Apple says recent Wikileaks CIA docs detail old, fixed iPhone and Mac exploits (techcrunch.com)
177 points by gerosan on March 24, 2017 | hide | past | favorite | 67 comments



If you're not familiar with the iPhone platform and you're interested in just one technical detail to help navigate these stories, let it be this: the iPhone 3G platform bears very little resemblance to the modern, post-touch-ID phone. The platform security system at every level, from boot chain to hardware domains to OS security, evolved more in the last 10 years than any previous platform had in 20 years prior.

That doesn't make an iPhone 7 impregnable, but it should inform any analysis you do of stories about phones being tampered with "starting in 2008"; that's a little like talking about SMTP server security "starting in 1993".


I have not read the leaked docs; however, from the description it sounds like the good old 0x24K bootrom exploit[0] which lasted through the earlier revisions of 3GS until it was patched in hardware. There were a few bootrom exploits but by the time iPhone 5 came out, this vector was mostly gone if not entirely and every jailbreak since then required an initial privilege escalation in the userland.

[0] https://www.theiphonewiki.com/wiki/0x24000_Segment_Overflow


It's one thing to state that the current version of the iOS is 'more resilient to intrusion/usurpation than another version', and it's another thing entirely to understand that Apple, Inc., itself ... may not be as resilient as required in order to validate the position that 'we can stop worrying about the CIA'.

We should not 'stop worrying about the CIA' just because Apple came to the rescue and already fixed the bugs.

We should, in fact, continue to apply pressure to such vendors of digital enslavement as Apple, and the rest of the sordid gang, to provide real evidence that "Things are Okay™", when asked.


What would you interpret as "real evidence"?

I have no idea how you would begin to demonstrate that a body of source code as big (in both lines of code and length / size of the development project) as iOS, Android/Replicant/Lineage, or any other modern operating system contains zero backdoors, especially when your threat model involves the software authors helping you over a period of many years to weave those backdoors into the OS and obfuscate them as much as necessary.

I also have no idea how to audit a physical phone I have received from an Apple Store to make sure that the hardware and firmware faithfully implement what they are supposed to be implementing.


Open Source all the things. It works.


Can you expand on how it works? For instance, do we know that there are no backdoors currently present in AOSP / Replicant?


In the case of Replicant it would be the Voight-Kampff test.


I still wonder how much it would have cost the FBI to crack the passcode/phrase on a phone with secure enclave. I also wonder if an agency like the NSA has capabilities around these devices and would they be willing to expose such capabilities in another similar scenario. A final musing of mine is if they wouldn't just claim some group or another did it for $X,000,000 dollars to make it all seem plausible (e.g. the cost and attack scenario on the 5c was plausible and probably required desoldering the storage, but that won't help on a device with the enclave system).

The encrypted by default iOS 4 and the whole design around passcode handling in that release was the start of a very strong security posture for Apple and their iOS devices.


> I still wonder how much it would have cost the FBI to crack the passcode/phrase on a phone with secure enclave.

Apparently $1,500[1]:

"Cellebrite's CAIS now supports lawful unlocking and evidence extraction of iPhone 4S/5/5C/5S/6/6+ devices (via our in-house service only)."[2]

[1] https://www.macrumors.com/2017/02/24/cellebrite-lawful-unloc...

[2] https://twitter.com/jifa/status/834510775158976513


Sadly, I can no longer update my comment, but please note that the iPhone 5S, 6, and 6+ are equipped with Secure Enclave.

As recently as last April, the FBI was claiming they could not access 5S or newer models[1] (at least with the hack they reportedly bought for over $1 million[2]).

[1] https://9to5mac.com/2016/04/07/fbi-iphone-hack-method-secure...

[2] http://www.cnn.com/2016/04/21/politics/san-bernardino-iphone...


I wouldn't trust the FBI as an accurate source of information about things like this.


I don't see any mention of iOS versions there. Do they claim to support 10.3?

Btw, these don't mention 6S or later models, or even the iPhoneSE.

Guessing the exploits are dependent on chipset or older version of the OS.


I always find it fascinating to read and understand the mistakes of yesteryear. Many of the same architecture flaws can be found in systems today, and likely tomorrow. Bugs, on the other hand, are fun because we tell ourselves we would never make those mistakes, and then proceed to make them.


As an iPhone 3G user who spends a lot of time bouncing between countries, this makes me think I should upgrade to something more recent the next time I'm headed anywhere there's a risk customs may inspect my devices.


There haven't been any security updates for the iPhone 3G since 2011, so I'd worry about other types of attacks (web malware) as well.


I'm more impressed that your battery life hasn't gone to shit by this point.


Customs is a different threat model: they have the ability to say "Please unlock your phone and show us what's on it." You can refuse, although that might get your device confiscated or your trip delayed or cancelled. The CIA's threat model in the leaked documents involves silent software exploits. There's no involvement with the human owner of the device.

It's very important to understand the silent-exploit threat model! That's the model used when someone is being investigated as a terrorist (or freedom fighter) and the government doesn't want to make them aware they're being surveilled, because they might change their plans.

In particular, the 3G is going to be highly vulnerable to silent exploits because of the lack of software updates, but that's not your concern at the border. Your concern is the lack of Secure Enclave on the 3G. That means that if they take your phone from you, they can image the contents of it fairly easily, without needing a fingerprint or passcode from you. If you get a newer phone, enable encryption, and use a strong passcode instead of a fingerprint, you can reboot the phone before a border crossing, and then the data is strongly protected unless you choose to give up your passcode.

For the customs threat model, you might also want to bring a different phone with limited data when traveling. It might make sense to have a powered-off phone with a Secure Element somewhere separate from you (e.g., shipped via post), and just use the 3G for contacting folks while in transit, wiping all interesting data from it. In theory, this means your secure phone could get confiscated but you can't be compelled to unlock it (since you're not physically with it). I'm curious if other folks on this forum think this is a reasonable plan.

... Also, the easy vulnerability to silent exploits is probably a huge threat for you for non-government attackers, which are a much more common attack.
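The comment above rests on two properties that the public iOS Security Guide (linked elsewhere in this thread) describes: the passcode-derived key is entangled with a per-device UID that never leaves the silicon, and the failed-attempt counter lives in the Secure Enclave rather than in flash that can be imaged and restored. The toy model below, added here and not Apple's code, shows why a perfect NAND image is useless without the UID, why a restorable counter turns a 10-try limit into an unlimited on-device search, and why rebooting before a crossing matters: after reboot only the wrapped form of the data key exists, which is exactly what this model attacks. The KDF parameters, the XOR-plus-HMAC key wrap and the counter class are simplified stand-ins for the real mechanisms; the UID and data key are constructed at random.

```python
"""Toy model of passcode/UID entanglement and attempt limiting.
Added example for this thread, not Apple's code. Structure follows the public
iOS Security Guide description; KDF parameters, key wrap and counter are
simplified stand-ins (assumptions), and all keys are constructed at random."""

import hashlib
import hmac
import itertools
import os

ITERATIONS = 200             # assumption for the toy; real devices calibrate to ~80 ms/attempt
DEVICE_UID = os.urandom(32)  # constructed: per-device key fused into the SoC
DATA_KEY = os.urandom(32)    # constructed: the key the user's files are encrypted under


def passcode_key(passcode: str, uid: bytes) -> bytes:
    """Unlock key = KDF(passcode, UID). Without the UID the derivation cannot be
    run off-device, so an attacker holding only the flash image is stuck."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, ITERATIONS, dklen=32)


def wrap_key(passcode: str, uid: bytes, data_key: bytes) -> tuple:
    """Wrap data_key under the passcode key. Toy scheme: XOR with a derived pad
    plus an HMAC tag so a wrong passcode is detectable (iOS uses AES key wrap)."""
    k = passcode_key(passcode, uid)
    pad = hashlib.sha256(b"pad" + k).digest()
    wrapped = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(k, wrapped, "sha256").digest()
    return wrapped, tag


def unwrap_key(passcode: str, uid: bytes, wrapped: bytes, tag: bytes):
    """Return data_key for the right passcode, None otherwise."""
    k = passcode_key(passcode, uid)
    if not hmac.compare_digest(hmac.new(k, wrapped, "sha256").digest(), tag):
        return None
    pad = hashlib.sha256(b"pad" + k).digest()
    return bytes(a ^ b for a, b in zip(wrapped, pad))


class AttemptCounter:
    """Failed-attempt counter. restorable=True models a counter kept in NAND that
    the attacker images first and writes back whenever it runs out (the 5c-style
    mirroring scenario); restorable=False models a counter held in the Secure
    Enclave, which a NAND image cannot reset."""

    def __init__(self, limit: int, restorable: bool):
        self.limit, self.restorable = limit, restorable
        self.failed = self._snapshot = 0

    def snapshot(self):
        self._snapshot = self.failed

    def restore(self):
        if self.restorable:
            self.failed = self._snapshot

    def allow(self) -> bool:
        return self.failed < self.limit

    def fail(self):
        self.failed += 1


def brute_force_pin(uid: bytes, wrapped: bytes, tag: bytes,
                    counter: AttemptCounter, digits: int = 4):
    """On-device guessing of a numeric PIN, subject to the counter.
    Returns (pin, attempts), or (None, attempts) once locked out for good."""
    counter.snapshot()
    attempts = 0
    for pin in ("".join(p) for p in itertools.product("0123456789", repeat=digits)):
        if not counter.allow():
            counter.restore()            # write the imaged counter back, if that works
            if not counter.allow():
                return None, attempts
        attempts += 1
        if unwrap_key(pin, uid, wrapped, tag) is not None:
            return pin, attempts
        counter.fail()
    return None, attempts


def offline_attack_from_flash_image(wrapped: bytes, tag: bytes, digits: int = 4):
    """Attacker has a perfect NAND image but not the UID. Every PIN is tried
    against a guessed UID; with a 256-bit UID this does not succeed."""
    guessed_uid = bytes(32)              # constructed: one of 2**256 possibilities
    for pin in ("".join(p) for p in itertools.product("0123456789", repeat=digits)):
        if unwrap_key(pin, guessed_uid, wrapped, tag) is not None:
            return pin
    return None


if __name__ == "__main__":
    w, t = wrap_key("0042", DEVICE_UID, DATA_KEY)
    print("NAND counter, restorable:", brute_force_pin(DEVICE_UID, w, t, AttemptCounter(10, True)))
    print("Enclave counter:        ", brute_force_pin(DEVICE_UID, w, t, AttemptCounter(10, False)))
    print("Flash image, no UID:    ", offline_attack_from_flash_image(w, t))
```

The two brute-force runs differ only in where the counter lives: with the restorable counter the search walks the whole PIN space ten guesses at a time, while the enclave-held counter stops it after the limit. A stronger alphanumeric passcode changes the `digits` search space from 10^4 to something no counter restore can help with, which is the point of the comment's advice to prefer a passcode over a fingerprint at the border.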


Yes, time for an updated model.

Back up and wipe your phone before you travel. There are several stories now of customs compelling you to unlock the phone before allowing you to leave.

https://www.theatlantic.com/technology/archive/2017/02/a-nas...


Will that help? There have been many stories (some posted on HN) of customs saying "unlock your phone or be detained indefinitely".


Unless you have to, leave your fancy device at home and bring a dumb(er) travel phone with you that only contains the information you need for that trip. And there's nothing stopping you from loading more information on it after you've made it through customs.


Have you heard "indefinitely" anywhere? I helped write both versions of the EFF border search guide and I don't think I've ever heard of "indefinitely", either as a threat or a reality.


What were the big changes? Beside the obvious changes in hardware components like different custom ARM SoC, different modem chip, added fingerprint sensor, etc. what are the software changes? I guess you use now fuzzing, static code analysis, semi-automatic proofing on some important kernel drivers. You mentioned boot chain... bootloader, RAM FS, etc. The iPhone OS started as a fork of OSX, which is based on NextStep with the interesting mix of BSD Unix with Mach. So from the OS perspective I guess it still largely resembles the same architecture that was laid out decades ago.


Check out the iOS Security Guide from Apple for such information: https://www.apple.com/business/docs/iOS_Security_Guide.pdf



This just made me realise that yes, 2008 was in fact almost 10 years ago...




I'm pretty sure they wouldn't want you to think about it at all.


I'm pretty sure that they stopped giving a rat's ass about what anyone thought a while ago.


It was a joke :)


Yes, it is an old exploit. This ArsTechnica article [1] has more on the timeline

[1] https://arstechnica.com/security/2017/03/new-wikileaks-dump-...


If you're interested in how iOS security works, Apple publishes white papers on the subject.

https://www.apple.com/business/docs/iOS_Security_Guide.pdf


The CIA exploits are important because most people never update anything. It doesn't matter if you have fixed the OS for the exploit if the fix is never installed.


Thankfully, Apple is pretty proactive about getting people on the latest version of the OS. IIRC, iOS 10 runs on over 80% of devices now.


People still have to actually run the update. Most non-tech types I know, never ever run software updates.


According to actual data rather than anecdote, iOS 10 is installed on ~80% of devices, and only 5% have something older than iOS 9.

https://developer.apple.com/support/app-store/


I am the 5%!


the hackable 5% :-)


Some people stay on old versions of stuff specifically for that reason. The wait for exploits that give the user root access to his own property can be excruciating!


Easier to hack 5%. The rest are probably hackable too (no secure software exists) just takes more effort.


We've solved this problem by adding emoji in each release


Apple phones nag you pretty hard to do updates, people do them just to get their phone to stop bugging them.


Wrong, when applied to Apple iOS updates.


Keep in mind, not everyone has the newest shiny iPhone7 in the world. The HN crowd probably is not representing the average iPhone user.


So, who is the average iPhone user? What percentage of iPhone users could the CIA docs exploit be applied to?


I think almost none is the answer seeing as this vulnerability only affects iPhone 3G users.


I know of three people who use iPhone 3G as their alternate phone when the other battery dies and/or international phone when traveling.

The phones don't just go away, they get passed down.


I wonder how old the leaked CIA docs are though. Are there any contextual clues that it's current?

Someone might have sat on a copy for years before leaking.

Edit: Quick scan shows there are some docs with dates in 2013, 2014, 2015. So at least some of it is fairly recent. No real way to tell, though, if it was all pulled at once, assembled over time, etc.


Apple fixed those particular exploits, yes.


If there were ever any doubt that Wikileaks is a bad actor, let this be the proof.

Regardless of the fact that this is a patched, nearly decade-old exploit, they're trying to make a scene rather than go through ethical channels.


Your assertion that full disclosure is unethical will require some substantiation for us to believe it.

I am wary of anyone who claims that giving me access to raw source material is not acting in my best interests.


We're supposed to take Apple's "nuh-uh" as the smoking gun disproving Wikileaks? That's quite a stretch.


CIA must have a bunch of embedded workers at Apple, Google, etc all adding subtle bugs that can later be used to hack the devices and services. I imagine other intelligence agencies must have them too. If they don't, then they're not doing their job.


> If they don't, then they're not doing their job

The CIA, which has limited domestic authority, compromising American companies' products is not only not their job, but also illegal.


How about every other intelligence agency in the world though? I'd be shocked if Chinese and Russian intelligence haven't infiltrated every major US tech company.


I'd be shocked if they'd all managed to embed agents in all of them. Intelligence agencies aren't all staffed only by super-competent elite agents as portrayed in films like the Bourne Identity.

Having said that, we do know for a fact that some US companies and research establishments have actually been penetrated by Chinese agents because some of them have been caught. The problem with taking advantage of such agents though is that they not only have to get a job, they also have to get access to whatever the agency is targeting. In a company like Apple with extremely tight internal security that could be pretty challenging.


During the Cold War, the KGB did much more seemingly far-fetched things to infiltrate the institutions of their adversaries. Infiltrating Western technology companies, who knowingly hire foreign nationals who are presumably loyal to their home nations, is easy pickings by comparison.


Getting agents in the ranks to do some corporate espionage is one thing, and I'm sure that's happened as well; in fact, I'm sure that there are relatively small companies who regularly do this (probably by setting up a contracting relationship; it's possible some of the company's employees are unwittingly participating in such schemes).

Getting listening devices installed/activated on every device is a whole 'nother ball park. To the extent that foreign intel services are doing this, my belief would be that it's only by infiltrating so deep that they learn the secrets of how to activate and utilize the monitoring agents installed for American intel services. That's not outside the realm of possibility, but I wouldn't call other nation-states incompetent for not yet having done so.

There is also reverse-engineering, which seems like the more plausible scenario through which foreign intel services would gain access to embedded spy hardware. They just send a device back to their labs for serious reverse-engineering and learn the secrets from that.


>Getting listening devices installed/activated on every device is a whole 'nother ball park.

It's not that hard really. Anyone who's worked on a large codebase knows how easy it would be for someone to slip in a vulnerability that looks like a simple coding mistake. There's even a contest for producing such code: http://www.underhanded-c.org/

Keep in mind that Western tech companies knowingly hire tons of foreign nationals who are presumably loyal to their home nations (as is natural), and a large portion of whom have their entire families still living there too.

(Which is not to say that they shouldn't hire foreigners. There are similarly bad incentives for domestic nationals as well, who can make hundreds of thousands of dollars per exploit on the grey market. The problem is that the engineering processes and standards for software are nowhere near as robust as they need to be considering the ubiquitous access to and control of our society that technology has.)


You've said the loyal thing twice now. Being loyal to your country is not the same as being disloyal to your company; it's also quite insulting to suggest that I'd betray my employer just because I'm a foreigner.

Edited to take out insult.


Many, if not most, people would put their nation before their employer if said employer is primarily an asset of an adversary nation. I don't think that's wrong or insulting. It's also not meant to be accusatory. I hesitated to write because I figured someone would get their feathers ruffled, but it's just realistic. Tech companies, the software and devices they create, and the data they have, are of national security significance. We should shape our threat models as such.


If they have done everything legal, would wikileaks exist?


> If they have done everything legal [sic]

I never said the CIA always conducts itself legally. My point was that "their job" is defined by the law. CIA agents infiltrating American manufacturers to break their products, even if intended for foreign customers, is illegal and thus not "their job".

> would wikileaks exist

If I understand correctly, you're saying Wikileaks' existence is proof of the CIA's impropriety? That assumes anything secret is illegal. Not true. Classified information is legal [1].

[1] https://en.wikipedia.org/wiki/Classified_information_in_the_...


Yes. An intelligence agency can operate lawfully (and with a higher ethical standard than any other intelligence agency), and still have enemies who intend to expose secrets.


Yes, because people love reading about secret stuff regardless of legality.


> Based on our initial analysis, the alleged iPhone vulnerability affected iPhone 3G only and was fixed in 2009 when iPhone 3GS was released.

"fixed" probably isn't the right word.


what is?


This is the same Apple that has maintained on their website that their OS is "secure by design" and no additional security steps are needed.

See http://cc.bingj.com/cache.aspx?q=%22secure+by+design%22+site...


It is



