Apple’s Copyright Lawsuit Has Created a ‘Chilling Effect’ on Security Research

Security researchers are scared to buy, use, or even talk about the controversial iPhone emulation software Corellium, whose makers are in a legal battle with Apple.
May 5, 2020, 1:46pm
Prototype iPhones
Image: Giulio Zompetti

Last year, Apple accused a cybersecurity startup based in Florida of infringing its copyright by developing and selling software that allows customers to create virtual iPhone replicas. Critics have called the Apple's lawsuit against the company, called Corellium, “dangerous” as it may shape how security researchers and software makers can tinker with Apple’s products and code.

The lawsuit, however, has already produced a tangible outcome: very few people, especially current and former customers and users, want to talk about Corellium, which sells the eponymous software that virtualizes iPhones and Android devices. During the lawsuit's proceedings, Apple has sought information from companies that have used the tool, which emulates iOS on a computer, allowing researchers to probe potential iPhone vulnerabilities in a forgiving and easy-to-use environment.

“Apple has created a chilling effect,” a security researcher familiar with Corellium's product, who asked to remain anonymous because he wasn’t allowed to talk to the press, told Motherboard.

“Apple has created a chilling effect.”

“I don’t know if they intended it but when they name individuals at companies that have spoken in favor [of Corellium], I definitely believe retribution is possible,” the researcher added, referring to Apple’s subpoena to the spanish finance giant Santander Bank, which named an employee who had Tweeted about Corellium.

Several other cybersecurity researchers expressed fear of retribution from Apple for using Corellium.

A security researcher, who specializes in offensive security and asked to remain anonymous, said that he would definitely “have legal look into it beforehand if I needed [Corellium’s] stuff,” arguing that he’d be wary of Apple getting involved.

Three other researchers who specialize in hacking Apple software declined to comment citing the risk of some sort of retaliation from Apple.

Ivan Rodriguez, a security researcher who tried Corellium for free in the past, said that he “would have to get some legal advice before” purchasing it.

Do you work at Corellium? Or have you used Corellium for your work? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com

In January, Apple subpoenaed the defense contractor L3Harris and Santander Bank, requesting information on how they use Corellium, all communications they've had with the startup, internal communications about their products, and any contracts they've signed with the company, among other information.

Mark Dowd, the founder of Azimuth Security, a cybersecurity startup that specializes in developing hacking tools for governments that’s now part of L3Harris, said last year that he couldn’t comment about Corellium “because [Apple] mention[ed] us in the original filing.” (Dowd did not respond to a request for comment this week.)

Apple declined to comment and referred to its court filings against Corellium. In one of them, Apple wrote that “the purpose of this lawsuit is not to encumber good-faith security research, but to bring an end to Corellium’s unlawful commercialization of Apple’s valuable copyrighted works.”

Corellium obviously disagrees.

“This litigation presents an existential threat to an open and healthy security research community not only for Apple products but for consumer devices in general,” the company said in a statement sent by its lawyer. “Apple is using its lawsuit against Corellium to force a dangerous expansion of its dominance, including its ability to pick and choose who performs research and how.”

Some researchers, however, are not afraid of Apple. Elias Naur uses Corellium to test code written in the Go language for mobile operating systems. Before Corellium, Naur said he had to test code on two busted old phones plugged in under his couch. Naur said he’s “not worried Apple will come after Corellium’s customers” and is still using the software.

“Apple v Corellium isn't about jailbreaking, it's about Apple wanting control over Apple research and the bugs that come with it.”

According to cybersecurity experts, Apple legal battle against Corellium is not really about copyright, but trying to control and restrain researchers and companies that develop hacking tools to break into Apple devices, which make up a profitable and ballooning market.

“Apple v Corellium isn't about jailbreaking, it's about Apple wanting control over Apple research and the bugs that come with it,” Marcus Hutchins, a security researcher best known as MalwareTech, said on Twitter. “Their intention is probably to prevent researchers selling bugs to brokers, but you'd be insane to think they'd sanction jailbreaking either.”

In its legal defense, Corellium has argued that its products help researchers find vulnerabilities and ultimately help Apple make safer devices.

On April 20, Apple revealed in a filing that it asked Chris Wade, Corellium’s founder, for all documents and communications relating to him obtaining dev-fused iPhones. As Motherboard reported last year, dev-fused or prototype iPhones are special Apple devices in early stages of development that allow researchers to more easily hack and analyze iOS, as they have some security features disabled. These are “highly confidential” iPhones that “are intended for Apple’s internal testing and development purposes only,” Apple lawyers wrote in the filing.

According to multiple sources who spoke to Motherboard last year, Wade was among several researchers that acquired dev-fused iPhones. Wade has denied this claim.

In this David v. Goliath battle, as Forbes called it, many people are choosing to stay away from David even before seeing who wins.

Subscribe to our new cybersecurity podcast, CYBER.