Apple's iOS 'dishing out a lot of data behind our backs,' security researcher charges
Noted forensic scientist and iOS hacker Jonathan Zdziarski has uncovered a number of undocumented "backdoor" services in Apple's mobile operating system that he argues could be exploited by law enforcement agencies, the NSA, or other malicious actors to bypass encryption and siphon sensitive personal data from iOS devices.

Zdziarski -- an early member of iOS jailbreaking teams and author of the O'Reilly title Hacking and Securing iOS Applications -- presented his discoveries as part of a talk at the annual HOPE/X conference, a long-running hacking and development conference in New York. The slides from that talk were first noted by ZDNet.
In the talk, Zdziarski touches on a number of services that run in the background on iOS but that, he argues, serve no evident purpose for developers, Apple's engineering staff, or support personnel. Others are designed for the benefit of enterprise administrators, but are crafted in such a way that they could be used for nefarious purposes.
"Much of this data simply should never come off the phone, even during a backup," Zdziarski wrote in one slide, referring to the information made available by those background services.
One service, com.apple.pcapd, captures raw network packets (HTTP traffic included) flowing to and from the device via libpcap. The service is active on every iOS device, according to Zdziarski, and because it can be reached over Wi-Fi it could be used to monitor a user's traffic without their knowledge.

Zdziarski takes particular issue with the com.apple.mobile.file_relay service, which first appeared in iOS 2 but has been significantly expanded with successive releases. This service completely bypasses iOS backup encryption, he says, exposing a "forensic trove of intelligence" including the user's address book, CoreLocation logs, the clipboard, calendars, notes, and voicemails.
In one particularly striking example, Zdziarski says that an attacker could use this service to grab recent photos from a user's Twitter stream, their most recent timeline, their DM database, and authentication tokens that could be used "to spy on all future [Twitter] correspondence remotely."
Neither iTunes nor Xcode makes use of these hidden services, Zdziarski notes; the data is "in too raw a format" for Genius Bar use, and it cannot be restored to the device in any way, so it is not a backup mechanism either.

Zdziarski also panned some of Apple's enterprise-friendly features, including mobile device management options that could allow an attacker to load custom spyware onto a device by forging a security certificate. Zdziarski created a proof-of-concept spyware application for iOS in this way, he said, though Apple has since closed the loophole it used to collect data, by denying applications the ability to open socket connections to the device itself.
A few of these services have already been tapped by manufacturers of commercial forensic devices, Zdziarski says, including companies like Elcomsoft, AccessData, and Cellebrite. Cellebrite products are widely used by U.S. law enforcement agencies to extract the contents of mobile devices seized from suspects.
Apple's iOS security is "otherwise great," Zdziarski wrote, noting that Apple has "worked hard to make iOS devices reasonably secure against typical attackers."

Comments
I'd hate to be an Android owner, because the NSA pwns all of Android phones. And windoze
Apple is Awesome!
Apple's iOS security is "otherwise great," Zdziarski wrote, noting that Apple has "worked hard to make iOS devices reasonably secure against typical attackers."
You never know what jailbreak apps really do.
I want to see this guy demonstrate this function.
I'm so sick of people talking about what "could be happening" or that it's "possible". Quit talking out of your ass to make a name for yourself and show us a working, functioning exploit where you've successfully pulled data off a device. Like he claims forensics agencies are doing.
Otherwise STFU.
if you think Apple is bad you should look at Android cause Android is worse!
I'd hate to be an Android owner, because the NSA pwns all of Android phones. And windoze
Apple is Awesome!
NSA is turning out just like in the sci-fi movies such as Minority Report, Fifth Sense, etc. In the future no one will have any real privacy.
I want to see this guy demonstrate this function.
I'm so sick of people talking about what "could be happening" or that it's "possible". Quit talking out of your ass to make a name for yourself and show us a working, functioning exploit where you've successfully pulled data off a device. Like he claims forensics agencies are doing.
Otherwise STFU.
Zdziarski said the services could also be abused by ex-lovers, co-workers, or anyone else who is in possession of a computer that has ever been paired with an iPhone or iPad. From then on, the person has the ability to wirelessly monitor the device until it is wiped. He said he makes personal use of those features to keep tabs on his iPhone-using children.
"The forensic tools I've written for myself privately I use for parental monitoring where when I set the phone up I'll pair it with my desktop and then at any point in the future I can just easily scan the network, find my kids' devices and dump all their application data, see who they're talking to, and what they're doing online," he explained.
http://arstechnica.com/security/2014/07/undocumented-ios-functions-allow-monitoring-of-personal-data-expert-says/
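The abuse path quoted in the comment above starts with a pairing record left on a computer the device once trusted. The script below is an added example, not from the article, from Zdziarski's tools or from Apple: it inventories the pairing records a host holds so an investigator can see which devices that machine could still reach. It assumes the host-side locations and record keys listed in the docstring (how lockdownd pairing works, not something the page states), and the record it scans in demo mode is constructed.

```python
#!/usr/bin/env python3
"""Inventory the iOS pairing records a computer holds.

Added example, not code from the article or from Zdziarski. Assumed, from
how lockdownd pairing works rather than from the page:
  * macOS stores one record per device as /var/db/lockdown/<UDID>.plist,
    libimobiledevice on Linux as /var/lib/lockdown/<UDID>.plist;
  * a record is a plist dict with HostID, SystemBUID, the host's certificate
    and private key, the device certificate, an EscrowBag and, on newer iOS,
    the device's WiFiMACAddress.
Whoever can read such a record can talk to the device's lockdown services
again without a fresh "Trust This Computer?" prompt.
"""
import os
import plistlib
import sys
import tempfile
from xml.parsers.expat import ExpatError

LOCKDOWN_DIRS = ("/var/db/lockdown", "/var/lib/lockdown")

# Constructed sample record: fake UDID, dummy key material. Used by demo().
SAMPLE_UDID = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_RECORD = {
    "HostID": "6C2D1A4B-0000-4000-8000-000000000001",
    "SystemBUID": "E8A9F1C2-0000-4000-8000-000000000002",
    "HostCertificate": b"-----BEGIN CERTIFICATE-----\n(constructed)\n",
    "HostPrivateKey": b"-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n",
    "RootCertificate": b"(constructed)",
    "RootPrivateKey": b"(constructed)",
    "DeviceCertificate": b"(constructed)",
    "EscrowBag": b"\x00" * 16,
    "WiFiMACAddress": "02:00:00:aa:bb:cc",
}


def summarize_record(udid, record):
    """Reduce one pairing record to what an investigator needs.

    Returns None when the dict is not a pairing record (no HostID).
    """
    if not isinstance(record, dict) or "HostID" not in record:
        return None
    return {
        "udid": udid,
        "host_id": record["HostID"],
        "system_buid": record.get("SystemBUID"),
        # The Wi-Fi MAC lets the holder find the device on a LAN, as in the comment.
        "wifi_mac": record.get("WiFiMACAddress"),
        # With the host key pair present the record alone re-pairs silently.
        "usable_to_pair": "HostPrivateKey" in record and "HostCertificate" in record,
        "has_escrow_bag": "EscrowBag" in record,
    }


def parse_pairing_record(path):
    """Load a plist file and summarize it; None if it is not a pairing record."""
    with open(path, "rb") as fh:
        try:
            record = plistlib.load(fh)
        except (plistlib.InvalidFileException, ExpatError, ValueError):
            return None
    udid = os.path.splitext(os.path.basename(path))[0]
    return summarize_record(udid, record)


def scan_pairing_records(directory):
    """Summaries for every pairing record in directory, sorted by file name."""
    found = []
    for name in sorted(os.listdir(directory)):
        # SystemConfiguration.plist holds the host's own SystemBUID, not a pairing.
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue
        summary = parse_pairing_record(os.path.join(directory, name))
        if summary is not None:
            found.append(summary)
    return found


def demo():
    """Write the constructed sample record to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, SAMPLE_UDID + ".plist"), "wb") as fh:
            plistlib.dump(SAMPLE_RECORD, fh)
        with open(os.path.join(tmp, "SystemConfiguration.plist"), "wb") as fh:
            plistlib.dump({"SystemBUID": SAMPLE_RECORD["SystemBUID"]}, fh)
        with open(os.path.join(tmp, "junk.plist"), "wb") as fh:
            fh.write(b"not a plist at all")  # must be skipped, not crash
        return scan_pairing_records(tmp)


def main(argv):
    if "--demo" in argv:
        records = demo()
    else:
        dirs = argv[1:] or [d for d in LOCKDOWN_DIRS if os.path.isdir(d)]
        if not dirs:
            print("no lockdown directory found; pass a path or --demo", file=sys.stderr)
            return 1
        records = [r for d in dirs for r in scan_pairing_records(d)]
    for r in records:
        print(f"{r['udid']}  host={r['host_id']}  wifi={r['wifi_mac']}  "
              f"pairable={r['usable_to_pair']}  escrow={r['has_escrow_bag']}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with `sudo` against the real directory (the records are root-owned) or with `--demo` to see the constructed case. A record you do not recognise is the thing to act on: delete it on the host, and on the device use Settings > General > Reset > Reset Location & Privacy, which drops every existing trust so each computer has to be approved again.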
Go ahead NSA. I don't give a sht. I got nothing to hide.
if you think Apple is bad you should look at Android cause Android is worse!
I'd hate to be an Android owner, because the NSA pwns all of Android phones. And windoze
Apple is Awesome!
I would rather see iOS issues addressed, rather than people just saying "But Android is worse".
Go ahead NSA. I don't give a sht. I got nothing to hide.
Yeah, but it is none of their business either. They don't need to read the txt I send my wife.
He's read too many Daniel Eran Dilger articles. I avoid them like the plague.
Totally agree. He just wants his 15 minutes. I say to him demonstrate it so apple knows what to fix or so that users can take cautionary steps. Otherwise he's all hot air.
Go ahead NSA. I don't give a sht. I got nothing to hide.
You don't get to present at these conferences if you're an idiot. The standards for appearing there are fairly high.
The standard for posting comments on AI forums, not so much.
You should take your own advice (in bold above).
Keep in mind that people challenged the government in court for years about being spied on, only to be told "you can't prove it - go away"
Then Snowden revealed their immoral / illegal activity, now the cases are moving forward again.
It is difficult to get a man to understand something, when his salary depends upon his not understanding it - Upton Sinclair
I hope I will also be glad when the answers emerge!
It's always possible to improve.
Perhaps you should take a moment to peruse the slide deck linked in the article, where you will find several working examples.
Now, the real question, will Apple man up to this, acknowledging it in spite of their gag order from the NSA, and shut them out, or be a good little US corporate citizen and claim these reports are false and move along as if nothing happened? If they do the latter, they will lose a TREMENDOUS amount of credibility.
I sincerely hope Apple sets the example, stands up to the NSA, and expunges all code of this nature from their systems. Only time will tell.
It is possible to extract data from the phone, at least with physical possession. Apple provides that service to law enforcement, although there is an extremely long waiting list. If Apple has a back door then it is not impossible for others to figure out how to gain access as well.
http://www.cnet.com/news/apple-deluged-by-police-demands-to-decrypt-iphones/
I think this researcher is saying if you modify the firmware then the iPhone may be snooped. iOS update may change the firmware. But apps can not.
I rather he do it the way he has, then give the facts over to Apple R&D for them to remove the code and plug the leaks.