Posted on 06/10/2014 10:25:59 PM PDT by Swordmaker
Can the NSA really listen to your iPhone’s microphone even when it is turned OFF? Experts say it is possible - but reveal the trick to beat it
The NSA could technically listen in to the microphone of an iPhone even if it switched off, experts have revealed.
The claim was first made by Edward Snowden during an interview with Brian Williams of NBC Nightly News.
Today, experts confirmed the technique was technically possibly - and revealed a way to sidestep it.
The claim the NSA could technically listen in to the microphone of an iPhone even if it switched off was first made by Edward Snowden during an interview with Brian Williams of NBC Nightly News.
The claim the NSA could technically listen in to the microphone of an iPhone even if it switched off was first made by Edward Snowden during an interview with Brian Williams of NBC Nightly News.
Brian Williams of NBC Nightly News, holding his iPhone aloft during last Wednesday’s interview, asked, “What can the NSA do with this device if they want to get into my life? Can anyone turn it on remotely if it’s off? Can they turn on apps?
'They can absolutely turn them on with the power turned off to the device,' Snowden replied.
Security researchers claim the technique is possible, and that software could make the phone look like it’s shutting down but actually entering a low-power mode that leaves key communication chips on. . .
This 'playing dead' state would allow the phone to receive commands, including one to activate its microphone, Eric McDonald, a hardware engineer in Los Angeles told Wired.
(Excerpt) Read more at dailymail.co.uk ...
Threat model. To mount our main attack where we capture video without any external indication to the victim, we assume that an attacker is able to run native code on the victim’s computer as an unprivileged user. Further, we assume the code is unencumbered by defenses such as Apple’s App Sandbox which is used for applications downloaded from the Mac App Store but by little else. This assumption is quite mild...
...
We stress that our main result — disabling the iSight LED — only applies to the first generation internal iSight webcams and we make no claims of security or insecurity of later models...
Please provide proper attribution and a working link which goes directly to the published material in your post. In fact, always provide proper attribution, including a working link to the site of original publication each time you post any published material.
Thanks.
Without the system booted, what would execute the software?
You get your own grip, Defiant. You just spouted a load of mythological based FUD yourself. A lot of what you just said simply is not true. First of all, please link me to a thread on FreeRepublic where I have gone "Ape" over anyone suggesting it would be "nice if iPhones have a removable battery." Please.
There are excellent engineering reasons for not having a removable battery which I understand and appreciate. These choices made by Apple engineers are why our iPhones and iPads are as small, thin, and light as they are, yet still have industry leading battery lives. Ask yourself, Defiant: "What does it take to add a user replaceable battery?"
Not having a user replaceable battery allows Apple engineers to use caseless battery cells that can be as flat as they need them, in any shape that best fits the available volume and space. . . or even use two or more separate battery packs in different locations inside the body of the phone to maximize the energy availability in the space availability, and increase the operational time. . . all while minimizing size and weight, on which consumers put a premium.
All that would have to be given up for a small minority who, like you, who have been carping for seven years about not having replaceable batteries. You want more time? Buy a Mophie case and double the power.
No, Defiant, this is a decision that makes sense every way you look at it. . . Adding a user-replaceable battery makes no sense unless you want to add cost, size, weight, problems, more customer dissatisfaction, and, in the long run, shorten the longevity of your product.
Is that going "ape" or is that explaining why Apple made a reasonable product design decision that I like that makes the product overall a better product?
You picked up on more FUD on "Antennagate" and Steve Jobs' comment. Jobs made an off the cuff joke to a guy he thought would have a sense of humor, before he went on to explain there really was no problem. And there wasn't. . . but the guy had no sense of humor, didn't believe Jobs, and spread the comment around the world. The iPhone4 went on being sold WITHOUT any antenna changes or redesign in the rest of the world, Defiant, and no antenna complaints were registered in any other market or carrier. Articles, which I posted on FR, from Australia were asking "what antenna problem?" and the iPhone 4 actually, when tested against competitors, was found to have the best reception performance of them all. The issue was a carrier based problem with AT&T only, with too many customers and not enough bandwidth causing dropped calls in certain urban areas. The unchanged iPhone 4, has been resurrected by Apple this year for sale in third world countries and STILL no antenna issues.
And I was quite serious about putting a phone (not just an iPhone) in a microwave oven. . . Even if it is a humorous solution. But I see you have no sense of humor like the guy Jobs was chatting with.my point was that if you are so damn paranoid and worried that someone can eavesdrop on you from a turned off phone and you must talk about something sensitive, put the damned thing in a microwave oven. A microwave oven is impervious to the radio wavelengths. . . nothing in, nothing out. Then you should probably have your chat in Klingon.
