> Journalists are not paid enough to buy disposable iPhones frequently.
If I were Apple, I'd give journalists all the "disposable" iPhones they need to swap them frequently for free.
My only condition would be to periodically inspect them for hacking activity, or have them specially instrumented to detect it. It would be a good way to ferret out state-actor zero days (or increase the security of the platform by making state-actors horde exploits even more jealously).
Apple could do it practically for free too, if it was something like "Any accredited journalist can trade their iPhone for a refurb at any Apple store at any time. We'd appreciate, but not require, some information about the general areas of stories you cover and any threats you're suspicious might be focused on you."
Eeeeh... except, if a journalist was enrolled in this program then Apple would (almost certainly) know which journalists were getting new phones and various three-letters could pressure Apple into loading targeted software into phones for specific journalists.
Also, this comment isn't intended to touch the question of Apple's trustworthiness so please don't wave downvote over that, I am merely stating that such a system would _really_ motivate three-letters to put an immense amount of pressure into compromising such a system (whether they did so with or without Apple's co-operation can remain untouched).
If the program were set up as above, such that any accredited journalist could walk into any Apple Store at any time and do the thing, the logistical challenges in having custom, pre-compromized phones on-hand everywhere ("Why aren't we just grabbing those from normal inventory? Isn't that weird?"), or having to bake a "Glenn Greenwald" image onto the phone when he walked in, would probably be noticed.
EDIT: What's to stop Mr. Greenwald from sending a buddy from an old job to swap a new device on his behalf?
Because they'd need to be an accredited journalist, and the presenting of any kind of proof to that end would be enough for three-letter agencies to wiggle their way into a compromise of the system - including the fact that glenn may send his old buddy frank in to collect his phone, so better give either one of them one of the tainted ones.
I misread the original proposal a bit and had assumed it'd be a mail-in-service, but with even determination the three-letter folks could probably leave spiked devices in the stores glenn would be likely to walk into. This is more reasonable but I still have reservations.
Keep in mind Glenn knows this too, so presumably would be somewhat wary of his "local" Apple Stores, and could instead choose to randomly drop into stores when travelling to unexpected and unannounced places.
It's not like _any_ journalist would trust this service at an Apple Store in Saudi Arabia, and probably not the UAE, Oman, or Qatar either. (Or may other countries.)
Being "not a perfect and universal solution" doesn't make it worthless. Snowden isn't about to stroll into Apple Store Moscow to take advantage of a refurbed iPhone. I suspect things would be different if Omar Abdulaziz could have dropped into Apple Store Toronto and swapped his Pegasus-infected phone over...
If it was set up well the journalist could have the exact new phone in hand disconnected from any wires that might flash it before announcing he was a journalist. I don't think there is a way with current technology to discretely have people or computers setup to recognize Greenwald (let alone all his friends) in a good percentage of Apple stores before the transaction is completed. Even if it is possible to identify Greenwald and friends before the transaction that access is probably only available to the actual NSA, not ex NSA employees.
On the other hand - you've now identified the phones for remote exploit. Also identifying which journalists are significant enough to be beneficiaries of this program is probably hard.
Speaking of "accredited journalist" and Glenn Greenwald, how does Glenn Greenwald demonstrate his accreditation to the Apple Store employees? What sort of documentation would Greenwald be asked to present that demonstrates to these Apple store employees that writing for The Intercept entitles him to eligibility in this program?
As far as I can tell, "journalist accreditation" has no objective meaning and is determined on an organization-by-organization basis using subjective standards. Here is the list of criteria the UN uses: https://www.un.org/en/media/accreditation/request.shtml
At first glance, Greenwald would seem to qualify by that standard, provided whoever was judging him were reasonable (by my personal standards) in judging criteria such as whether The Intercept is a "recognized media organization." However I also notice that some of the criteria listed on the page seem very restrictive and could quite possibly disqualify a lot of investigative journalists (requiring six publications per year, when that investigative journalist may be working on serious stories that take more time than that...)
I could imagine The Intercept (and many other news organisations) sending the cub reporter to the local Apple Store with a box of 50 factory-wiped iPhones once a month.
I wonder if Jamal Khashoggi and Omar Abdulaziz would evaluate (or "have evaluated", in the case of Jamal) the risk of "TLA's who have the power to coerce Apple" vs "Saudi Security and Royal Family"?
You are right, in that this is adding an extra organisation you need to trust (although if you're carrying an iPhone you've already surrendered a significant amount of trust to Apple and their ability to resist TLAs).
A possible workaround might be to make the bar of "accredited journalists" super low (perhaps "anyone who's ever had a published byline in anything accepted as an original source by Wikipedia", and push it super publicly, so pretty much every journalist from cutting edge human rights activist/journalists down to the cub reporter on University newspapers is swapping their phone for refurbs every 3 months...
Now that you have dropped the barrier, what requirements are you setting for the device? What if its damaged? How damaged is too damaged? Should they accept damaged devices in exchange for other damaged devices?
> The Apple store becomes a failure point in this. A state actor could turn a low paid store worker to switch out phones of journalists coming in.
Not necessarily, the journalist could go to a random store and the process could be setup as an exception to a normal purchase flow, so the journalist only needs to identify themselves after the phone has been removed from stock (and any effort to swap it would be super suspicious).
If it’s a targeted attack, I’m sure the turned employee would know who they’re looking for. I don’t think it’d normally be a random, let’s get anyone kind of thing.
> If it’s a targeted attack, I’m sure the turned employee would know who they’re looking for. I don’t think it’d normally be a random, let’s get anyone kind of thing.
You missed a key point.
Having a turned employee is only helpful if the person you're targeting goes to that person, but the whole point of the process I outlined was to make it too difficult to predict or control which employee the targeted person would interact with, which makes turning employees impractical (since you'd have to turn so many to have a reasonable chance of success that you'd probably just reveal your attack instead).
If I were Apple, I'd give journalists all the "disposable" iPhones they need to swap them frequently for free.
My only condition would be to periodically inspect them for hacking activity, or have them specially instrumented to detect it. It would be a good way to ferret out state-actor zero days (or increase the security of the platform by making state-actors horde exploits even more jealously).