It Took Apple 3 Years To Fix An iTunes Flaw That Allowed Government & Police To Spy On You

Thanks to the success of Apple’s iOS devices and its iTunes music store, the company’s iTunes software is installed on more than 250 million Macs and PCs all over the world, making it one of the most popular media players available. It may not have been so popular, however, had users known it came with a security flaw that allowed government intelligence agencies and the police to monitor them.

A British company called Gamma International previously marketed a piece of software to governments, called FinFisher. The software took advantage of the iTunes exploit and allowed those with the software to spy on those who used the software.

What’s most worrying about this is that Apple allegedly found out about the flaw in 2008, according to Brian Krebs, a security writer. But the company did nothing about it until earlier this month when it released iTunes 10.5.1 — leaving the exploit open for over three years.

Krebs revealed in a blog post:

A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet the company waited more than 1,200 days to fix the flaw.

The disclosure raises questions about whether and when Apple knew about the Trojan offering, and its timing in choosing to sew up the security hole in this ubiquitous software title.

Krebs reports that on average, it takes Apple just 91 days to fix security flaws in its software once they are discovered.

“Maybe they forgot about it, or it was just on the bottom of their to-do list,” said Francisco Amato, the Argentinian security researcher who alerted Apple to the issue.

However, Apple maintains it takes security issues seriously. In a response to claims that the FinFisher software targeted iTunes users, the company said it works “to find and fix any issue that could compromise systems,” and that “the security and privacy of our users is extremely important.”

Gamma International, a company which specializes in selling computer hacking services to governments, has chosen not to comment on the matter.

  • CharliK

    Another asshat hyperbolic hit foddering headline. 

    No one could spy on you using iTunes. They had to have this other software. Which had to be installed on someone’s computer before the government could see anything. So either they had to get a warrant to sneak into someone’s house and put the software on or find a way to send someone a bogus “there’s an iTunes update” message to make them get the software and install it thinking it was part of iTunes.

    So was the security flaw really in iTunes or in the users? 

    And can you prove that it took 3 years and that Apple just sat around and wasn’t actually working on the issue the whole time? 

  • djrobsd

    Apple Fanboy go away.  You are completely clueless and actually need to google before posting in this forum.  Below is what I got by googling, MUCH more information than CultofMac is sharing with us:

    http://krebsonsecurity.com/201

    1.  They do NOT need physical access to your computer.
    2.  They exploit you by gaining access to a Wi-Fi network that you are also using and then push a fake update to your iTunes

    So basically, almost everyone who uses a computer today, at some point when traveling or moving about is going to take their computer to a hotel, a coffee shop, or somewhere with a shared network.  All these government agencies have to do is get on that network the same way you do, and pump the update out, and the minute your computer sees the update, it will ask you to download it.

    The moral of this story, is ONLY update your computer programs like iTunes when you are at home on your own trusted network.  And make sure of course that your home network is locked down.

  • GazaIan

    Your comment is flawed. First, there is no need for a bogus iTunes update message (which would require an exploit to even show such a message through ASU or in iTunes), and there were no ninjas sneaking into people’s homes. The bug was in iTunes, and Apple left it open for 3 years. The bug was left wide open, and another program was written to take advantage of the bug. The target computer only needed iTunes, nothing else.

    And Apple pushes out fixes for jailbreak bugs really quickly, why can’t the same be done here? Apple ignored the bug.

  • JDWages

    Here we go again with the security stuff.  Let’s break out our X-files videos and work ourselves up into a frenzy.

    These after-the-fact stories don’t really encourage Apple to take security more seriously in the future, nor do the journalists write them for that reason either (they only care about the number of people who read their stories and click on ADs).  If anything, stories like this merely tarnish Apple in the eyes of many readers, and all the while our governments continue to trample on individual freedoms under the guise of protecting our security and freedoms.

    I say stop harping on Apple with these petty and insignificant stories and instead do an Operation Clean Sweep on incumbent Liberals and Conservatives presently in office.

    And oh yes, Ron Paul for President.  :-)

  • Spike Ennis

    OK, so with this terrible horrible no good very bad bug,,,,, how many people were infected?  ……  6,……..15……..100?   And what did they get to do, send Apple users billions of unwanted ads???   

    Or was it pretty much a bug that was not used. ???

    Just wondering.

  • CharliK

    Supposedly this bug could be used by companies or the government to gain total access to your system without your knowledge. 

    However despite what GazaIan says, according to numerous reports, secondary software had to be installed to do so. This ‘flaw’ in iTunes wasn’t enough for people to see or control the contents of your computer. In fact the flaw was actually in the way that iTunes checks and downloads updates, which enabled folks to use it as a trojan horse to trick you into installing the surveillance software. 
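The point made in this comment and in djrobsd’s post above, that the weakness lay in an update check which trusted whatever the network served, is easiest to see next to a client that does not. The following is an added example written for this page in Go; it is not Apple’s, Krebs’ or Cult of Mac’s code and does not describe how iTunes’ updater actually worked. It shows a client that accepts an update manifest only when it carries a valid Ed25519 signature from a vendor key pinned in the binary, then checks the downloaded installer against the digest inside that signed manifest. The manifest format, URLs, the key pair (generated in-process for the demo; a real client would ship only the public key) and the installer bytes are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest is the update metadata a client fetches before downloading an
// installer. Hypothetical format for this example, not iTunes' own.
type Manifest struct {
	Version string
	URL     string
	SHA256  string // hex SHA-256 of the installer bytes
}

// canonical gives the exact bytes that are signed and verified, so that
// any edit to the version, URL or digest invalidates the signature.
func (m Manifest) canonical() []byte {
	return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256 + "\n")
}

// SignManifest is the vendor side: run on the build server, never shipped
// to the client.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

var (
	ErrBadSignature = errors.New("manifest signature invalid: refusing update")
	ErrBadDigest    = errors.New("installer digest mismatch: refusing update")
)

// VerifyUpdate is the client side. vendorKey is pinned in the binary;
// m and sig arrive over the (possibly hostile) network; installer is
// whatever was downloaded from m.URL. An on-path attacker who can rewrite
// the manifest or swap the download cannot produce a valid signature
// for their own metadata without the vendor's private key.
func VerifyUpdate(vendorKey ed25519.PublicKey, m Manifest, sig []byte, installer []byte) error {
	if !ed25519.Verify(vendorKey, m.canonical(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(installer)
	if !strings.EqualFold(hex.EncodeToString(sum[:]), m.SHA256) {
		return ErrBadDigest
	}
	return nil
}

// demo builds a legitimately signed manifest, then shows what the client
// returns for the genuine update and for two tampering attempts.
func demo() (legit, rewrittenManifest, swappedInstaller error) {
	// Constructed for the demo: a real client embeds only pub.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed sample installer bytes 10.5.1")
	sum := sha256.Sum256(installer)
	m := Manifest{
		Version: "10.5.1",
		URL:     "https://updates.example.com/installer.pkg", // placeholder URL
		SHA256:  hex.EncodeToString(sum[:]),
	}
	sig := SignManifest(priv, m)

	// Genuine manifest, genuine download: accepted.
	legit = VerifyUpdate(pub, m, sig, installer)

	// Attacker rewrites the manifest to point at their own file, with a
	// digest that matches it; the signature no longer verifies.
	trojan := []byte("constructed trojanised installer")
	tsum := sha256.Sum256(trojan)
	evil := m
	evil.URL = "http://attacker.invalid/trojan.pkg" // placeholder URL
	evil.SHA256 = hex.EncodeToString(tsum[:])
	rewrittenManifest = VerifyUpdate(pub, evil, sig, trojan)

	// Attacker leaves the signed manifest alone but serves a different
	// file from the download URL; the digest check catches it.
	swappedInstaller = VerifyUpdate(pub, m, sig, trojan)
	return
}

func main() {
	legit, rewritten, swapped := demo()
	fmt.Println("genuine update:      ", legit)
	fmt.Println("rewritten manifest:  ", rewritten)
	fmt.Println("swapped installer:   ", swapped)
}
```

The design choice worth noting is that the digest alone is not enough: a digest fetched over the same untrusted channel can be replaced along with the file it describes, so the digest only has value because it sits inside metadata the client can authenticate against a key it already holds. Whether the manifest travels over plain HTTP or a shared Wi-Fi network then stops mattering for integrity.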

  • Goldie20

    Well that would be comforting to know that Apple was working on a fix the entire time … and that it took them three ( 3 ) years to come up with a fix. Apple looks bad in either of your scenarios.

  • David Stewart

    Just to be clear, … what? “The software took advantage of the iTunes exploit and allowed those with the software to spy on those who used the software.” “Those with the software”–which software–”to spy on those who used the software”–which software? Using “the software” three times in one sentence that refers back to FinFisher and includes iTunes leaves one wondering which application is referenced by which mention of “the software.” 

    “The software took advantage of the iTunes exploit and allowed those with the software to spy on those who used the software” could mean:
    1. “[FinFisher] took advantage of the iTunes exploit and allowed those with the [FinFisher] to spy on those who used the [FinFisher].” Or:
    2. “ [FinFisher] took advantage of the iTunes exploit and allowed those with  [FinFisher] to spy on those who used the [iTunes].”

    Is it 1. or 2. that is meant? Or another?

    If it’s 1, then for crying out loud, who had FinFisher installed? It was sold to governments. Did any consumer, anyone outside government, install the software? If not, then this story is clearly a hysterical reaction.

    If it’s 2, then you have a story.

    But the ambiguity needs resolution before this can even be understood.

  • GazaIan

    Everyone who has used iTunes for the past 3 years, and has an Internet connection. And they got to watch what you were doing, grab files, they pretty much used your computer.

About the author

Killian Bell is a freelance writer based in the UK. He has an interest in all things tech, but most enjoys covering Apple, anything mobile, and gaming. You can follow him on Twitter via @killianbell, or through his website.


Posted in News, Top stories