Your claim that "Apple hates when third parties make accessories that allow them to make a buck, and so they create proprietary cords and work hard to make working on an iPhone, iPad or Macbook Pro as difficult as possible for non-Apple techs" is absolutely ludicrous and demonstrates you don't know what you are talking about. If Apple hates this so much, why are they the leaders in meeting system standards? What is "proprietary" about Intel's Thunderbolt? How come Apple licenses over 10,000 authorized accessory manufacturers for Apple accessories? Why has Apple paid out over $10 Billion to independent App developers? Why do Macs work with industry standard peripherals? Why does Apple make adapters available for all standard cables? Why does Apple publish the specifications for their "proprietary" connectors which they've adopted to be able to make their devices even thinner yet, not, as you say "just to make working on . . . as difficult as possible. . ."? Why does Apple use a standard, easily available screwdriver, although not common, if they are trying to lock out techs. . . when the tech can buy one for under $10?
Could it be, Defiant, that the Apple devices have gotten so compact and layered with parts, that an amateur tinkerer should be discouraged from tinkering? Some devices do reach a level of such complexity. A recent IFixIt tear down of an Apple product warned readers that if they attempted the tear-down, they could easily tear a hidden ribbon cable connector off its circuit board if you didn't know where it was, under two other parts, and the cable had to be carefully disconnected before you removed those parts. Do you think, just perhaps, that might be why it's hard to open the cases?
Do you know that back in 1998 people were complaining about Apple using "proprietary cables" and using these strange proprietary peripherals that had to use those damn "proprietary USB connectors?" Where do you think innovation comes from? Apple is not using these connectors to lock out competition. They're better connectors.
You claim I respond as though I have been personally attacked. Defiant, when I respond like I have been personally attacked, it's because I HAVE BEEN personally attacked. Defiant, I have been the target of some of the worst invective, insults, and name calling on FreeRepublic merely because I use a Mac, iPhone, iPad and/or maintain the Apple/Mac/iPhone/iPad/iOS PING list and post articles for the list. Some of those attackers succeeded in getting themselves banned for life from FreeRepublic.
On this thread, a troll came on with the usual off hand insults to Mac users. . . Implicitly stating that Mac users are too stupid and inept to be able to find back doors and viruses. Then implying we are so stupid we buy overpriced hardware containing underpowered obsolete parts. I did not insult him. I showed him how his fallacious his assertion were with graphical proof. . . and challenged him to prove his assertions. For this. I was called an A$$hole, and you attacked me with more misinformed "facts" from the FUD mill. The SAME people keep coming onto these threads, spreading the same lies, despite being shown the facts over and over. Yet they will repeat the same thing the next time. I tried the polite approach. . . I still do. I have been getting this for TWENTY YEARS - I turned 65 last Friday and I just won't take it anymore. They are the trolls. They are the A$$holes. Read what you want into it. . .
In Alvin’s defense, the article is linked in the original reply. Thanks for moderating. I appreciate your hard work.
Thank you for pointing that out. I read through the entire paper except the citations. Amazing work though it is at best a Trojan in that they do have to get the user to install and run the malicious App so that part of it is activated in a VirtualBox in a virtual OS that is not OSX. One other caveat seems to be, reading between the lines, is that user had to have administrator privileges. . . and the attacker had to have it too because they mentioned the necessity to use SUDO. Had the victim user been operating as a Standard User as is the recommended practice, this would not have worked. Couple of other points. . . G5 computers cannot access the App Store, which they mention is a prerequisite for this to work, although there are other modalities to get the iSeeYou app on target G5. Biggest is the VirtualBox necessity to be running. . . That is a killer and sort of takes us back to the preparing the machine in advance to be invaded before it can be. How many Mac users are going to be running the appropriate guest OS under VirtualBox which has full root privileges (that's actually how the hardware reprogramming of the iSight camera EPROM is accomplished)?
Incidentally. . . Since their exploit requires VirtualBox to allow virtual machines to run on INTEL processor Macs, they are quite wrong that the exploit will work at all on a G5 iMac which uses a G5 PowerPC processor and not an Intel processor. Their only reason for claiming so is that the iSight camera exists on those models of iMacs. They’d have to write an entirely different code to have it work on a G5 iMac! LOL!
I think Sten is referring to a sleeping or hibernating computer. . . The NIC card has a dumb processor on it capable of certain dedicated tasks, among which is sending a signal to the host computer saying "Hey! Sleeping Beauty! wake up! Someone wants to chat with you!" The NIC card is always listening for that incoming alert to the MAC address. . . unless it is powered down.
If you check my posting history, you will find that I have posted negative articles about Apple as well as positive articles. . . and I've also criticized them. Your unwarranted assumption that I believe Apple is perfect is totally wrong. I just prefer facts and truth over myth and revisionist history. . . and FUD.
