Apple subpoenas Santander and US intelligence contractor on use of Corellium

66 points by willstrafach 5 years ago | 20 comments
  • lolc 5 years ago
    A lot of interesting stuff may become public from this.

    1. Is Apple scared that backdoors will be found in iOS? It's much easier to find them in a virtual environment.

    2. As the article mentions, there may be zero-days for iOS developed by Corellium. It would be great to know the extent of this.

    3. We might learn more about current phone cracking capabilities in general. That may open a few eyes, including mine.

    I'm currently just very happy to have learned that people are poking at Apple's walled garden. Watching from the sidelines, I will appreciate any and all punches in this conflict. When secretive organizations battle in court, collateral exposure may happen :-)

    • NotSammyHagar 5 years ago
      It should be guaranteed at this point that there are zero days in both main cellphone platforms, apparently an endless number. They keep coming out, there is so much value in them commercially.

      I want to push a view and wish it was more widespread in the software world that finding zero days and not reporting them responsibly (like time to fix by the vendor before publication) is unacceptable. The second part of this view is that it is immoral to work at a company where you find zero days and exploit them. Working at the companies that find these and end up selling them to dictatorial regimes, secret police, as well as to the Harvey Weinstein's of the world is wrong. As a software engineer in a western country I'm fortunate to have some choice in my employers, as many of us do. My choices have some reflection on my character - and like everyone else, I'm hardly perfect myself.

      There are legal and illegal activities, and companies hide behind "we only sell to countries where it's legal". It's still immoral and wrong, and I don't want to work with immoral developers. Doing this kind of stuff is not the ultimate scarlet letter - but if you are working this field, please consider the impact of your actions.

      • _bxg1 5 years ago
        Is this really a minority view? I got the sense that most people in tech feel this way
      • threeseed 5 years ago
        You seem to have a very flippant attitude on this.

        Backdoors in Android and iOS cost lives. There are many governments who today kidnap, torture and kill citizens and even non-citizens based on compromised phones, e.g. Jamal Khashoggi.

        And to have companies like Corellium enabling and profiting from this is utterly reprehensible. They aren't altruistic or making the world safer or being selective in who they sell their technology to. They are simply the modern day equivalent of a shady arms dealer.

        • _bxg1 5 years ago
          I wouldn't lump Corellium in with the companies that hoard and sell actual vulnerabilities. Tools that allow people to find them go both ways: they can equally be used to exploit and to harden a system. It's unclear which direction Corellium favored, if either, but there's at least the potential that it could be used for good.

          What Apple needs to do, IMO, is release their own version of this for free and set up a well-funded bug bounty program (lord knows they have the cash). When you have to buy the tool from a third-party, it seems like wealthy bad actors will be more likely to do so than people with good intents.

          • lolc 5 years ago
            I'm not in the mood to go around preaching about the scum that is zeroday factories. Or the questionable ethics of selling opaque phones. I'm just happy the conflict has reached the court system which may shine a light on these practices. What would victims of state persecution gain from me not being happy about this? Why bring them into the discussion?
            • kick 5 years ago
              Security by obscurity is no security at all, because any repressive government will already be shining a flashlight at it to try and find anything they can. Making it faster for security researchers to find vulnerabilities means that there are fewer people vulnerable.
              • threeseed 5 years ago
                I am not advocating against this sort of technology at all.

                I am against it being a product sold exclusively and secretly to enterprises and governments. The sort of entities who are not informing Apple and Google about vulnerabilities but instead using them for unethical and criminal means.

                • zepto 5 years ago
                  That depends on who the researchers are working for.
              • Wowfunhappy 5 years ago
                One of your points restated with a small tweak:

                > Is Apple scared that vulnerabilities will be found in iOS? It's much easier to find them in a virtual environment.

                And this is exactly why I really hope Apple loses—if they win, it could have a chilling effect for years to come. We want it to be as easy as possible for security researchers to find vulnerabilities so they can be fixed.

                iOS is the worst offender of this because it’s so incredibly locked down. Where are those special iPhones for security researchers? Checkm8 helps, although it can’t be used to inspect devices newer than the iPhone X.

              • roseway4 5 years ago
                > In his own words, as filed with the court, Federighi said: “On Saturday February 8, 2020, a process server was outside of my home. He came to my front door and attempted to serve a subpoena to me, but my wife turned him away.”

                That's not harassment. It's due process.

                • Keverw 5 years ago
                  Wonder if it's normal to serve people at their homes instead of at the office? But sounds pretty standard stuff otherwise if you have to serve them.
                • exabrial 5 years ago
                  Apple is just mad someone is doing virtualization, a technology they refuse to embrace.
                  • sigjuice 5 years ago
                    Apple does virtualization. They include a hypervisor in macOS. https://developer.apple.com/documentation/hypervisor
                    • colejohnson66 5 years ago
                      While they may not embrace virtualization, they certainly don’t stop people from doing it. If they wanted to, they could disable the Intel VMX instructions, but VM programs on macOS clearly show that they don’t.

                      As for Hackintoshes, that's just because Apple doesn't have a financial incentive to write drivers for hardware that isn't their own; they make money from the hardware, not software (macOS is actually free and has been for a few years). You're free to buy compatible hardware or write your own drivers. In fact, many do write drivers for incompatible hardware; that's how the Hackintosh hardware selection grows.

                      • jayd16 5 years ago
                        The EULA states you're only allowed to run two OSX VMs on a machine already running OSX or to install OSX on Apple hardware.

                        It does not grant permission to install on custom hardware.

                        If you can show me how I can legally run a virtualized OSX build farm please please tell me how.

                        https://images.apple.com/legal/sla/docs/macosx107.pdf

                        • youngtaff 5 years ago
                          Installing Apple's OS on non-Apple hardware is at most a breach of contract, which is very different from being illegal.
                          • colejohnson66 5 years ago
                            I never said it was legal or illegal; I said that they don’t stop people from doing it. For example, they don’t go: “oh, this is a Hackintosh? I’ll wipe your efivars so your computer won’t boot.”
                          • Flockster 5 years ago
                            You seem to be talking about macOS. The Corellium case is about virtual iOS instances.