Saturday, March 6 2021

Apple is Bullying a Security Company With a Dangerous DMCA Lawsuit, Hacker News


Making tools should not be a crime

Kyle Wiens

Photo: MIKI Yoshihito via Flickr

This op-ed was written by Kyle Wiens, the founder and CEO of iFixit, a company that publishes repair manuals for electronics and sells parts and tools to consumers. A previous version of this story was originally published on iFixit’s website; it has been updated for OneZero.

Apple has unleashed its legal juggernaut on an innovative iOS security company, and if they win their lawsuit, the damage will reverberate beyond the security community and into the world of repair and maintenance.

Corellium’s software creates virtual iPhones in a web browser so that app developers and security researchers can tinker without needing a physical device. The software is kind of like VirtualBox or Parallels – a container that you can run your own iOS image inside of. It’s nerdy stuff that most people will never need, but it’s genuinely useful. So useful, in fact, that Apple tried to buy the company, according to a court filing from November. When the founders refused, Apple decided to sue them into oblivion.

In a just-filed revision to its lawsuit, Apple has invoked Section 1201 of the Digital Millennium Copyright Act (DMCA), the infamous and often abused copyright law. This claim dramatically raises the stakes for this lawsuit and puts Apple squarely in the crosshairs of copyright experts concerned about unintended precedents it could set if Apple is successful.

But before we talk about Section 1201, let’s look at Apple’s original complaint. It accuses Corellium of infringing on Apple’s copyrighted works by providing virtualized access to iOS. “Corellium has simply copied everything: the code, the graphical user interface, the icons – all of it, in exacting detail,” the lawsuit states.

This is an annoying thing for Apple to complain about because it does not provide a first-party way for people to virtualize iOS. If it did, loads of developers would be happy to pay. Apple gives iOS away with every device, and it doesn’t sue people for pirating iOS the way that Microsoft has become notorious for in regards to Office and Windows. Running virtualized operating systems is a pretty commonplace thing to do these days: a working Windows setup on Amazon’s AWS servers costs about $0.… per hour.

Corellium also does not provide iOS firmware – contained in an IPSW file – itself, instead allowing you to provide your own copy or download one directly from Apple’s servers.

“Corellium does not host, cache, or distribute the IPSWs,” Amanda Gorton, Corellium’s CEO, told OneZero. “Apple’s IPSW files are freely available, unencrypted, to download from their servers … For our cloud product, when a user creates a new device, the user selects a desired model and OS version, and a download request is sent for the corresponding IPSW. Users are only able to select OS versions available from Apple.”

Rumors are that Apple is working on a virtualized environment for developing on iOS, so this lawsuit could be an aggressive form of Sherlocking, Apple’s practice of copying popular third-party apps.

Despite a lack of apparent interest in enforcing its copyright to iOS software, in this specific case, Apple has decided to exert control over iOS. And they’ve crossed a red line by invoking the most notorious statute in the U.S. Copyright Act, Section 1201. This is the very law that made it illegal for farmers to work on their tractors and for you to fix your refrigerator. It’s the same law that iFixit has been whacking away at for years, getting exemptions from the US Copyright Office for fixing, jailbreaking, and performing security research on everything from smartwatches to automobiles.

Enter Apple with the latest terrible, awful, no-good application of 1201. Apple claims that in making virtual iPhones for security and development use, Corellium is engaged in “unlawful trafficking of a product used to circumvent security measures in violation of 17 USC § 1201.” In other words: Corellium sells a way to use iOS that works around the way Apple intended it to work. Apple knows that you can’t use Corellium’s software to create your own knock-off iPhone. But it can claim that Corellium’s software is illegal, and it might technically be right. That’s terrifying.

So how did we get here? Well, Section 1201 works in two ways. First, it makes it illegal to bypass digital locks. And second, it makes it illegal to distribute tools to bypass locks. Back in 1998, when the law was written, digital locks were very rare – they were really only used to protect movies on DVDs. But nowadays, legitimate cybersecurity needs have driven companies to use digital locks on just about everything, and they are not providing anyone the key. You might have to modify your Samsung refrigerator’s software to fix its outdated calendar. But in order to do that, you have to jailbreak its Android operating system. And, as the name implies, jailbreaks require breaking digital locks.

