Sandia National Laboratories worked with the CIA in trying to break the security of Apple’s iPhones and iPads, according to the online reporting site The Intercept.
The publication said it based its story on “top-secret” documents received directly from whistleblower Edward Snowden. It alleges Sandia researchers tried to find security flaws in Apple devices to open “backdoors” for surveillance of any device.
The Intercept said Sandia personnel discussed their efforts with the CIA at a conference in Virginia called the Jamboree – a secret annual gathering launched in 2006 by the CIA’s Information Operations Center, which conducts covert cyberattacks.
Sandia communications personnel referred Journal inquiries about The Intercept allegations to the National Nuclear Security Administration, which is in charge of the national laboratories. The NNSA declined to comment.
The Intercept story said Sandia’s efforts are part of a broad effort by the CIA and other defense and intelligence agencies to find ways of breaking encryption by Apple, Microsoft and other companies to open devices to government surveillance.
Cybersecurity experts say such efforts by governments and others are constant worldwide and should come as no surprise to anyone.
“That they’re trying to do that is not surprising, it’s how successful they are at achieving their goals,” said Mark Fidel, president of the Albuquerque-based cybersecurity firm Computational Analysis & Network Enterprise Solutions. “It’s a constant cat-and-mouse game where a company like Apple will keep fixing vulnerabilities, and then those trying to break in will discover new ones, and the cycle goes on. It’s a real arms race.”
In general, the only “safe” electronic communication for consumers today is the message that doesn’t get sent, Fidel added.
“You should consider anything you do electronically to be at some point publicly available,” he said. “The only security we have is in obscurity, meaning that there’s so much data out there that unless you’re doing something to raise suspicion, no one has a need to know.”
The Intercept is edited by Glenn Greenwald, who was among the first team of journalists to report on classified national security documents leaked by Snowden, a former NSA contractor.
Sandia’s efforts to hack into Apple’s code were discussed at the 2012 Jamboree, according to The Intercept. At the gathering, Sandia researchers described a successful “whacking” of Apple’s Xcode, a free piece of software downloadable from the Apple App Store and broadly used by developers to create apps for iPhones, iPads and Mac computers.
The researchers “boasted” that they had discovered a way to manipulate Xcode so it could serve as a conduit for infecting and extracting private data from devices that use apps built with the infected software, according to The Intercept.
“In other words, by manipulating Xcode, the spies could compromise the devices and private data of anyone with apps made by a poisoned developer – potentially millions of people,” the story said.
The Jamboree where Sandia researchers presented their work took place at a Lockheed Martin facility in northern Virginia, The Intercept said. Lockheed has managed Sandia National Laboratories for the NNSA since 1993. The Intercept mistakenly said Lockheed “owns” Sandia Labs.
Apple-hacking research is consistent with a much broader secret U.S. government program to discover and exploit vulnerabilities in foreign and domestic communications devices, according to the 2013 Congressional Budget Justification, another document Snowden previously provided to The Intercept.
According to that document, dubbed the “Black Budget,” intelligence agencies have targeted tech companies like Apple to break emerging encryption technology, and they’ve partnered with “national laboratories” on those efforts.
Apple executives declined to comment to The Intercept about the newly leaked documents, but Apple and other companies have resisted government attempts to break encryption.
U.S. law enforcement and intelligence agencies are concerned that modern encryption by tech companies could shield information from authorities even when they have legal warrants to access communications.
“Encryption threatens to lead us all to a very dark place,” FBI Director James Comey said in an October 2014 lecture at the Brookings Institution. “Companies themselves won’t be able to unlock phones, laptops and tablets to reveal photos, documents, e-mail, and recordings stored within.”