BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

Edit Story

This Super Stealth Startup Has Built An Apple Hacker's Paradise

Following
This article is more than 6 years old.

Amanda Gorton

Every benevolent hacker dreams of a space replete with software they can manipulate to make it do things it shouldn't. But oftentimes it's neither cheap nor easy to acquire and maintain all that tech, especially when you're trying to break it, risking its very usefulness. And in the world of Apple products, it's both a financial burden and a technical challenge to gather myriad iDevices and subsequently find vulnerabilities within; if they crash or die, it may mean repeated expensive trips to the Apple Store.

Now, though, there's an answer: Corellium. The software can spin up virtual iPhones and iPads, amongst other Apple systems, all running the latest iOS operating system. From there, hackers and software developers can try whatever they want on the device, whether that's looking for security weaknesses or just testing their apps on different Apple hardware and software. It's possible to pause, rewind and fast-forward everything that's done on the device too, whilst Corellium reveals the internal code to help hackers discover what went wrong (or right) when they started tinkering. It won't matter if the software crashes; you can just create a new virtual Apple device in 10 minutes.

Notable iOS hackers are already impressed. Mark Dowd, chief of Azimuth (recently revealed by Vice Motherboard to be an iOS exploit supplier for the U.S. government, amongst other clients), said in a tweet that it was " basically magic." That's one reason Azimuth became the first customer of Corellium. Nikias Bassen, another famous jailbreaker who was given early access to the tool, told Forbes: "This is an amazing thing." He was most impressed by the ability to hunt for bugs in the kernel (the deepest level of an operating system from which all other software are launched) of the latest iOS version without the need for a real device.

Meet the founders

Founded in Florida in August 2017, and coming out of stealth on Thursday, the founders include a husband and wife duo. The CEO is Amanda Gorton. A Yale classics graduate, she's driving the business forward as it recruits new customers, the first being Australian company Azimuth Security, which has a long history in finding weaknesses in iPhones. Gorton now finds herself a rarity: a female CEO in a cybersecurity industry dominated by men.

Chris Wade, one of the original iPhone jailbreakers and co-creator of iOS emulator iEmu, helped put together the company and the technology, though in the latter he had help from a number of sources. They include the third cofounder, David Wang, formerly of Azimuth and another Yale graduate, who's also a big name in the Apple jailbreaker community, having been part of the Evasi0n crew that repeatedly found security holes in iOS in the early 2010s. He'd previously previously ported Android and Linux onto the iPhone, so has experience in Corellium's wheelhouse. Meanwhile, Jay Freeman, the developer of the Cydia app store for jailbroken iPhones, has provided his Cyript tool that makes it possible to probe and modify iOS apps using a mix of Objective C++ and JavaScript, two widely-known programming languages. The original idea behind Cycript was to make hacking on iOS much more accessible, which chimes with what Corellium is all about.

This isn't Gorton and Wade's first rodeo in the iPhone virtualization space. They spun up a similar company, Virtual, in 2014, which quickly sold to Citrix later that year for an undisclosed fee.

The CHARM offensive

Virtual did much the same as Corellium, but there are some key differences. The former was only for the older 32-bit Apple devices, whilst Corellium was built to handle the latest 64-bit systems. 

Then there's the heart of the new technology: the Corellium Hypervisor for ARM (or what the founders have dubbed CHARM). Running across a host of ARM servers, CHARM controls the virtualized iOS devices (the real versions of which run on ARM chips) and ensures they're getting all the power they need. Whilst those servers don't have the peripherals of iDevices — like the camera, USB and Wi-Fi — Corellium emulates those. This means there are some limitations, though. For instance, the device can connect to Wi-Fi, but not to a cellular network.

In a demo for Forbes earlier in February, Gorton loaded up an iPhone 6 in a matter of minutes, a process that mimics an iTunes-style restore of a normal phone. As she toyed with the virtual iPhone, Gorton said the real benefit of the software was its ability to pause and inspect devices for validating bugs or other code issues.

Corellium

Whilst Apple provides an iPhone simulator, which allows developers to run iOS on PCs based on standard x86 chips, it's not a faithful representation of how iOS would behave on a real device, according to Wade. And that's where Corellium sees a big gap in the market.

"Testing on iOS devices currently is limited in that each physical device is locked to a particular firmware version, as Apple does not let anyone downgrade their devices," Wang told Forbes. "It's also a lengthy process to reset the device to a known state after each test. For a security researcher, physical devices are especially limited in how locked down mobile operating systems are. With virtualization, researchers can tinker with any part of the operating system as well as inspect and instrument it in ways that are very helpful. Best of all, they can do it without having to resort to jailbreaking the device."

Though the ability to mass test iPhones will likely be the biggest draw to Corellium, the software can spin up other iDevices, including Apple TV and the Apple Watch. It doesn't yet have the capability to run a virtual iPhone X, but Gorton said that would be coming in Spring.

Concerns around government use?

One possible concern about making Apple hacking that much quicker and simpler is that it could be used by governments to develop so-called zero-day exploits, which take advantage of unpatched software vulnerabilities to hack the host computer or smartphone. In some cases, those flaws are never disclosed to vendors, and so general users go unprotected.

Given the close relationship with Azimuth, is this a worry for Wang? "Honestly, not really. We will of course be selective in who we choose to do business with, but at the end of the day, we provide virtualization services. Yes, they are great for finding vulnerabilities and developing exploits, but so are other virtualization products like VMware. We see this as a tool that is broadly helpful to all developers working on mobile operating systems. It just so happens that the tool fills a particular shortcoming in the security community for mobile devices that desktop and server platforms already have covered." Wang also revealed that as a result of Corellium tests, the team had already disclosed some problems to Apple.

Corellium comes out of beta in March and will be private invite only.

Follow me on TwitterCheck out my websiteSend me a secure tip