★ On the Timing of iOS’s SSL Vulnerability and Apple’s ‘Addition’ to the NSA’s PRISM Program
[Via Daring Fireball]
Jeffrey Grossman, on Twitter:
I have confirmed that the SSL vulnerability was introduced in iOS 6.0. It is not present in 5.1.1 and is in 6.0.
iOS 6.0 shipped on 24 September 2012.
According to slide 6 in the leaked PowerPoint deck on NSA’s PRISM program, Apple was “added” in October 2012.
These three facts prove nothing; it’s purely circumstantial. But the shoe fits.
Sure would be interesting to know who added that spurious line of code to the file. Conspiratorially, one could suppose the NSA planted the bug, through an employee mole, perhaps. Innocuously, the Occam’s Razor explanation would be that this was an inadvertent error on the part of an Apple engineer. It looks like the sort of bug that could result from a merge gone bad, duplicating the
goto fail; line.
Once in place, the NSA wouldn’t even have needed to find the bug by manually reading the source code. All they would need are automated tests using spoofed certificates that they run against each new release of every OS. Apple releases iOS, the NSA’s automated spoofed certificate testing finds the vulnerability, and boom, Apple gets “added” to PRISM. (Wasn’t even necessarily a fast turnaround — the NSA could have discovered the vulnerability over the summer, while iOS 6 was in developer program beta testing.)
Or, maybe nothing, and this is all a coincidence.
I see five levels of paranoia:
- Nothing. The NSA was not aware of this vulnerability.
- The NSA knew about it, but never exploited it.
- The NSA knew about it, and exploited it.
- NSA itself planted it surreptitiously.
- Apple, complicit with the NSA, added it.
Me, I’ll go as far as #3.1 In fact, I think that’s actually the optimistic scenario — because we know from the PRISM slides that the NSA claims some ability to do what this vulnerability would allow. So if this bug, now closed, is not what the NSA was exploiting, it means there might exist some other vulnerability that remains open.
Best conspiracy theory that might actually have some basis in reality. Apple might owe Snowden a hearty pat on the back, He revealedthe fact that the NSA was hacking Apple.
Apple was added to the PRISM program only a couple of months after the vulnerability first appeared. And this vulnerability allowed exactly the sort of thing that the NSA said it could do.
Now the paranoid thing is to think that the NSA used a mole to place the vulnerability there. I’d hate to think that the Security State would purposefully undercut a UScompanyto feed its needs.
If it did, heads need to roll.
But, what this does suggest is that Apple has been working overtime to figure out just how the NSA was hacking Apple.
Now Apple has fixed this. Wonder how the NSA feels about it?