Apple has unleashed their legal juggernaut on an innovative iOS security company, and if they win their lawsuit, the damage will reverberate beyond the security community and into the world of repair and maintenance.
Corellium’s software creates virtual iPhones in a web browser, so that app developers and security researchers can tinker without needing a physical device. It’s nerdy stuff that most people will never need, but it’s genuinely useful. So useful, in fact, that Apple tried to buy the company. When the founders refused, Apple decided to sue them into oblivion.
In a just-filed revision to their lawsuit, Apple has invoked section 1201 of the DMCA, the infamous and often abused copyright law. This claim dramatically raises the stakes for this lawsuit, and puts Apple squarely in the crosshairs of copyright experts concerned about unintended precedents it could set if Apple is successful.
But before we talk about section 1201, let’s look at Apple’s original complaint. They accuse Corellium of doing exactly what they promise customers: providing virtualized access to iOS. “Corellium has simply copied everything: the code, the graphical user interface, the icons—all of it, in exacting detail,” the lawsuit states.
This is an annoying thing for Apple to complain about, because they don’t provide a way to license iOS for virtualized purposes. If they did, loads of developers would be happy to pay. Apple gives iOS away with every device, and doesn’t sue people for pirating iOS the way that Microsoft has been notorious for. Running virtualized operating systems is a pretty commonplace thing to do these days—a working Windows setup on Amazon’s AWS servers costs about $0.03/hour. Apple should charge for this and Corellium should pay.
The Digital Millennium Copyright Act Strikes Back
Despite a lack of apparent interest in enforcing their copyright to iOS software, in this specific case Apple has decided to exert control over iOS. And they’ve crossed a red line by invoking the most notorious statute in the US copyright act, section 1201. This is the very law that made it illegal for farmers to work on their tractors and for you to fix your refrigerator. It’s the same law that we’ve been whacking away at for years, getting exemptions from the US Copyright Office for fixing, jailbreaking, and performing security research on everything from smartwatches to automobiles.
Enter Apple with the latest terrible, awful, no-good application of 1201. Apple claims that in making virtual iPhones for security and development use, Corellium is engaged in “unlawful trafficking of a product used to circumvent security measures in violation of 17 U.S.C. § 1201.”
In other words: Corellium sells a way to use iOS that works around the way Apple intended it to work. Apple knows that you can’t use Corellium’s software to create your own knock-off iPhone. But they can claim that Corellium’s software is illegal, and they might technically be right. That’s terrifying.
Circumventing Technological Protection Measures
Back in 1998, when the law was written, digital locks were very rare—they were really only used to protect movies on DVDs
So how did we get here? Well, 1201 works in two ways: One, it makes it illegal to bypass digital locks. And two, it makes it illegal to distribute tools to bypass locks. Back in 1998, when the law was written, digital locks were very rare—they were really only used to protect movies on DVDs. But nowadays, legitimate cybersecurity needs have driven companies to use digital locks on just about everything, and they are not providing anyone the key. You might have to modify your Samsung refrigerator’s software to fix its outdated calendar. But in order to do that, you have to jailbreak its Android operating system. And, as the name implies, jailbreaks require breaking digital locks.
“Anytime someone puts a lock on something you own, against your wishes, and doesn’t give you the key, they’re not doing it for your benefit.” — Doctorow’s Law
Fortunately, Congress built an escape hatch into the law, and allows motivated types like us to apply for specific ‘exemptions’ — permission to pick digital locks that are in the public interest. For the last decade, iFixit has joined EFF and digital activists from around the country to apply for, and win, numerous exemptions for repair and security research every three years. One of those exemptions, most recently granted last October, is for jailbreaking iPhones. (Notably, Apple did not oppose this exemption request.)
Sounds great! So why can’t Corellium just send the judge a link to the jailbreaking exemption and wave this lawsuit goodbye? Well, there’s a fatal flaw with 1201. The Copyright Office believes only it has the power to grant exemptions for individuals to bypass their own locks, not for third parties to do it for you. So you can write the code to make your own virtualized iOS container, but you can’t hire Corellium to do it for you.
This shows how ridiculous the law is. Cory Doctorow puts it well: “Even computer scientists don’t hand-whittle their own software tools for every activity: like everyone else, they rely on specialized toolsmiths who make software.” The Electronic Frontier Foundation vehemently disagreed with the Office on this and requested a tool exemption, but the Copyright Office ignored them and excluded tool distribution from the most recent exemptions.
