Apple lawsuit scares security researchers away from Corellium emulator

Posted:
in General Discussion
Apple's lawsuit against cybersecurity firm Corellium is reportedly having a "chilling effect" on some types of iOS security research, according to several experts in the field.

Apple says that Corellium's emulator copies iOS in
Apple says that Corellium's emulator copies iOS in "exacting detail."


In August 2019, Apple levied a copyright lawsuit against security specialist Corellium, saying the company's iOS emulation software "copied everything" about the tech giant's mobile operating system.

Since then, Apple has escalated its legal fight with the Florida-based firm, subpoenaing records from Santander Bank and intelligence firm L3Harris Technologies about their use of Corellium's emulator.

The escalating legal dustup has created a "chilling effect" in the iPhone-focused security industry, one researcher told Motherboard. A handful of security researchers that the publication spoke to expressed fear of retribution from Apple for using the Corellium emulator software.

Some of those experts also claim that Apple's copyright lawsuit is less about intellectual property and more about retaining control over iOS security research and snarling the development of third-party iPhone hacking tools.

In several court filings, Apple maintains that the purpose of its lawsuit is "not to encumber good-faith security research," but to simply stop Corellium from commercializing its copyrighted works.

As part of its legal defense, Corellium said that its emulator product helps secure Apple devices by allowing researchers to find vulnerabilities in the company's platform.

"This litigation presents an existential threat to an open and healthy security research community not only for Apple products but for consumer devices in general," Corellium said in a statement sent by its lawyers.

The U.S. Justice Department recently asked that Apple's deposition of Corellium cofounder Chris Wade be delayed until it could review the evidence Apple's lawyers would present before they question him.

On Friday, Apple's counsel filed a motion opposing that order, stating that the government had provided "no compelling reason, much less any evidence," for the delay.

Comments

  • Reply 1 of 6
    red oakred oak Posts: 1,104member
    “iOS security research”

    What a crock of sh**.  Filled to the rim 
    pujones1watto_cobra
  • Reply 2 of 6
    BeatsBeats Posts: 3,073member
    Good. Steve would have killed these companies.

    "Apple says that Corellium's emulator copies iOS in "exacting detail."

    Android 2.0
    red oakwatto_cobra
  • Reply 3 of 6
    DAalsethDAalseth Posts: 2,979member
    “iOS Security Researchers” should read “Black Hat Hackers”.

    watto_cobra
  • Reply 4 of 6
    tjwolftjwolf Posts: 424member
    "...security specialist Corellium" - really?  What type of security research does Corellium itself pursue?  AFAIK, they simply sell iOS in a VM to any takers.  Is that a misunderstanding?
    watto_cobra
  • Reply 5 of 6
    GabyGaby Posts: 194member
    I find it very suspicious that the US government is involving itself in this case and am curious what their reasoning will be when they inevitably have to answer this very question. My guess is that various espionage agencies have approached or are actively working with correllium regarding "security research" on defeating Apple devices. God only knows what other nefarious things are going on behind closed doors, but it's all very suss. 

    As for the excerpt from Corellium's statement - "This litigation presents an existential threat to an open and healthy security research community not only for Apple products but for consumer devices in general"- anyone with half a brain would call serious bullshit. How does it present a threat to open and healthy research in general? When iOS is not open source code, and functions only on purpose built first party hardware. Designed by and for Apple. Which renders that argument moot. And it's not like the case will set any sort of precedent so if that's the best their legal counsel can muster they should be sacked. Moreover justifiable and honest security research can be done the same way it has always been done up to now, so its not like Corellium offers anything that we are at a disadvantage without. It simply makes life easier for black hats and sketchy individuals to hack iOS and monetise their "work" The simple fact is this iOS is Apple IP. And when you work with anything closed source like this or with anything in fact owned by someone else you accept their terms beforehand. App developers have to accept a user/dev agreement prior to any work and Apple is very exacting in what they do and do not allow. The same applies here. Whether you agree or not with their rules or you think they assert too much control is besides the point. If you don't like it, simple; go elsewhere. But you cannot then complain because the loophole you thought you found gets you into trouble. More and more I find people today to be extraordinarily entitled. It is a very unpleasant trait.
    edited May 2020 watto_cobra
  • Reply 6 of 6
    hammeroftruthhammeroftruth Posts: 1,349member
    Gaby said:
    I find it very suspicious that the US government is involving itself in this case and am curious what their reasoning will be when they inevitably have to answer this very question. My guess is that various espionage agencies have approached or are actively working with correllium regarding "security research" on defeating Apple devices. God only knows what other nefarious things are going on behind closed doors, but it's all very suss. 

    As for the excerpt from Corellium's statement - "This litigation presents an existential threat to an open and healthy security research community not only for Apple products but for consumer devices in general"- anyone with half a brain would call serious bullshit. How does it present a threat to open and healthy research in general? When iOS is not open source code, and functions only on purpose built first party hardware. Designed by and for Apple. Which renders that argument moot. And it's not like the case will set any sort of precedent so if that's the best their legal counsel can muster they should be sacked. Moreover justifiable and honest security research can be done the same way it has always been done up to now, so its not like Corellium offers anything that we are at a disadvantage without. It simply makes life easier for black hats and sketchy individuals to hack iOS and monetise their "work" The simple fact is this iOS is Apple IP. And when you work with anything closed source like this or with anything in fact owned by someone else you accept their terms beforehand. App developers have to accept a user/dev agreement prior to any work and Apple is very exacting in what they do and do not allow. The same applies here. Whether you agree or not with their rules or you think they assert too much control is besides the point. If you don't like it, simple; go elsewhere. But you cannot then complain because the loophole you thought you found gets you into trouble. More and more I find people today to be extraordinarily entitled. It is a very unpleasant trait.
    I think you gave the answer away in your first sentence. The US government wants this as a tool to hack into iPhones since they can’t force Apple into making a back door. At least that is my take on why they would be so interested in this case. 

    I bet if you do a little digging, you’ll find those so called “experts” are working with governments to help design a system to extract data from iOS devices. 
    SpamSandwichwatto_cobra
Sign In or Register to comment.