iPhone Emulation Company Sued by Apple Says It's Making iPhones Safer

A startup that makes replicas of the iPhone that help hackers find vulnerabilities is accusing Apple of suing it in an attempt to shut it down. Corellium also fired back at Apple and claimed the company owes it $300,000. From a report: On Monday, Corellium, the startup that was sued by Apple for alleged copyright infringement in August, filed its response to the lawsuit. Apple alleged that Corellium's product is illegal, and helps researchers sell hacking tools based on software bugs found in iOS to government agencies that then use them to hack targets. The cybersecurity world was shocked by Apple's lawsuit, which was seen as an attempt to use copyright as an excuse to control the thriving, and largely legal, market for software vulnerabilities. The lawsuit was filed just a few days after Apple announced it would give researchers special "pre-hacked" devices to allow them to find and report more bugs to the company.

"Through its invitation-only research device program and this lawsuit, Apple is trying to control who is permitted to identify vulnerabilities, if and how Apple will address identified vulnerabilities, and if Apple will disclose identified vulnerabilities to the public at all," Corellium argues in its response, echoing arguments made by the security research community. In its response, Corellium essentially argues that using Apple's code in Corellium is fair use and its product makes the world a better place by helping security researchers inspect the iPhone's operating system, find flaws in it, and help Apple fix them. With Corellium, researchers can more easily find bugs by creating virtual instances of iOS and test them more quickly, as opposed to having to use actual physical devices. Corellium attempts to illustrate this by including "before" and "after" images in its response that demonstrate what it was like to try to hack the iPhone before it released its software.

Those who can, do

[Opportunist]

Those who can't, sue.

Re:Those who can, do

[bluefoxlucid]

Duplicating and distributing IP to what would be paying customers--people with the same end use case as what would usually be a customer--is copyright infringement and a problem for honest business.

It doesn't, however, deprive anyone of physical use of whatever it is they had. Each copy is a copy, like building a car just like yours and giving it to someone else.

In this case, we built a car just like yours and gave it to someone else to smash in a crash test. One might argue that a counterfeit car used for a taxi fleet or sold to consumers or whatnot is tarnishing the brand and taking away from the uniqueness of the automaker's product; but simply as a replica to destroy? To examine, probe, and seek out flaws? No, the argument doesn't hold.

Re:

[Aighearach]

One might argue that a counterfeit car used for a taxi fleet or sold to consumers or whatnot is tarnishing the brand and taking away from the uniqueness of the automaker's product; but simply as a replica to destroy? To examine, probe, and seek out flaws? No, the argument doesn't hold.

One might argue, but it would be silly, since those are arguments that involve valid concerns in a trademark dispute, but that are completely irrelevant to a copyright dispute.

Re:

[guruevi]

The intended use doesn't matter, the sale itself does. The customer could say they will smash the vehicles and then turn around and use it in a taxi fleet. There are companies out there using Correlium tech to 'virtualize' and rent out "cloud iOS" devices for commercial development. What you're saying is that it would be legal to sell copied versions of Windows for 'development' without paying Microsoft.

In this case, whatever Correlium is selling isn't in itself illegal, what they did do illegally however i

Re: Those who can, do

[registrations_suck]

Except that youâ(TM)re selling the card to the third party, not giving it away. And the car you built is my design, for which I own various patents and other rights, which I have neither licensed to you nor been compensated by you.

Re:

[fedos]

Your false analogy is bad and you should feel bad.

Re:Those who can, do

[twocows]

First, your analogy doesn't make sense. It's the same argument RIAA/MPAA/etc. make to try and falsely conflate copyright infringement and unauthorized redistribution with stealing. It's false because in the case of stealing, someone is deprived of property and the ability to use it (in your analogy, that would be the person whose car is "borrowed"). In the case we are discussing, Apple is not being deprived of their property or the ability to use or sell it. It may be that there is a crime being committed, but that crime is not stealing like you are implying.

Second, you seem to be under the mistaken assumption that there are no legally permitted exceptions to copyright. This is false and in fact TFS specifies the specific exemption that Corellium is challenging under: fair use. Whether their use is actually exempted is a matter that will be decided by the courts, but fair use is, in fact, a valid exemption to copyright and if they can prove their usage falls under it, they will, in fact, be able to use Apple's IP without their say so. That's how fair use works.

Re:

[Anonymous Coward]

Don't copy that floppy! You wouldn't download your grandma, would you?!

Re:

[exomondo]

Because "I'm making it safer" you'll agree, right?

On what basis do they claim that it's making things safer? Do they only offer their service to "good guys"?

As stated in the article:
The only customer Corellium names in its response is Azimuth Security, which was acquired by defense contractor L3 last year. As Motherboard reported last year, Azimuth is one of the best companies in the world at finding bugs in iOS, and developing exploits that take advantage of those bugs. Azimuth does not report those bugs to Apple. Instead, it sells hacking tools based on

Re:

[Opportunist]

No problem. As long as I can still use it whenever I need it and you don't damage it in any way, I'd be delighted to have a more secure car.

You have any idea what you normally pay to get a sensible security test done?

