Timing of SSL bug fuels conspiracy theories about Apple and the NSA

By , Feb 24, 2014

ios 7-0-6

By now you’ve probably already heard about the SSL bug that was discovered in iOS and OS X. Apple pushed an iOS update out on Friday to fix it, and it didn’t sound like a big deal at the time, but we have since learned that it is an extremely serious security flaw.

The flaw leaves Apple devices open to what’s called a man-in-the-middle attack, in where a malicious program poses as a trusted website to intercept communications or inject malware. And its existence has fueled conspiracy theories about Apple and the NSA…

prism-slide-5

John Gruber of Daring Fireball pointed to some interesting tweets and posts this weekend, and started connecting the dots between the recently-discovered SSL bug and Apple’s rumored involvement with the NSA. It’s way out there, so please grab your tinfoil hats.

As John points out, iOS 6 was released in late September 2012. Interestingly enough, a slide leaked by Edward Snowden last summer said Apple joined the NSA’s PRISM program right around that time. Coincidence? Maybe. But he goes on to postulate the implications:

“Sure would be interesting to know who added that spurious line of code to the file. Conspiratorially, one could suppose the NSA planted the bug, through an employee mole, perhaps. Innocuously, the Occam’s Razor explanation would be that this was an inadvertent error on the part of an Apple engineer. [...]

Once the bug was in place, the NSA wouldn’t even have needed to find the bug by manually reading the source code. All they would need are automated tests using spoofed certificates that they run against each new release of every OS. Apple releases iOS, the NSA’s automated spoofed certificate testing finds the vulnerability, and boom, Apple gets “added” to PRISM.”

Again, all of this is circumstantial and speculative, and Apple has come out numerous times vehemently denying its involvement in any NSA program. But the timing is rather odd, and it makes you wonder how such a serious bug went undiscovered for over a year.

In the end, the important thing is that the vulnerability has been discovered and patched. If you’re on iOS, you can grab the fix in iOS 7.0.6 here, or download this manual fix if you don’t want to update, and Apple says that it’s currently working on a fix for OS X users.

So, do you think there’s any truth to this Apple-NSA stuff? Or is it all an empty conspiracy theory?

  • Share:
  • Follow:
  • hnam311901

    What if the patch is just for opening the hole for the first time?

    • sadaN

      That was the first thing I thought of when I read the article’s title, but I’m sure 7.0.6 has been thoroughly looked at by specialists, like the one who affirmed the vulnerability was not present in versions pre-6.0.

  • http://GitHub.com/cc941201 CC-Dog

    If it’s a conspiracy, I’m sure they can do it better instead of disabling almost the entire SSL library. Even opening source on their website.

  • jack

    Not a coincidence

    • Xee

      I agree, the timing and the politics between NSA/US Government and Apple and the public backlash post Edward Snowden.

      Makes it look like Apple and most others were complicit with with NSA and forced to do so. But now that ground has shifted, Apple are giving the NSA two fingers.

  • jack

    Couldn’t someone use a router sniffer to see if the affected iPhone is communicating with NSA?

    • Chris

      Your device at no point would communicate with the NSA’s network, they intercept network traffic without being detected

      • jack

        Shit

  • hkgsulphate

    why
    all of a sudden they patched this

    • Rowan09

      Maybe they just found out about it. I never seen anything on the web pointing to this bug, it’s only when Apple released a fix it was being mentioned.

  • Chris

    The conspiracies about the NSA started long before iOS 6 and Mac OS X 10.9 were released, this is simply another rumor with no evidence behind it.

  • http://www.facebook.com/ramos96 Evaristo Ramos, Jr.

    Don’t worry we have a better one in place :)

  • Cool

    i think it’s a coincidence.

  • Lagax

    No conspiracy! And what does ‘timing’ mean here? This NSA-Affair was in talks 6 months right now, so no, logically not.

  • mav3rick

    Very strange basic coding bug in the “most advanced mobile OS”: indexed goto line but not bound to the if statement…

  • George Newell

    But what code has since been added that we don’t yet know anything about???

  • Barcelonian

    just install SSLPatch by Ryan Petrich.

  • M_thoroughbred

    I think that this is just a coincidence. If Apple was working with the NSA I think it would be better implemented then this. At least I would hope. This left the devices open for attack by anyone not just the NSA.

  • http://facebook.com/theactivepatriot Franz Schneider

    The “conspiracy theory” argument has been blown out of the water on so many topics already, I view anyone still trying to use that argument as reputation-suicidal. To use it is to join a losing argument. To think for one’s self on every topic and do your own research is the way you win. Of course any free thinker these days will automatically be called a conspiracy theorist by the likes of CNN, MSNBC, and those who stick their head in the television for their so-called, “news.”

    Now, as for the question, you answered it yourself. You have the NSA slide included in your post above. So, shall we go outside and look at a clear, blue sky and ask, “is it a conspiracy theory that the sky is blue?” Or do we stand in front of the White House and ask, “is it a conspiracy theory that the White House is white?”

    Why not ask more useful questions like:

    “Now that it is beyond a shadow of a doubt that Apple is in bed with the NSA and that your data is not secure with Apple, where does this last iOS update fall in line?”

    or

    “Since government spying has bee exposed for over a decade by Wayne Madsen, Infowars, and the like and now the PRISM program by Edward Snowden, how is the iOS update, if at all, related to the NSA? How much easier is this iOS update making data access and collection for the NSA?”

    We’ve had it with the “conspiracy theory” argument. It’s all proven. It’s all on record. There is no question that the NSA spies on millions of Americans and that Apple is a key in that exploitation. People are hungry for truth, reality, and cutting the crap.

  • Sleetui

    Will a patch on Cydia be available for iOS 6 users later on?

  • fake like fake

    I don’t know what to believe anymore.

  • fake like fake

    Don’t expect any kind of privacy while using PROPRIETARY SOFTWARE.
    I don’t see this happening on LINUX.

  • Amr

    Look what I saw this morning lol…