Making Tools Should Not Be a Crime
Apple is upset that Corellium has created a tool that grants access to iOS in an innovative medium that Apple is (so far) unwilling to provide.
“Corellium, by offering the Corellium Apple Product for sale or license without authorization from Apple, is trafficking in technologies, products, or services that are primarily designed to avoid, bypass, remove, deactivate, or otherwise impair technological measures that effectively control access to Apple’s copyrighted works, in violation of 17 U.S.C.§ 1201(a)(2).”
According to Apple, Correllium does this by “disabling loadable firmware validation, disabling self-verification of the FIPS module, adding Corellium software to the ‘trust cache,’ and instructing the restore tool not to contact Apple servers for kernel / device tree / firmware signing.” That allows them to “jailbreak” or otherwise bypass one or more feature of iOS and iOS devices that are designed to prevent access to the software or other material that could be stored on the iOS device.
Of course, Apple includes those copyrighted works for free with every iOS device. Corellium is not enabling piracy of iOS—they’re supporting security research. But because 1201 doesn’t require theft of a copyrighted work, Apple has a chance of succeeding with this ‘tool trafficking’ argument.
If Apple Wins, We All Lose
As the world embraces internet-connected hardware, more and more of the devices that we use will integrate digital locks. Apple is arguing that no one else should be able to make tooling for performing security research on their products. What happens if other companies start making the same claims?
This isn’t academic. Last year, GM sued aftermarket parts company Dorman for “overriding the security measures used in [GM]’s vehicle control modules” in their transmission repair tool. Dorman’s aftermarket transmissions moved the firmware from an existing transmission into their aftermarket part, so that it would be recognized by the vehicle and work.
John Deere has also been aggressively locking down their products, aiming to monopolize service and prevent farmers from doing repairs themselves. They opposed a DMCA exemption for farmers on the grounds that if owners could fix their own equipment, they might use their newfound freedom to pirate Taylor Swift’s music on their tractors.
This is a massive change from the status quo. For decades, people have used aftermarket car parts and those parts have created competition in the industry. For decades, farmers have been self-reliant and able to fix their own gear without the manufacturer breathing down their neck and squeezing money out of them.
That GM and John Deere can abuse copyright law in this way is terrible. It’s clearly in the public’s interest to have aftermarket parts options for automobiles: it keeps manufacturers competitive on both price and quality. This law has the unintended consequence of giving manufacturers a monopoly on repairs of any product containing software and a digital lock.
Apple knows this. They understand the ethical implications of using a bad law as a cudgel, and they don’t care. Every successful suit that invokes 1201 sets a precedent for further abuse. The purpose of copyright is set out in the US constitution as simply “to promote the progress of science and useful arts.” Apple’s suit does the opposite—it seeks to limit who can make security tools to improve iOS. It’s beyond the pale to abuse copyright to preserve a monopoly position and deter security research.
It’s Time to Fix the DMCA
So where do we go from here? The EFF has sued the Copyright Office arguing that section 1201 is an unconstitutional violation of the First Amendment. If they succeed, it’s possible that 1201 could go away entirely. But that suit has languished on the court’s desk for three years, and it’s unclear when it will be heard.
The more expeditious path would be for Congress to pass something like Rep. Zoe Lofgren’s Unlocking Technology Act and fix section 1201 once and for all.
The future of ownership is at stake. If we can’t investigate the security of the software that runs on our devices or make software changes in order to fix them, then we don’t really own our stuff anymore.
It’s time to decriminalize toolmaking.
Top image by Daniel Aleksandersen/Flickr
crwdns2944067:030crwdne2944067:0
Is it really terrifying or are you a little paranoid like Doctorow who seems to think he has a god-given right to steal other’s intellectual property?
If you’d spent decades and millions of pounds creating a successful product, only to see someone else come along and rip it off verbatim, you’d probably also be miffed. But you haven’t. You just want to cheat and steal. Thank God for the copyright office.
Ray Scott - crwdns2934203:0crwdne2934203:0
Nobody is “stealing” anything. Nor did Doctorow ever claim he has a right to do so. Everything being done here should be a Fair Use, which is a core part of Copyright law. But Section 1201 is so badly implemented that it completely ignores Fair Use and any other safeguards (hence why EFF sued to have it struck down as blatantly unconstitutional).
