scares security researchers away from using Corellium

Some security researchers say they’re too scared to buy, use, or even talk about the controversial iPhone emulation software Corellium, whose makers are in a legal battle with Apple.

Corellium lawsuitLorenzo Franceschi-Bicchierai for Vice’s Motherboard:

Last year, Apple accused a cybersecurity startup based in Florida of infringing its copyright by developing and selling software that allows customers to create virtual iPhone replicas… Very few people, especially current and former customers and users, want to talk about Corellium, which sells the eponymous software that virtualizes iPhones and Android devices. During the lawsuit’s proceedings, Apple has sought information from companies that have used the tool, which emulates iOS on a computer, allowing researchers to probe potential iPhone vulnerabilities in a forgiving and easy-to-use environment.

“Apple has created a chilling effect,” a security researcher familiar with Corellium’s product, who asked to remain anonymous because he wasn’t allowed to talk to the press, told Motherboard… Several other cybersecurity researchers expressed fear of retribution from Apple for using Corellium.

MacDailyNews Take: Again, there is a reason why too many failed attempts to unlock disable an iOS device: Security.

Corellium allows this important security feature to be sidestepped allowing for brute-force attempts to unlock devices, among other things.

Apple offers a $1 million “bug bounty” for anyone who discovers flaws in iOS and gives custom “dev-fused” iPhones to legitimate researchers.

Again, you couldn’t beg for a lawsuit from Apple any better than Corellium, and that’s a list that includes the likes of Psystar!

To thwart brute-force attempts to unlock you devices, always use long, custom, alphanumeric passcodes. Use at least seven characters – even longer is better – and mix numbers, letters, and symbols.

To change your passcode in iOS:
Settings > Face ID & Passcodes > Change Passcode > Passcode Options: Custom Alphanumeric Code

6 Comments

  1. “Corellium allows this important security feature to be sidestepped allowing for brute-force attempts to unlock devices, among other things.”

    I must be missing something here.. Why would using brute force methods to unlock a Corellium virtual device unconnected to any sort of personal information what-so-ever be a security problem? Is there some way for Corellium to create a virtual copy of an actual device so that it can be brute forced that isn’t mentioned here?

    1. Corellium is creating something on which iOS runs which isn’t manufactured by Apple, and that’s a violation of the licensing terms of iOS. Remember, you don’t OWN the copy of iOS that’s on your iPhone; it’s licensed for your use under very specific terms, and one of those terms is that you can’t use it anywhere but actually on that iPhone.

      To build a business around theft (which is what using software that you have no right to use is) is something that the courts frown on. Chances are that Apple will win this one.

        1. They use the emulated environment to continuously attack iOS. Thus allowing them to by-pass the built in security that would otherwise lock the device. Once a vulnerability is found they can then apply it to the actual device they want the data from.

          1. Once more, if a brute force attack is being made on the emulated device, this pretty much assumes trying to find the ‘right’ passcode, how does that ‘solution’ have any bearing on unlocking an actual physical device which would have a completely different passcode?

            Any other vulnerabilities that would be discovered in iOS using the emulated system would not be limited by the passcode try lockout security. That kind of attack would also not be unique to the emulated device and the hacker could have just used any physical iPhone in the first place to discover the same.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.