What law? Could be fair use, though

[raymorris]

> The judge will rule in favor of Corellium as a matter of law in most points but he will say that Apple has a right to:
> * require payment from Curellium for a "pool" of virtual machines, with the price tied to the new price of a typical iOS device and the typical lifespan of those devices

What law requires device manufacturers to sell virtual machines similar to their devices? Even if that were a good idea for a law, there is no such law, that I'm aware of.

The defendant does a reasonable argument fo

Re:

[drinkypoo]

I don't think it's a reasonable argument for fair use. It really doesn't meet any of the standards. They're selling access to third parties. The goal isn't solely to critique, or inform, or to educate.

If they were doing all of the testing themselves and giving away the information, or working only with educational institutions or news outlets, maybe fair use would fly. But the combination of activities is pretty clearly using someone else's IP for profit.

For what it's worth I do think Apple's secrecy is cre

Those are all examples of "transformative"

[raymorris]

One of the four tests under fair use is whether the use is transformative, whether it changes how the work is used. Examples if transformative uses are "The goal isn't solely to critique, or inform, or to educate". Actually this is a combination of critique ans education, but no matter - it's clearly different from the use Apple designed the iPhone for, so it is transformative use. IMHO, it passes that prong.

Another prong is whether people will buy this product instead of buying an iPhone, thereby hurtin

Ps they took the whole thing

[raymorris]

Since I already covered half of the fair use analysis, I suppose I may as well finish.

They took the whole thing, not a small part. Points against fair use.

The work is taken as a functional system, neither a recitation of factual information, nor a work of art. So zero points either way on the nature of the original work.

On the "fifth factor", good guy or bad guy, again zero points because they are doing something that is both helpful and potentially harmful for society - depending on who uses the product.

Re:

[guruevi]

The judge won't rule in favor of Correlium because they are engaging in copyright violations.

The judge may require both punitive and compensatory damages, but it won't be calculated the way you assume, but even if you did, the CPU in the iOS devices never stops, it's continuously keeping a connection to the cell tower, Apple push services, receiving e-mail etc.

The case is very simple: can you download 'free' software from a provider (eg. Apple and Microsoft) and then resell it as your own. Copyright says no

Re:My prediction

[twocows]

They're arguing their usage constitutes fair use, which if they successfully argue would mean they're not violating copyright law.

I don't buy it myself, but it's for the courts to decide. I'd actually like to see them win, both because I think they have a useful product (and I think Apple should work with them rather than sue them into oblivion) and because I'd like to see copyright law weakened and fair use broadened, but I really don't think they will.

Re:

[rahvin112]

I don't buy it either. If they are making money abusing Apples copyright I doubt a court would find that it's fair use. Fair use rarely covers the ability to copy someones code and sell it (or access to it) for a profit.

Their goal isn't more security or comment, it's to make money using Apples Copyrights by selling access to those copyrights in a way that Apple refuses to provide. I bet they lose this suit and lose it badly. In fact I'm willing to bet the Judge gives Apple a preliminary injunction and shuts

Re:

[spire3661]

A $1000 iphone will have a hell of a lot longer life than 3 years. The first owner might only hold onto it that long, but it still retains a huge chunk of its value after that short a period and there are secondary markets.

Re: My prediction

[bill_mcgonigle]

> A $1000 iphone will have a hell of a lot longer life than 3 years

The iPhone 5s was discontinued just over three years ago and already it's unsupported and unsafe to use on the Internet because of unpatched vulnerabilities.

Re:

[hunterkll]

iOS 12.4 received an update with iOS 13's release as well for the 5S, patching all current known vulnerabilities.

https://appleinsider.com/artic... [appleinsider.com]

So yea, still somewhat supported, and not "unsupported and unsafe" with "unpatched vulnerabilities"

As well, it had a support lifecycle *far* longer than any android device i'm aware of, being released *6* years ago and still receiving a patch as of last month for known vulnerabilities. And given it was updated yesterday, still seems to be somewhat supported....

I'd

Re:

[the_B0fh]

iPhone 5s was released on September 20, 2013 and discontinued on March 21, 2016. It still takes iOS 12, which was last updated on September 17, 2019 (v 12.4.1).

How is it unsafe to use? I bet you it is far better patched than 95% of the Androids out there.

I'm a Food Researcher

[Lije Baley]

I'm getting into the fridge at work and tasting everyone's lunches. There is certainly something bad in there somewhere. Oh, and BTW I expect to be paid handsomely.

Re:I'm a Food Researcher

[drinkypoo]

If you can't tell the difference between copyright infringement and theft, why do you imagine that anyone will care what you think?

Re: I'm a Food Researcher

[Lije Baley]

I actually didn't mean to comment on the topic, I have just had enough "security researcher" articles lately. Like AC said, I should have kept it to myself.

DEY COPIED R APIS!!!

[the_skywise]

Emulators are completely legit to build - now they MIGHT have a claim for selling the emulators but that's not what's happening here and I don't think that's Apple's argument.

Re:

[rahvin112]

It's not just an emulator, an emulator would be something that duplicates a ARM system. This thing is duplicating the entire hardware right down to Apples software in the ROM's, not to mention duplicating and running an unlicensed copy of iOS.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[drinkypoo]

Yeah, but don't single out Apple, they hold only a minority of the market. They hold a lot of it as far as single brands go, but we really need to have control over all of the devices. Apple is only a particularly egregious example of lack of control over one's devices, because they have a monopoly over deploying apps to iDevices.