And you do realize this is Apple we’re talking about, right? They are not the ones who invented the products they’re so well known for selling. All of them were built on the work of others. Why do they get to decide that nobody else is allowed to do it when they found their own success by doing the same?
John Roddy -
Perhaps you haven’t read the same writings of Doctorow that I have, but he has said on occasions that he thinks he has the right to reverse engineer other people’s IP in order to figure out how it works. This is a blatant attempt at IP theft (Apple’s IP, or the IP they license from others). Obviously he’s not going to say it in so many words. His usual excuse is that it’s being done in the name of “security research”. And if you think I’m wrong, ask him why he complains about IOT devices that use encryption to provide a more secure product, such as encrypting the communications to back end services. He ironically claims that the security that is build into IOT products prevents security researchers from carrying out their jobs. How nonsensical is that statement? And if the encryption weren’t there in the first place, they’d be up in arms. A ridiculous argument really.
Ray Scott -
Yes, I know we’re talking about Apple. OK you seem to know very little about technology, patents or licensing. It’s perfectly legal to license patented technology from other inventors to build a product and sell it, legally, which is exactly what Apple have done. In other cases, such as their A series of chips, they have designed and developed the components themselves. I’m not sure why you think the user of a product that contains 3rd party IP is suddenly allowed to use that 3rd party IP to develop a product without paying a licensing fee to the patent owner. You’re suggesting that everyone can just use everyone else’s copyrighted IP, just because you think everyone else is violating patent laws and licensing
Ray Scott -
The OP said Apple should license it and the third parties pay for it. The problem is Apple won’t license it. Instead they attempt to employ a capture and kill strategy by buying out the company but not releasing the service so they only they can effect repairs. When that failed, they go to a DCMA lawsuit to kill without capturing.
jkgarrett17 -
And another thing, just because 1201 was created in a time when digital locks were around, doesn’t mean its intention was only to be applied to digital locks in the future. That’s another mistake on your part. Misinterpreting the law.
Ray Scott - crwdns2934203:0crwdne2934203:0
Corellium’s IP Policy is laughable…
Ray Scott - crwdns2934203:0crwdne2934203:0
Bullying is very common tactic large companies use as a disincentive to any kind of disruption. Disruption is why Elon musk is generally hated by the wall street and oil+car industry. It is easier to compete in any environment by closing all the doors to opensource. We are living in the age of consumer innovation and this law needs to be changed along with strengthening of anti-monopoly laws. consumers are gaining access to data center level hardware etc and in all sectors the DIY market is gaining traction at unprecedented levels.
This decade will hold the key and companies charging 40% margins for bare-minimum innovation YoY will have to withstand public scrutiny.
https://sloanreview.mit.edu/article/five...
santosh - crwdns2934203:0crwdne2934203:0
I don’t trust any “security“ companies other than Apple, they did the best job so far
Zhi - crwdns2934203:0crwdne2934203:0
Each tech company (including Apple) relies on an external white-hat-community that helps them find security flaws. The tool as described here basically enables external experts to do so.
Even a company as large as Apple can not test all use cases, and therefore these external communities play an important role for the security or all of us. The same holds true for people tinkering around using existing products. These people are vital for the innovation that helps societies to evolve. Best example is Apple itself - it was founded as the result of tinkering.
Andreas Rudolph -
It’s a pity to read this article with my MacBook…
I think Apple is forgetting their old days of the two Steves. They used to hack telephones with “Blue Box”, and started the whole company. Now the company they built is suing next-generation Steves.
Ryang Sohn - crwdns2934203:0crwdne2934203:0
And let’s be honest, Correlium are trying to make a buck out of virtualising someone else’s product. They are not a charity or non-profit trying to perform security research. Just because someone else stumbled across a security issue accidentally, doesn’t make what Corellium are doing right.
You also seem to casually ignore the copyright’d works that Apple have obviously developed around a FIPs module. Which is exactly what Corellium are circumventing. If it looks like an Apple product (and Corellium are even using Apple trademarks in their product ), user’s will hold Apple responsible if something goes wrong. The idea that it’s perfectly fine for some other company to hack into someone else’s copyrighted works to undermine its security and then pass it off as original work without getting their arses sued is living in dreamland. It’s just theft and cheating.
