Could iTunes Be Used To Spy On You?

British firm Gamma International was found hawking spyware to foreign intelligence services, spyware that was installed on users' computers via an iTunes security hole. The hole has since been fixed, but documents indicate that the exploit was used to snoop on the email, Skype, and social media activities of users worldwide.

Democracy and free speech activists worldwide have something new to worry about: cyberwarfare via iTunes. A reporter for a German magazine caught a British security firm boasting about how it can use Apple's megapopular software to infect target computers with malware on behalf of foreign governments. At a booth this past September at Germany's Cyber Warfare Europe conference, representatives from Gamma International UK showed how their FinFisher product could insert spyware via iTunes at the request of intelligence, security, and police agencies worldwide.

The spyware takes advantage of an unencrypted HTTP request that iTunes issues when Apple Software Update is not running. Because the request travels in the clear and nothing authenticates the reply, an attacker positioned on the network path (an ISP or a state-controlled network, for instance) can answer it with content of their choosing. In the scenario Gamma demonstrated, the user's web browser was redirected to a customized web page that claimed Flash was not installed on the user's computer. The "Flash" that the web page offered to install was in reality a sophisticated piece of spyware that sent information on the user's activities directly to the foreign intelligence service that had bought it.
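The weakness described above is a general one: an updater that fetches unauthenticated content over plain HTTP lets anyone on the network path hand it a substitute. The following Python is an added illustration of that failure mode and its fix, not iTunes, Apple or FinFisher code. It models the network as a function the updater calls, shows the vulnerable pattern (plain HTTP, trust whatever comes back) beside a hardened one (HTTPS plus a signature over the update manifest, and a refusal to download over plain HTTP). The hostnames, manifests and keys are constructed for the demo; HMAC-SHA256 with a shared key stands in for the asymmetric signature a real vendor would use, so that the example needs only the standard library.

```python
"""Insecure update channel vs. authenticated one (illustrative, stdlib only)."""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed sample data. A real updater verifies a vendor signature with a
# public key shipped inside the application; HMAC-SHA256 is a stand-in here.
VENDOR_KEY = b"vendor-signing-key-demo-only"          # assumption: demo key
LEGIT_URL = "https://updates.example.com/itunes-10.5.1.dmg"
EVIL_URL = "http://attacker.example.net/flash_update.exe"
LEGIT_MANIFEST = json.dumps({"version": "10.5.1", "url": LEGIT_URL})
INJECTED_MANIFEST = json.dumps({"version": "10.5.2", "url": EVIL_URL})


def sign(body: str, key: bytes) -> str:
    """Signature stand-in: keyed hash over the manifest bytes."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


# What the vendor's server really serves (indexed by URL path).
HONEST_SERVER = {
    "/manifest.json": LEGIT_MANIFEST,
    "/manifest.sig": sign(LEGIT_MANIFEST, VENDOR_KEY),
}


def honest_fetch(url: str) -> str:
    """Network with nobody interfering."""
    return HONEST_SERVER[urlparse(url).path]


def mitm_fetch(url: str) -> str:
    """Attacker on the network path. Plain-HTTP replies are rewritten at
    will; HTTPS is modelled as tamper-proof because the client validates
    the server certificate. The attacker does not hold VENDOR_KEY."""
    if urlparse(url).scheme == "http":
        if url.endswith("manifest.json"):
            return INJECTED_MANIFEST
        if url.endswith("manifest.sig"):
            return sign(INJECTED_MANIFEST, b"attacker-key")
    return honest_fetch(url)


def tampered_https_fetch(url: str) -> str:
    """Worst case: TLS itself is defeated (rogue CA, user clicked through a
    certificate warning). Every reply is attacker-controlled."""
    if url.endswith("manifest.json"):
        return INJECTED_MANIFEST
    return sign(INJECTED_MANIFEST, b"attacker-key")


def insecure_update_url(fetch) -> str:
    """Vulnerable pattern: unencrypted request, unauthenticated response."""
    body = fetch("http://updates.example.com/manifest.json")
    return json.loads(body)["url"]


def hardened_update_url(fetch) -> str:
    """Hardened pattern: TLS for the channel, a signature on the manifest
    so a defeated channel still cannot feed us a forged update, and no
    plain-HTTP download URLs even if the manifest says so."""
    base = "https://updates.example.com"
    body = fetch(base + "/manifest.json")
    sig = fetch(base + "/manifest.sig")
    if not hmac.compare_digest(sig, sign(body, VENDOR_KEY)):
        raise ValueError("update manifest failed signature check")
    url = json.loads(body)["url"]
    if urlparse(url).scheme != "https":
        raise ValueError("refusing to download an update over plain HTTP")
    return url


if __name__ == "__main__":
    print("insecure, clean network :", insecure_update_url(honest_fetch))
    print("insecure, MITM network  :", insecure_update_url(mitm_fetch))
    print("hardened, MITM network  :", hardened_update_url(mitm_fetch))
    try:
        hardened_update_url(tampered_https_fetch)
    except ValueError as err:
        print("hardened, TLS defeated  : rejected,", err)
```

Run against the constructed MITM, the insecure updater hands back the attacker's "Flash update" while the hardened one still returns the vendor's file; with TLS itself defeated, the signature check is what stops the forged manifest. The two layers are deliberately independent, which is the property an updater wants when one of them fails.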

The latest iTunes software update, 10.5.1, was released on Monday, November 14, and appears to close the hole FinFisher used. Apple's launch of 10.5.1 roughly coincided with both the Der Spiegel article and the Wall Street Journal's release of a massive cache of documents on widespread Internet surveillance, which includes detailed information on FinFisher and similar products. Most of the documents obtained by the Journal were distributed this past October at ISSWorld Americas, a Washington trade show that promises "intelligence support systems for lawful interception, criminal investigations and intelligence gathering." It is not known whether the timing of the iTunes software update was intentional. (An emailed request for comment prompted an automatic response from Apple stating the office was closed for the holiday.)

News of the iTunes exploit was broken by Der Spiegel's Marcel Rosenbach, who wrote a German-language report on Gamma's product. Rosenbach openly compared the surveillance methods offered by FinFisher and Gamma International to those used by cybercriminals. Once FinFisher's trojan horse software took advantage of the iTunes security hole and tricked users into installing spyware, outside observers would be able to monitor Skype conversations, even encrypted ones (the spyware runs on the endpoint, so it sees the conversation before encryption is applied), and to monitor all text and image web traffic, including both Twitter and Facebook.

Gamma's products also surfaced during the recent Egyptian revolution that ousted President Hosni Mubarak. Human rights protesters found documents connecting Gamma to the feared Mubarak-era State Security Investigations (SSI) service. A cache of invoices and brochures posted by Cairo blogger and physician Mostafa Hussein to the Posterous microblogging service revealed that Gamma offered to sell more than $375,000 in software, hardware, installation, and training services to the SSI (which was accused of routine torture of prisoners by the United Nations). Accompanying documents, written in Arabic, showed how FinFisher and sister software FinSpy could be used to snoop on the email, Facebook, and Skype accounts of dissidents. The documents were obtained during a raid on the SSI headquarters by a large posse of regime opponents.

It is unknown whether Egyptian state security ever purchased Gamma's products; the SSI was dissolved following the Egyptian revolution. According to Der Spiegel, attendees from the governments of Malaysia, Indonesia, and the United Arab Emirates were on the Cyber Warfare Europe participants list. Speakers at the conference included officials from the United States military, NATO, and the British Defence Ministry.

[Top Image: Flickr user: fawksy, Middle Image: Gamma International UK, Bottom Image: moftasa.posterous.com]

For more stories like this, follow @fastcompany on Twitter. Email Neal Ungerleider, the author of this article, here or find him on Twitter and Google+.

4 Comments

  • Chris Reich

    iTunes, Facebook and other wildly popular online programs have the potential to be serious security concerns. I worry more about Facebook these days as it feels like it traces my every move.

    When I search Amazon for a camera, why does Facebook jam camera ads onto my screen unless it 'knows' where I've been? I don't like it.

    I thought there would be regulations in place once the lawmakers understood a bit about bytes. Technology still has an insanely upper hand against the consumer. Software licenses are ridiculously stringent and online security has more holes than Swiss cheese. Put some liability exposure on these companies and you'd see security greatly improve. At least we should be as far along as protecting the consumer from intentional theft of private information or negligence to provide reasonable security when using a service.

    Chris Reich
    www.TeachU.com

  • Bob Jacobson

    Thanks, Apple, for saying not a word. This is the dark side of the Jobsian legacy, Apple's tight-lipped foolishness combined with software bravado that leaves Apple users cocky, ignorant, and vulnerable to exploits. I am loading up on every third-party security package I can because it's become obvious that we can't depend on Apple to reliably warn us users of our peril, especially now that it's the industry leader.

  • Sandra Jones

    This is scary. MNCs creating mega-popular software must make sure to create one that's safe from hackers. This is alarming for ordinary customers like us. While Apple must have faced a lot of heat, other companies might find themselves in a social media PR nightmare.