Apple’s lawsuit against security startup Corellium partially thrown out

Corellium, a security research firm sued by Apple, has won a major legal victory against the iPhone maker.

In a ruling that has wide-reaching implications for iPhone security research and copyright law, a federal judge in Florida threw out Apple’s claims that Corellium had violated copyright law with its software, which helps security researchers find bugs and security holes on Apple’s products.

Corellium, co-founded in 2017 by husband and wife Amanda Gorton and Chris Wade, was a breakthrough in security research because it gave its customers the ability to run “virtual” iPhones on desktop computers. Corellium’s software makes it unnecessary to use physical iPhones that contain specialized software to poke and prod iOS, Apple’s mobile operating system.

The judge in the case ruled that Corellium’s creation of virtual iPhones was not a copyright violation, in part because it was designed to help improve the security for all iPhone users. Corellium wasn’t creating a competing product for consumers. Rather, it was a research tool for a comparatively small number of customers.

David L. Hecht, founder of law firm Hecht Partners and co-counsel for Corellium, said in a statement: “We are very pleased with the Court’s ruling on fair use and are proud of the strength and resolve that our clients at Corellium have displayed in this important battle. The Court affirmed the strong balance that fair use provides against the reach of copyright protection into other markets, which is a huge win for the security research industry in particular.”

Apple did not immediately respond to a request for comment. In the lawsuit, Apple argued that Corellium’s products could be dangerous if they fall into the wrong hands because security flaws discovered by Corellium could be used to hack iPhones. Apple also argued that Corellium sells its product indiscriminately, a claim Corellium denied.

Judge Rodney Smith called Apple’s argument on those claims “Puzzling, if not disingenuous.” Smith found that Corellium used a vetting process before selling its products to customers.

Apple initially attempted to acquire Corellium in 2018, according to court records. When the acquisition talks stalled, Apple sued Corellium last year, claiming its virtual iPhones, which contain only the bare-bones functions necessary for security research, constitute a violation of copyright law. Apple also alleged Corellium circumvented Apple’s security measures to create the software, thereby violating the Digital Millennium Copyright Act. That claim has not been thrown out.

“Weighing all the necessary factors, the Court finds that Corellium has met its burden of establishing fair use,” Smith wrote in Tuesday’s order. “Thus, its use of iOS in connection with the Corellium Product is permissible.”

Companies such as Apple have typically prevailed in similar copyright cases in the past, and the ruling came as a surprise to some attorneys.

Still, over the past year tech giants have been facing tougher scrutiny as regulators and lawmakers probe the industry’s behavior. The chief executives of Google, Facebook, Apple and Amazon have faced questions about anticompetitive behavior before Congress, and Google and Facebook have faced charges by regulators and states on those grounds.

Apple, in its defense, has said that user security and privacy are its paramount concerns.

Many in the security community praised the Florida judge’s decision.

“This is a major victory for security researchers looking to make Apple devices more safe for the world,” said Will Strafach, a security researcher. “This is a very positive signal demonstrating that it may not be so easy for Apple to try to bully those who do things that Apple does not approve of.”

Apple’s approach to iPhone security has long been criticized by some researchers, who believe the firm is too protective of its software. The iOS operating system prevents researchers from peering under the hood to look for bugs and other vulnerabilities without first opening up the phone with special tools.

In the early years of the iPhone, it was easier to bypass Apple’s restrictions. Now, the tools to crack open iOS are tightly guarded by researchers.

Matthew Green, an associate professor of computer science at Johns Hopkins University, said much of the security research happening on iOS is done by entities that are well-funded and have the time and resources to get around Apple’s restrictions. “Those people tend not to be the good guys,” he said, referring to shadowy companies that sell cyberweapons to the highest bidder. He said tools such as Corellium “are what lowers the bar and allows smaller companies and potentially good guys to get into Apple product so they can do their work.”

Green pointed to nonprofits such as Citizen Lab, which aids journalists and others targeted by such groups. Citizen Lab recently uncovered a suspected attack on iPhones belonging to Al Jazeera journalists.
Green said he was happy that Corellium defeated Apple’s copyright claim because copyright law, he said, can be used by large companies to “stifle” security research.

Still, Dan Guido, CEO of security firm Trail of Bits, which helps high-profile individuals and companies protect themselves from targeted iPhone attacks, questioned whether tools such as Corellium could really improve the security of iPhones. While Corellium might help researchers find bugs, “There’s no number of bugs Apple can fix to clean the floor of all of them. Being secure requires a longer-term strategy.”

If anything, Guido said, Corellium could be a tool to “change public perception” and pressure companies into doing more security research.

Alexander Urbelis, a partner at the Blackstone Law Group in New York, said Tuesday’s court decision could lead to more innovation in cybersecurity research.

“This ruling makes it possible for cybersecurity researchers to virtualize and test distinct components of third-party software for security vulnerabilities, which is something that has been lacking in the security community in part because of the fear of legal liability,” he said. For instance, Urbelis, who was once acting chief security officer for the NFL, said “unfettered vulnerability hunting” could help stop big “supply chain” hacks such as the one that affected Solar Winds. That recently discovered hack allegedly gave Russian hackers access to a vast trove of U.S. government data. Washington Post