They themselves are the pirates. This is clearly obvious.
Ray Scott - crwdns2934203:0crwdne2934203:0
Once you start virtualizing iOS in a browser, what’s to stop you from running it in Chrome, on an Android phone? All you need a that point is a bit of plumbing, and half the Android world would run iOS in their Android phone, if nothing else, simply for iMessage. You don’t think Apple sees that?
i have no name - crwdns2934203:0crwdne2934203:0
I have to agree with you there, I would totally run iMessage on my Android phone if I could.
nathanwharry -
corellium is doing illegal things by using iOS the way they use it. They are not a Security firm they are recklessly ripping off iOS and emulate it.
Peter Ben Jumanne - crwdns2934203:0crwdne2934203:0
Lets be honest about Apples intentions with FIPS TPM design. The only reason Apple invented it was to try and prevent people from building their own Apple computers running iOS aka Hackintosh. Apples business model is strange, they make money as an over-priced hardware design company with music services, a popular phone and now TV services. Back in the day Apple allowed white-box Apple systems and nearly went out of business because everyone else could build a better/faster and cheaper apple computer running MacOS. The sheer fact Apple is paranoid about Apple software running on anything other than an Apple piece of hardware is evidence to that fact, anyone else could do it better and cheaper.
And why the !&&* would anyone want to run iOS on Android hardware, generally the sentiment is the opposite for Android/Windows users when it comes to Apple anything, cool looking hardware (but not generally better or more capable than others), would be great to run Windows/Linux/Android on it, not the other way around.
zman442 - crwdns2934203:0crwdne2934203:0
For me, the solution is very simple.
If I can’t buy parts and fix it, I don’t buy it.
Never owned an apple product.
tjm
tjm - crwdns2934203:0crwdne2934203:0
This is the same thing which happened with Monsanto suing neighbor farmers for “stealing” IPR via pollen drift adjacent to a Monsanto field of RoundUp ready corn. It’s also the same thing as the EULA which converts the traditional purchase agreement into a lease agreement without the purchaser’s informed knowledge or consent. IOW, if you cannot use it, (bricked via product key/username & password) you do not own or control your purchased device, which remains in the control of & therefore ownership of the seller, whether that is corporate or previous consumer. It is time to decriminalize the ownership society. In yet other words, the courts need to inform corporate personhood, they cannot have it both ways.
lumloy371 - crwdns2934203:0crwdne2934203:0
Seems like it is the opposite of the Monsanto example, if Apple is Monsanto. It would be more like: Neigboring farmer actively trying to catch all wind drift, in order to monetize the drifting seed. The farmer actively removes windbreaks and add wind machines in order to get more drift. And the farmer goes to court to sue Monsanto for trying to limit the drift; that it is the farmer’s right to capitalize on all wind-born seeds.
Hobowan Kenobi -
They’re emulating proprietary hardware/software so….take your crying somewhere else.
Justin - crwdns2934203:0crwdne2934203:0
Several downsides to these “locked” IOT devices that should concern everyone:
1) bought a nifty IOT device for monitoring plant watering, locked to MFG server, so I can’t access directly. Mfg. went out of business and device becomes unusable. Didn’t realize my purchase was essentially stock in the company and a bet on its survival. Be warned!
2) Each company only does a few little things. These they lock to their ecosystem. If you want to build a single unified system, you have to break these locks or you are out of luck. Home automation is a great example. Door locks generally made by people who only make those. Lighting, separate system. HVAC might be combined with some other system. Sensor - many vendors, but no one that covers all your needs. Imagine if you bought a computer and could only buy parts from the Mfg. But they don’t sell WiFi and the one that does doesn’t have HDDs?
Ross Heitkamp - crwdns2934203:0crwdne2934203:0
You get access to a virtualized iPhone, or iPad, within xCode on a Mac. What makes Correlium so much better that these paid developers need to use it instead? Just so they don't have to buy a Mac? What am I missing here?
nathanwharry - crwdns2934203:0crwdne2934203:0
tjm wrote: “For me, the solution is very simple. If I can’t buy parts and fix it, I don’t buy it. Never owned an apple product.”
Me, too!
