An image from Apple's lawsuit shows a real iPhone X and Corellium's service running a virtual iPhone X.

Apple

Apple has expanded a lawsuit against an iOS virtualization company, claiming that its actions facilitate jailbreaking and violate the Digital Millennium Copyright Act's (DMCA) prohibition on circumvention of copyright protection systems.

Apple sued Corellium, a company that sells access to virtual machines that run copies of the operating system used on iPhones and iPads, in August 2019. We detailed the initial accusations in a previous article; Apple said Corellium sells "perfect replicas" of iOS without an Apple license and markets its software as "a research tool for those trying to discover security vulnerabilities and other defects in Apple software." But instead of helping security research in good faith, Corellium "encourages its users to sell any information discovered in the open market to the highest bidder," Apple said.

The first version of Apple's lawsuit accused Corellium of copyright infringement. A new version filed on December 27 alleges both copyright infringement and "illegal trafficking of a product used to circumvent security measures in violation of 17 U.S.C. § 1201," a statute that is part of the DMCA. Apple argued that Corellium gives users the ability to jailbreak iOS for benign or malicious purposes.

Apple "demonizes" the jailbreak, says Corellium

Corellium's executive director, Amanda Gorton, responded to the recently expanded allegations in a blog post, writing that "Apple's latest presentation against Corellium should give all security researchers, application developers and jailbreakers reasons to worry."

Corellium is "deeply disappointed by Apple's persistent jailbreak demonization," and Gorton wrote that "developers and researchers rely on jailbreak to test the security of their own applications and third parties." Apple's presentation, according to Corellium, essentially "state[s] that anyone who provides a tool that allows other people to jailbreak, and anyone who helps create such a tool, is violating the DMCA."

Apple, Gorton wrote, "is using this case as a test balloon at a new angle to take strong measures against jailbreak" and "is looking to set a precedent to eliminate public jailbreaks."

The case is in the United States District Court for the Southern District of Florida.

Jailbreaking smartphones and tablets such as iPhones and iPads is allowed in the US due to a DMCA exemption granted by the US Copyright Office (a division of the Library of Congress).

The Copyright Office says that the DMCA exemption for jailbroken phones and tablets is intended to "allow the device to interoperate or eliminate software applications." There is also a DMCA exemption for security research on all types of devices. But to qualify for the security exemption, it must be a "good faith security investigation" that is conducted in an environment designed to avoid any harm to people or the public.

The Electronic Frontier Foundation describes DMCA exemptions in general as "too narrow and too complex for most technology users."

Apple says Corellium circumvents encryption and hardware checks

Apple argues that Corellium's alleged DMCA violations allow both Apple copyright violations and the spread of security vulnerabilities.

Apple's updated lawsuit states that iOS uses "technology protection measures that control access and protect Apple's exclusive rights in its software," such as "measures that prevent iOS and iTunes from being installed on hardware not manufactured by Apple." Apple said iOS also has "software restrictions that prevent unrestricted access to the operating system," for example, "prevent a user from modifying the operating system."

Corellium violates Apple's rights by "enabling its users to bypass the security protections that Apple has implemented to protect its copyrighted works and its exclusive rights in those works," says Apple's updated lawsuit.

Apple claims that the sale of Corellium's iOS replicas without Apple's authorization amounts to "traffic in technologies, products or services" designed to circumvent or eliminate technological measures that control access to Apple's copyrighted works, in violation of Section 1201. Those Apple technology measures "include encryption, hardware checks and server checks that prevent iOS from being installed and running on hardware not authorized by Apple, and prevent unrestricted access to the iOS operating system."

While Apple accused Corellium of facilitating jailbreaking, the alleged jailbreaking is of virtual iOS devices and not of physical iPhones and iPads. Apple wrote:

The Apple Corellium product also gives users the ability to "jailbreak" virtual iOS devices. The jailbreak refers to the act of modifying iOS to bypass software restrictions that prevent unrestricted access to the operating system. Corellium openly markets its technology's ability to "jailbreak … any version" of iOS. Corellium offers its jailbreak technology to all its customers, regardless of their purpose.

Apple also said that the Corellium product "makes modifications to iOS that allow its installation and execution from hardware developed by Corellium or operated by Corellium. Such modifications include the deactivation of the validation of loadable firmware, the deactivation of the FIPS self-verification (Federal Information Standard Processing Module), which adds Corellium software to the 'trusted cache' and instructs the restore tool not to contact Apple servers for core/tree signature of devices/firmware."

Apple: Corellium doesn't care about security

While Corellium argues that its software helps companies identify iOS errors in order to improve the product and protect users, Apple claims that Corellium "makes no effort to limit the use of its product to research and testing in good faith of iOS."

Apple cited a Motherboard article describing Azimuth Security as the first Corellium client. Apple wrote:

The Motherboard article reported that Azimuth sells a range of tools that exploit software failures. According to reports, Azimuth clients include foreign governments, including foreign intelligence agencies. And when a journalist recently asked Azimuth founder Mark Dowd if Azimuth had ever reported an error found using Corellium to Apple, he answered "no." Contrary to its high rhetoric, Corellium, in fact, sells Apple's technology and the ability to bypass the security measures built into that technology for its own benefit, and makes no effort to ensure that its customers dedicate themselves exclusively to the security investigation in good faith.

The founder of iFixit, Kyle Wiens, who has testified before the US Copyright Office in support of legalized jailbreaking in order to fix products, wrote yesterday that Apple's complaint is "a dangerous DMCA lawsuit." If Apple wins, "the damage will reverberate beyond the security community and in the world of repair and maintenance," Wiens wrote.

Corellium has not yet filed its response to Apple's expanded complaint in court, but the company promised a strong fight. "We are prepared to defend ourselves strongly against this attack, and we hope to share our formal response to this claim when we present it in court," Gorton wrote.

As for the most direct copyright allegation that Corellium sells replicas of iOS without an Apple license, a response from Corellium in October stated that "Apple implicitly, directly or indirectly, authorized, consented or agreed to the allegedly infringing use by Corellium of the Works of Apple." Corellium wrote that Apple "knew Corellium technology for several years" and "encouraged its development."

"During this time, Apple approved that Corellium participate in its Security Reward Program by invitation only ('error reward program') with the promise to pay for software errors identified by Corellium. While Apple gladly accepted and used the errors sent by Corellium as part of this program, it broke its promise to pay for them," Corellium wrote. Apple finally "announced its own competing product and shortly after sued Corellium," the response said.

Corellium also said that "it has made fair use par excellence of Apple technology."

"Corellium technology is highly transformative because it not only replicates Apple products for the same purposes for which the products were developed. Instead, Corellium technology uses parts of Apple technology for completely different purposes, which provide socially significant benefits," wrote Corellium.

Instead of using or replicating iOS, Corellium said it "uses its own proprietary software to facilitate the execution of iOS on different hardware."