British law enforcement exploits flaw in iTunes to spy

Published 30 November 2011

British law enforcement agencies and Apple are coming under sharp criticism after it was discovered that authorities exploited a security flaw in iTunes to spy on individuals

U.K. law enforcement used Gamma Software's FinFisher as a spy tool // Source: finfisher.com

Gamma International, a British company, marketed hacking software to governments that infiltrated a targeted computer by using a fake update on Apple’s popular music player, which is installed on more than 250 million computers around the world. The software, dubbed “FinFisher,” allows authorities to remotely monitor a computer. According to the company’s website, its software can be “used to access target systems giving full access to stored information with the ability to take control of the target systems functions to the point of capturing encrypted data and communications.”

The software is known to be used by British law enforcement agencies, and earlier this year records discovered in abandoned offices indicated that it had also been marketed to Egypt’s secret police.

Brian Krebs, a prominent cybersecurity blogger and a former Washington Post reporter, wrote in a blog post that Apple had initially been informed of the flaw in 2008 but waited more than three years to patch it.

“A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet the company waited more than 1,200 days to fix the flaw,” he said. “The disclosure raises questions about whether and when Apple knew about the Trojan offering, and its timing in choosing to sew up the security hole in this ubiquitous software title.”

According to Krebs, Apple generally fixes security flaws within ninety-one days of their disclosure.

Francisco Amato, the cybersecurity researcher who first discovered the flaw and alerted Apple, said the company may simply have been lazy about patching the problem.

“Maybe they forgot about it, or it was just on the bottom of their to-do list,” Amato said.

In contrast, Mikko Hypponen, the chief research officer for F-Secure, a Finnish security firm, said, “It is an unusually long time to patch anything, so it doesn’t make much sense.”

Responding to reports that FinFisher exploited a problem in iTunes, Apple said that it works “to find and fix any issues that could compromise systems.”

“The security and privacy of our users is extremely important,” a spokeswoman for the company said.

To protect computers from harmful malware posing as legitimate updates, Krebs recommends “whenever possible, try to do your updating from a network that you trust and control. Otherwise, you may be placing far too much trust in the security of the update mechanisms built into the software you use.”
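The fake-update delivery described above and Krebs’s closing advice point at the same weakness: an updater that installs whatever arrives over the network. As an added example (not code from the article, from Apple or from Gamma), here is a small Go updater that only accepts an installer whose Ed25519 signature verifies under a public key pinned in the client, so a substituted installer is rejected no matter which network delivered it; the key pairs and installer bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what an updater receives over the network: the installer bytes
// plus a detached signature the vendor produced over their SHA-256 digest.
type Update struct {
	Payload   []byte
	Signature []byte
}

// ErrUntrustedUpdate is returned for any update whose signature does not
// verify under the pinned vendor key, whether the payload was tampered with
// or the whole thing was signed by someone else entirely.
var ErrUntrustedUpdate = errors.New("update rejected: signature does not verify against pinned vendor key")

// SignUpdate is the vendor's release step (constructed here for the demo).
func SignUpdate(vendorKey ed25519.PrivateKey, payload []byte) Update {
	digest := sha256.Sum256(payload)
	return Update{Payload: payload, Signature: ed25519.Sign(vendorKey, digest[:])}
}

// VerifyUpdate is the check the client runs before installing anything; the
// network the update came from plays no part in the decision.
func VerifyUpdate(pinned ed25519.PublicKey, u Update) error {
	digest := sha256.Sum256(u.Payload)
	if !ed25519.Verify(pinned, digest[:], u.Signature) {
		return ErrUntrustedUpdate
	}
	return nil
}

func main() {
	// Vendor key pair; the public half is what ships pinned inside the client.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := SignUpdate(vendorPriv, []byte("installer bytes (constructed)"))
	fmt.Println("genuine update:", VerifyUpdate(vendorPub, genuine)) // <nil>

	// An on-path party substitutes its own installer, signed with its own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignUpdate(attackerPriv, []byte("substituted installer (constructed)"))
	fmt.Println("forged update:", VerifyUpdate(vendorPub, forged)) // rejected
}
```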