Six years ago I was discussing suing Apple with my in house attorney. . . my wife died suddenly due to a massive heart attack. I was keeping her last voicemail message to me on my iPhone in my visual voicemail inbox and would listen to it daily. One morning it was gone! I frantically looked for it, called Apple support, went to the Genius Bar and was informed that Apple iPhones were set to retain voice mail for only 30 days and then automatically delete them!!! Why? No one knew why. There was no lack of memory. It was a completely arbitrary timed deletion put in by some anonymous programer. And no, voicemail is not backed up and at that time it couldn't be forwarded or copied to anything. It existed only on my phone. No, I found out, ATT did not have a copy. . . Or they wouldn't admit to having it.
A wrote a bitter, nasty letter to Steve Jobs. He called me personally to apologize for Apple's oversight and egregious error. . . and told me the issue was fixed and would be in the next iPhone update.
No, they are not perfect. They make mistakes. I decided not to sue. My lawyer said there were no economic damages and emotional damages are hard to prove.
My point is that I will correct misinformation, provide the correct data, and generally provide links to the proof. If you don't like that and think that's being a "fanboy" too bad. If you are interested in news about Apple and their products, if be glad to add your name to the ~560 other Freepers on the Apple/Mac/iPhone/iPad/iOS Ping list who have asked me to do what you have criticized me for doing: keep them appraised of what's happening in the world of Apple, and keep the fact straight when people post myths, lies, and FUD. I've been maintaining that list for almost ten years.
Thanks.
You’re welcome.
It seems if someone were really worried about their phone being ‘tapped’, simply putting a piece of scotch tape over the microphone would render it useless.
I agree that, as presented, it’s a Trojan. Also, this specific exploit doesn’t work in current models anyway.
I’m not sure about the other things you mentioned:
- The only AppStore reference I recall was that the attacker should *not* use the AppStore since Apple’s Sandbox needed to be avoided.
- They claim that everything runs as an unprivileged user. I didn’t notice any use of sudo — if I missed it, maybe it’s just being used to start a new login session for some reason?
- I don’t see any reason this exploit wouldn’t run on a G5. That doesn’t affect the microcontroller code, and the supervising CPU code could be recompiled for the PowerPC (if iSeeYou isn’t already a fat binary with both PowerPC and Intel code).
Anyway, none of this is really the point. As you said, it’s a proof of concept, showing that it’s possible to get around even straightforward hardware limitations to do seemingly impossible things in software. But it’s really more than a proof of concept, it’s an incredibly clever tour de force.
This exact exploit is out of date, but it should remind everybody to be wary in general. This has nothing to do with Apple, and applies equally to Windows, etc.; it’s the microcontroller hack that’s the key here.
By the way, I think Stuxnet was also a USB microcontroller attack.
If instead, I had received a post discussing the design reasons for using an internal battery instead of a removable (all of which I am fully aware of as I am a tech blog junkie and longtime tech tinkerer.) Apple has its reasons for the internal battery, but I also recall the days a few years ago when they were doing a very brisk business replacing the internal batteries on iPods and early iPhones for $100 a pop, while other gadgets could use replaceable batteries for $10. They were accused at the time by consumer advocates of planned obsolescence. I don't mind discussing the pros and cons of that issue, but what I got was yelled at. You need to have a better filter for when to engage an ally and when to ignore a troll.
Turning the microwave on while the phone is in there is an excellent way to make sure the feds won't be able to use your phone to track you any more.
Uh, actually I have a heck of a lot less to fear from the chinese than the nsa.
I appreciate and always read the articles you post. I admire your willingness to take the slings and arrows from all the Apple haters out there, which comes with the territory in any discussion of Apple. Keep it up, and don’t let the haters make you stop, or become so defensive that you drive off allies.
They were quite clear that for this to work, the payload portion was required to run in a virtual "guest OS" under VirtualBox, a system that enables alternative Intel based operating systems to operate simultaneously with OSX. VirtualBox is a free UNIX app that is equivalent to Parallels Desktop or VMWARE's Fusion which cannot even operate on any PowerPC processor computers, nor could any of the Operating Systems it supports run, since there is no Intel processor for it to use.
When an OS is virtualized under one of these type of applications such as VirtualBox, that OS can operate under its own rules, hitting the hardware, ignoring the permissions inherent in UNIX. it is a way to bypass Root permissions. Since the G5 is NOT an Intel processor, the command structure is totally different, as are the system calls. It is not a trivial issue to simply write another hardware level EPROM flash writer.
In general, I agree with your point about the new approach to attack other micro controllers included with the system, but I think that they did stretch their point when their target Macs had to be running a non-standard environment with a VirtualBox with an un-named OS of their choice. My original point was valid as well. . . that they would have gotten nowhere on a standard environment, as sold Mac, attempting this with as a remote exploit. In other words, we are both right to an extent.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.