Cheers,
Roger
Roger - crwdns2934203:0crwdne2934203:0
I managed a few of those “faster/better and cheaper” computers. They weren’t. Apple was struggling at the time with poor management. When Steve Jobs returned the company returned to profitability. One of the changes made was to eliminate those junk computers. I hope no one argues that their return to success was because of bullying.
Terry Schwartz - crwdns2934203:0crwdne2934203:0
Lucien Guadeloupe Bonjour je ne suis pas expert en sécurité, cependant une question me vient :
1° Un constructeur vend une maison avec clé numérique sur la porte d’entrée et il me refuse le droit d’entrée donc je suis dehors à sa guise !.
2° Qu’un agriculteur soit empêché de gagner sa vie avec une machine qu’il a acheté avec une clé de sécurité et qu’il soit interdit de passer par technicien tiers pour la réparation !.
Ce n’est plus du commerce mais du racket et privation de liberté de vie de chacun. Et nous combattons le racket régulièrement me semble t’il !
Si Apple doit Now faire du racket pour exister = un signe de manque de création chez eux, I faut cesser d’acheter du APPLE ?
Concernant la notion de propriété intellectuelle, déposer un brevet ne veut pas dire être le seul à avoir trouvé sinon inutile de former des millions ingénieurs
Autre source d’inquiétude : QUI VA CONTROLER APPLE S’Il EST INTERDIT A D’AUTRE DE REGARD Salutations à toutes et tous
adilouiserre - crwdns2934203:0crwdne2934203:0
You say “Apple gives iOS away with every device” - NO, it does not. It sells you a license to use their software, under certain circumstances that do not include copying the code onto another devoice.
Ralph Cornforth - crwdns2934203:0crwdne2934203:0
I’m super against what Apple is doing here. But with regards to the DMCA on the Farms video, I don’t see an issue with people being able to work on their vehicles or tools they buy etc. It shouldn’t be illegal to open up something you bought and work on it. But these guys seem to be wanting the diagnostics tools for free which doesn’t make sense. A diagnostics tool is a different product. If you can write your own, go ahead. If you can work out what the problem is without the software, sure go ahead. But why should they get a separate product, which is the diagnostics tool which a lot of effort has gone into, for free?
James T - crwdns2934203:0crwdne2934203:0
Apple is no longer consumer oriented. The USSCt has held that a corporation’s primary priority is to make $ for its shareholders, and I’ve read that Tim Cook was promoted to CEO to make Apple more financially profitable —which is another way of saying “Shareholders and their rewards come first.”
I recently purchased an Apple-refurbished MBP with a thin Retina screen, and the screen shattered within 2 months of purchase. The purchase price was around $1000, but the replacement of the shattered screen was over $600. I then decided to purchase a good quality 2012 MBP like the laptop I was replacing —solid and fixable. So how many of the new Apple products with their subpar repairability ratings end up in the trash heap with their plastic shells living into the next millenium? I have been an Apple user since 1986, but I’m not interested in the newer waves of Apple products because they won’t last (& I can’t repair them) and their plastic shells will just be more debris in the pollution of our world.
beezecorp - crwdns2934203:0crwdne2934203:0
I’ve fixed Apple Computers on a mostly non-solder level for 30 yrs - It has become more difficult, I grant you that, but please quit the whining, those of you who have never owned an Apple. The whole experience, total sum of use, abuse and repair, is much more rewarding than that of PC/Windows. I own 13 yr old MacBook Pros, which run flawlessly with a modern OS (El Capitan). I have PowerPCs from 1998 and 1999, which are more than glorified typewriters, because a flock of enthusiast do upkeep on the software. I have an SE/30 from the late 80s, which is still running, non-recapped. All of my work for 30 yrs as well as that of millions of other enthusiasts have resulted in feedback to Apple, which has refined both programming, interface and hardware. Today’s Apple has forgotten that past. It is now a struggle to stay on top of people’s awareness, and in this fight every marginal comma counts. Apple is no longer the result of willing community, they are now the masters. They need to know our dislike of this.
kenneth krabat - crwdns2934203:0crwdne2934203:0
WTF are you talking about. Apple provides virtualized iOS via the iOS simulator. It isn’t in the browser, it’s still a virtual environment. What Corellium does is intelectual property theft. Apple doesn’t license iOS to be used in that way. Period.
Zeno Popovici - crwdns2934203:0crwdne2934203:0