China Privacy Security Apple

Apple Agrees To Chinese Security Audits of Its Products

itwbennett writes: According to a story in the Beijing News, Apple CEO Tim Cook has agreed to let China's State Internet Information Office run security audits on products the company sells in China in an effort to counter concerns that other governments are using its devices for surveillance. "Apple CEO Tim Cook agreed to the security inspections during a December meeting in the U.S. with information office director Lu Wei, according to a story in the Beijing News. China has become one of Apple’s biggest markets, but the country needs assurances that Apple devices like the iPhone and iPad protect the security and privacy of their users as well as maintain Chinese national security, Lu told Cook, according to an anonymous source cited by the Beijing News."
  • Absolutely fair.. (Score:3, Insightful)

    by Rick in China ( 2934527 ) on Friday January 23, 2015 @03:20AM (#48882665)

    More countries should be doing security audits on more products.

    • by Anonymous Coward on Friday January 23, 2015 @03:41AM (#48882707)

      "Security Audits" - In other words, making sure these governments have a way to access secure information stored on confiscated iPhones from activists, dissidents, journalists, and other troublemakers.

      • Re: (Score:2, Funny)

        by Anonymous Coward

        No, it says "protect the security and privacy of their users". Are you accusing them of lying?

      • "Security Audits" - In other words, making sure these governments have a way to access secure information stored on confiscated iPhones from activists, dissidents, journalists, and other troublemakers.

        How would a security audit achieve this? Just curious. I'm sure you know a lot more about this than I do.

        • Re:Absolutely fair.. (Score:4, Informative)

          by weilawei ( 897823 ) on Friday January 23, 2015 @06:31AM (#48883073)

          I believe the GP was suggesting that the phrase "security audit" was being used in a euphemistic manner.

          • I believe the GP was suggesting that the phrase "security audit" was being used in a euphemistic manner.

            And in what alternate universe would Apple agree to a euphemistic security audit?

            • I can't really answer that, since I don't have any information on their internals, thus, I'd be speculating. I was merely pointing out what the GP appeared to be saying.

              Do I agree with the GP? No idea. It's rather difficult to pass judgement on things without any actual details. I'd prefer to skip speculation and just wait for the results.

            • In a world where several BILLION up-and-coming wage earners are ripe to purchase their products, which, incidentally, wouldn't exist if not for the cheap labor still extant in that very same country.

              • In a world where several BILLION up-and-coming wage earners are ripe to purchase their products, which, incidentally, wouldn't exist if not for the cheap labor still extant in that very same country.

                Maybe their regional ads will say 'Designed in California. Made in China'

                • In a world where several BILLION up-and-coming wage earners are ripe to purchase their products, which, incidentally, wouldn't exist if not for the cheap labor still extant in that very same country.

                  Maybe their regional ads will say 'Designed in California. Made in China'

                  Probably should actually say 'Designed in California. Made in Taiwan, Japan, and Korea. Assembled in China.'

        • by phayes ( 202222 ) on Friday January 23, 2015 @08:35AM (#48883517) Homepage

          What better way to learn what undiscovered security holes there are in a product than to be able to see the source code?

          Oh, you thought that the reason China wants to audit the code is so that they can "protect" their citizens. Yes, because not at all well known for targeting dissent, no, not at all...

        • by rtb61 ( 674572 )

          It depends what they are actually saying when they say they want to security audit the devices. I take that to mean complete access to the source code for all software supplied with the device and complete access to detailed hardware designs. So yep, a security audit will allow the Government of China to hunt down bugs and make use of them "to access secure information stored on confiscated iPhones from activists, dissidents, journalists, and other troublemakers". Likely it goes deeper than this and they w

      • by swb ( 14022 )

        This was my first thought -- it's a search not for security of the devices, but a search for exploits of these devices and/or some form of industrial espionage.

        But I wonder -- can Apple set the terms of the audit? Ie, you get to examine whatever it is you examine in our office using our provided systems which aren't connected to the Internet. You may not bring any electronic devices into the audit facility. You may not reproduce any code you review in our facility by any means, including notes, pseudocode

        • by gnasher719 ( 869701 ) on Friday January 23, 2015 @07:32AM (#48883175)
          Consider that China is legally allowed to do security audits or "security audits" on any open source system. So what would Apple have to be afraid of that Linux or OpenSSL just as examples don't have to be afraid of?
          • Re:Absolutely fair.. (Score:5, Interesting)

            by swb ( 14022 ) on Friday January 23, 2015 @07:50AM (#48883261)

            Fear one may just be outright industrial espionage.

            I'm guessing that security in Apple products goes above and beyond whatever (likely modified) FOSS libraries they use, but would also include stuff like their whole-disk encryption system, the touch ID sensor and its encodings, etc. So there's a fair amount of proprietary tech in these devices.

            Fear two might be obtaining what amount to currently unknown zero-day exploits that could conceivably open all iDevices to security risks exploitable by Chinese intelligence.