Fortunately, Congress built an escape hatch into the law and allows motivated types like us to apply for specific “exemptions” – permission to pick digital locks that are in the public interest. For the last decade, iFixit has joined the Electronic Frontier Foundation and digital activists from around the country to apply for, and win, numerous exemptions for repair and security research every three years. One of those exemptions, most recently granted last October, is for jailbreaking iPhones. (Notably, Apple did not oppose this exemption request.)

Sounds great! So why can’t Corellium just send the judge a link to the jailbreaking exemption and wave this lawsuit goodbye? Well, there’s a fatal flaw in Section 1201. The U.S. Copyright Office believes only it has the power to grant exemptions for individuals to bypass their own locks, not for third parties to do it for you. So you can write the code to make your own virtualized iOS container, but you can’t hire Corellium to do it for you. This shows how ridiculous the law is. Cory Doctorow puts it well: “Even computer scientists don’t hand-whittle their own software tools for every activity: like everyone else, they rely on specialized toolsmiths who make software.”

The EFF vehemently disagreed with the Office on this and requested a tool exemption, but the Copyright Office ignored them and excluded tool distribution from the most recent exemptions.

Apple is upset that Corellium has created a tool that grants access to iOS in an innovative medium that Apple is (so far) unwilling to provide. It argues: “Corellium, by offering the Corellium Apple Product for sale or license without authorization from Apple, is trafficking in technologies, products, or services that are primarily designed to avoid, bypass, remove, deactivate, or otherwise impair technological measures that effectively control access to Apple’s copyrighted works, in violation of 17 USC § 1201(a)(2).”

According to Apple, Corellium does this by “disabling loadable firmware validation, disabling self-verification of the FIPS module, adding Corellium software to the ‘trust cache,’ and instructing the restore tool not to contact Apple servers for kernel/device tree/firmware signing.” That allows Corellium to “jailbreak” or otherwise bypass features of iOS that are designed to prevent access to the software stored on the iOS device.

Of course, Apple includes those copyrighted works for free with every iOS device. Corellium is not enabling piracy of iOS – it’s supporting security research. But because Section 1201 does not require theft of a copyrighted work, Apple has a chance of succeeding with this “tool trafficking” argument.

As the world embraces internet-connected hardware, more and more of the devices that we use will integrate digital locks. Apple is arguing that no one else should be able to make tooling for performing security research on their products. What happens if other companies start making the same claims?

This isn’t academic. Last year, GM sued aftermarket parts company Dorman for “overriding the security measures used in [GM]’s vehicle control modules” in their transmission repair tool. Dorman’s aftermarket transmissions moved the firmware from an existing transmission into their aftermarket part, so that it would be recognized by the vehicle and work.

John Deere has also been aggressively locking down their products, aiming to monopolize service and prevent farmers from doing repairs themselves. It opposed a DMCA exemption for farmers on the grounds that if owners could fix their own equipment, they might use their newfound freedom to pirate Taylor Swift’s music on their tractors.

This is a massive change from the status quo. For decades, people have used aftermarket car parts and those parts have created competition in the industry. For decades, farmers have been self-reliant and able to fix their own gear without the manufacturer breathing down their neck and squeezing money out of them.

That GM and John Deere can abuse copyright law in this way is terrible. It’s clearly in the public’s interest to have aftermarket parts options for automobiles: It keeps manufacturers competitive at both price and quality. This law has the unintended consequence of giving manufacturers a monopoly on repairs of any product containing software and a digital lock.

Apple knows this. They understand the ethical implications of using a bad law as a cudgel, and they don’t care. Every successful suit that invokes 1201 sets a precedent for further abuse. The purpose of copyright is set out in the US constitution as simply “to promote the progress of science and useful arts.” Apple’s suit does the opposite – it seeks to limit who can make security tools to improve iOS. It’s beyond the pale to abuse copyright to preserve a monopoly position and deter security research.

So where do we go from here? The EFF has sued the Copyright Office, arguing that Section 1201 is an unconstitutional violation of the First Amendment. If they succeed, it’s possible that 1201 could go away entirely. But that suit has languished on the court’s desk for three years, and it’s unclear when it will be heard.

The more expeditious path would be for Congress to pass something like California Representative Zoe Lofgren’s Unlocking Technology Act and fix Section 1201 once and for all.

The future of ownership is at stake. If we can’t investigate the security of the software that runs on our devices or make software changes in order to fix them, then we don’t really own our stuff anymore.

It’s time to decriminalize toolmaking.