            AFAIK, recent models and OS levels have a generally accepted level of security that makes them difficult to break or exploit and I think this has come to be seen as a competitive advantage. Even if the security is beatable by the NSA in a lab situation, the marketing value is to businesses worried about lost devices or devices used in vertical markets with security compliance regulations.

            Which is why I wondered how much Apple can control the terms of a security audit. Do the Chinese just get handed a memory stick with ios-82-iphone6-source.tgz they can take back to their office or do they sit in a plain white room with locked down desktops that do a one-way remote console to a machine with source code? Or worse, a plain white room with a bunch of binders of printed source code?

          • Losing the additional security that closed source gives over open source.

            Note that the phrase "There's no such thing as security through obscurity" is a nonsense. Security through obscurity alone is poor security. But it does indeed add a level of security when combined with other security practices.
            https://en.wikipedia.org/wiki/... [wikipedia.org]

        • But I wonder -- can Apple set the terms of the audit?

          No, but they can create different versions for different nations with different back doors approved by each region's security apparatus...

      • by gtall ( 79522 )

        That, and I wonder how intrusive are the security audits. I wouldn't put it past the Chinese government to think of the security audits as a legal way to steal technology ideas.

      • by AmiMoJo ( 196126 ) *

        The NSA installed the backdoor, can't blame others for wanting to find it. That way they can protect themselves, exploit it for their own use and pick up some hints on the sort of techniques that the NSA likes to use.

      • Re:Absolutely fair.. (Score:5, Interesting)

        by Minupla ( 62455 ) <minupla@gmail.PASCALcom minus language> on Friday January 23, 2015 @07:53AM (#48883271) Homepage Journal

        Hrmm, this might work out well for us non-govt people.

        Consider:

        NSA: "Apple, you must let us 'review' your code. We'll keep our findings to ourselves, you can't tell anyone"
        Apple: "OK"
        NSA digs through code, finds exploits, locks them up for future weaponization ...
        China: "Apple, we'd like to "review" your code. We're going to tell the world about it"
        Apple: "OK"
        NSA: "Crap, now those evyl Chinese will find our exploits. Darn, I guess we'd better tell Apple to fix them after all or the Chinese will be spying on us!"

        At the end of the day, the best we can hope for is that the various spooks keep each other honest.

        Min

      • So, what do we think? Will the Chinese Government use this opportunity to provide valuable input to Apple on security vulnerabilities that they discover to help better secure Apple products? Or will they squirrel away the things they discover to their Intel agencies? My bet's on the latter.
      • by Anonymous Coward

        It means that they get to see the source code under NDA. They negotiated the same thing for Windows. Having source makes it a little easier to find exploits to add to an NSA-like arsenal backing a FOXACID-like system. Though it's possible to find exploits without source, it's natural for them to want every advantage they can get.

        Hopefully this is less of a big deal for Apple than it was for Windows since much of the Apple source code is already public: Darwin and WebKit. There's still a lot of closed-so

      • "Security Audits" - In other words, making sure these governments have a way to access secure information stored on confiscated iPhones from activists, dissidents, journalists, and other troublemakers.

        Not necessarily. There are legitimate kinds of audits, too. In fact the U.S. should be doing more of them.

        We have already found foreign chips (guess where they were made) that were "backdoored", even in some military products. And others that were cheap forged copies of better chips.

        Whenever we have electronics that are important to not just military security but even just citizen privacy and dependence (like phones), we should be doing thorough security audits.

    • It is common practice for most countries, the only thing new here is a western country letting china do it too.

      • by bouldin ( 828821 )

        Here in America, we don't even audit our damn voting machines.

        Unmodified, general purpose COTS non-voting software (e.g., operating systems, programming language compilers, data base management systems, and Web browsers) is not subject to the detailed examinations specified in this section. However, the accredited test lab shall examine such software to confirm the specific version of software being used against the design specification to confirm that the software has not been modified. Portions of COTS

  • Of Course (Score:4, Insightful)

    by theshowmecanuck ( 703852 ) on Friday January 23, 2015 @03:21AM (#48882667) Journal
    Since most of their operations are in China (even if de facto), they are essentially a Chinese company. They have to agree.
    • They have outsourced parts of their business to companies in China, but that does not make them a Chinese company.

  • by codeButcher ( 223668 ) on Friday January 23, 2015 @03:22AM (#48882671)

    I thought Apple products were assembled in China? (By Chinese spies masquerading as low-wage workers, etc. etc. etc.)

    Also, Lenovo.

    • by AmiMoJo ( 196126 ) *

      I don't think they assemble the code by hand any more.

    • I thought Apple products were assembled in China?

      Manufactured and assembled. They used to assemble parts for the US market in Sacramento, but they decided that they should keep the proceeds from the Mac tax instead of paying American workers to build products which are associated with America.

  • by Anonymous Coward on Friday January 23, 2015 @03:24AM (#48882679)

    If Apple cooperates then how do they know the devices and software are exactly the same thing that Apple sells in China. The thing to do would be to acquire random samples in China and elsewhere jailbreak and then analyze. Never mind that Apple may not include obvious back doors but instead subtle behaviors that can be exploited and also explained away if discovered by outsiders.

    When push comes to shove it is all bullshit to use enemy technology. If I was in their shoes I would go for my own hardware and software developed without any input from the outside.

    They are probably more interested in breaking into existing I-devices, so don't use these things for what you want neither the US-G nor the CN-G to know. That simple. Nobody is your friend here.

  • by Anonymous Coward

    It will enable the Chinese intelligence services to identify more currently unexploited flaws in the security of Apple's products. I doubt they will let Apple know of all the flaws that they find.

    I suspect also that Apple could not refuse to cooperate, and I would be surprised if the intelligence services in the USA are not doing precisely the same.

    I wonder if the Europeans are regretting the disembowelling of Nokia as a phone manufacturer?

    • by Anonymous Coward
      If you could choose, would you have allowed or disallowed Apple to let China do this audit?
    • Exploitable flaws (Score:2, Interesting)

      by Anonymous Coward

      Nokia failed in design and marketing. Why would "Europe" regret that? It's not like "Europe" could have helped a bit. That's just how market works. Besides, the same people are still making phones, only they run MS software now. Nice phones, I have one, good exchange sync, works as a phone, WhatsApp works, nice camera. UI looks better imho compared to iOS and android. Software ecosystem may lack a bit, but everything I need in a phone is available. I have android phone also, but it's sitting on a desk at ho

  • Chinese New Year
    Chinese Zodiac
    Chinese Opera
    Chinese Laundry
    Chinese Restaurants
    Chinese Checkers
    Chinese Doll
    Chinese Puzzle Box
    Chinese Room
    Chinese Medicine
    Chinese Handcuffs
    Chinese Security Audits
  • I was chatting with friends in China about this article. The immediate and unprompted comment was that this will allow the Chinese clone makers direct access to the coding in the Apple products
  • Does that include auditing MacOSX (integrated cloud services et al)?
  • that they won't disclose to us? I don't know if any of you have ever tried to get this info from Apple, but they really don't make it easy. Or possible.
    • by Chrisq ( 894406 )

      that they won't disclose to us? I don't know if any of you have ever tried to get this info from Apple, but they really don't make it easy. Or possible.

      Just wait until the Chinese leak it online

  • by Anonymous Coward

    How naive you are. Apple just wants to make money from Chinese market. They don't care about privacy.
    What Lu means is really that you have to give your private key to us, or use the SMn ciphers (Chinese government home-made ciphers; whether there are flaws or not, we don't know).

    -- one Chinese

  • ...if that means the Chinese government gets to look at Apple's source code while Apple's customers do not.
  • Gee, I wonder what the other option was...

  • Can the US demand to security audit any Chinese product? Can we demand to see the source/firmware of, say, Huawei routers?

  • The Chinese is most likely doing this as a response to the US banning ZTE and Huawei telecom products in the US. The US government is accusing ZTE and Huawei of building backdoors and other security concerns into their hardware, so China wants to hit back with something equally annoying. China is basically saying that's cool, we can screw with your companies too. Especially since China is a huge market to cell phone makers that most US companies have yet to really tap into. And with a huge growing middle cl
    • The Chinese is most likely doing this as a response to the US banning ZTE and Huawei telecom products in the US. The US government is accusing ZTE and Huawei of building backdoors and other security concerns into their hardware, so China wants to hit back with something equally annoying. China is basically saying that's cool, we can screw with your companies too. Especially since China is a huge market to cell phone makers that most US companies have yet to really tap into. And with a huge growing middle class, the amount of profit for products like iPhone and Android based phones is huge. China is basically holding the iPhone hostage to get better treatment of its companies outside of China.

      The problem with that is the Chinese market craves iPhones and the US market couldn't care less about ZTE and Huawei products. All that'll do is piss off the Chinese with disposable incomes, "the growing middle class" and Chinese leaders will get voted out of office.

      Oh wait. It's a dictatorship.

  • Wait. Do you mean that Apple has just agreed to allow the Chinese to audit the Chinese-made iPhones that have Chinese malware that the Chinese put in to the iPhones that Apple is shipping from China to China? Next they will be wanting to audit the Chinese-made iPhones that have Chinese malware that the Chinese put in to the iPhones that Apple is shipping from China to the U.S. as well? Before or after the NSA interdicts the Chinese-made iPhones made in China by Chinese and shipped (via some secret stop-o
  • But what about all those semiconductor chips out of China, which are part of those American drones, which allow Iran to bring them down (when they are illegally overflying their airspace)?

    The socialist response to Obama's SOTU:

    https://www.youtube.com/watch?... [youtube.com]

    And the Real Obama:
    https://firstlook.org/theinter... [firstlook.org]
