
Several backdoors included on every iOS device, researcher says [U]
NewsPoster
MacNN Staff
Join Date: Jul 2012
Jul 21, 2014, 11:35 AM
 
[Updated with rebuttal from Apple] Apple's iOS platform contains several backdoors that may allow for Apple and/or governments to collect private data, according to a forensic scientist, Jonathan Zdziarski. Presenting at the recent Hackers On Planet Earth (HOPE/X) conference, Zdziarski said that there are several conspicuous design gaps -- and some deliberately-included forensic services -- that make it possible to extract data using forensic tools. The services have names such as "lockdownd," "pcapd," and "mobile.file_relay."

These can bypass backup encryption measures, and be exploited via USB and Wi-Fi, and possibly over cellular networks as well. They aren't publicly documented by Apple, and Zdziarski notes that they don't appear to be carrier or developer functions, since they can reach personal content that would be unnecessary for troubleshooting apps or networks.

"I am not suggesting some grand conspiracy; there are, however, some services running in iOS that shouldn't be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer," the analyst comments. "I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices. At the same time, this is not a zero day and not some widespread security emergency. My paranoia level is tweaked, but not going crazy. My hope is that Apple will correct the problem. Nothing less, nothing more. I want these services off my phone. They don't belong there."

Despite attempts to assuage fears, Zdziarski says that forensic software firms like Cellebrite and Elcomsoft are already using the backdoors to extract data requested by law enforcement agencies. Unmentioned is whether organizations like the National Security Agency might be collecting data, but in December of last year, a leaked 2008 document revealed that the NSA already had near-total access to iPhone data if it could get its hands on a device, and was working on remote access.

Zdziarski encourages people worried about privacy to set a complex passcode, and use Apple's Configurator tool to set up mobile device management restrictions, as well as pair locking, which will delete pairing records. This blocks direct third-party data intrusions, but not those in which Apple collects the data first.

[Update] Apple has quickly responded to the charges, denying any activities inferred by Zdziarski and explaining steps that are taken to ensure customer data privacy. It was equally quick to refute and explain concerns about location privacy raised by Chinese government-run media outlets in a manufactured controversy last week.

"We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues," the company said in a statement given to the Financial Times but not yet fully published. "A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent."

The statement from Apple also again reiterates that it has never worked with any government agency to create a "backdoor" in any consumer product or service. Some of the "flaws" Zdziarski raised in his presentation are based on flaws in the security certificate system (not developed by Apple) that can allow hackers to forge valid certificates and obtain information. Several web and tech companies have had to deal with such issues, including Apple, Google and most recently Microsoft.
( Last edited by NewsPoster; Jul 22, 2014 at 08:35 AM. )
     
hayesk
Guest
Jul 21, 2014, 12:09 PM
 
"some services running in iOS that shouldn't be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer,"

Uhm... if I make a backup it should copy all of my personal data. And it likely bypasses encryption because iTunes has a "make encrypted backups" option that lets you turn it off or set a different password on the backup. It has to bypass the encryption.

But if this can be exploited through third parties, put up or shut up. Until then, I can only conclude this is another security "researcher" looking for free publicity.
     
Grendelmon
Senior User
Join Date: Dec 2007
Location: Too F'ing Cold, USA
Jul 21, 2014, 12:52 PM
 
Originally Posted by hayesk
Uhm... if I make a backup it should copy all of my personal data. And it likely bypasses encryption because iTunes has a "make encrypted backups" option that lets you turn it off or set a different password on the backup. It has to bypass the encryption.

But if this can be exploited through third parties, put up or shut up. Until then, I can only conclude this is another security "researcher" looking for free publicity.
...says the armchair software security expert.
     
chimaera
Dedicated MacNNer
Join Date: Apr 2007
Jul 21, 2014, 01:21 PM
 
Originally Posted by hayesk
Uhm... if I make a backup it should copy all of my personal data. And it likely bypasses encryption because iTunes has a "make encrypted backups" option that lets you turn it off or set a different password on the backup. It has to bypass the encryption.
Backups do not need to bypass encryption. They can back up the encrypted files, intact. Where you still need the password to decrypt the backups.
     
BLAZE_MkIV
Professional Poster
Join Date: Feb 2000
Location: Nashua NH, USA
Jul 21, 2014, 02:57 PM
 
But he explicitly mentioned that it lets you back them up with a different password. Therefore it needs to decrypt and re-encrypt them. Since you have to trust the machine you're storing them on, the easiest way to do this is have the phone that knows 1 password decrypt them and target machine encrypt them. It sounds like they are tricking the phone into thinking it's talking to an authorized iTunes and running a backup. And then labeling the non-public API that Apple has to do that a back door.

The part of that quote that surprises me is that even with physical access to the device the NSA doesn't have 100% access.
     
davoud
Junior Member
Join Date: Jan 2005
Location: Maryland
Jul 21, 2014, 07:22 PM
 
He said, he said, he said. Did he provide convincing evidence? Any evidence at all?
     
OkieDoc
Fresh-Faced Recruit
Join Date: Aug 2001
Jul 21, 2014, 08:22 PM
 
Speaking of security issues and getting hacked:
Does anyone know how to get rid of these freaking "adchoice" popup ads on here? The ones with the double-underline-in-green?
     
Charles Martin
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Jul 21, 2014, 08:26 PM
 
Apple's been pretty pro-active about its security, so perhaps it will address this directly. Someone shoot Tim an email on the topic.

In the meantime, I'd be VERY interested to hear what this guy has to say about Android by comparison. I suspect we'd find out pretty quick if he's a paid shill or a legitimate researcher, but his silence on the topic of the "world's leading" mobile platform seems very odd at the moment.
Charles Martin
MacNN Editor
     
BLAZE_MkIV
Professional Poster
Join Date: Feb 2000
Location: Nashua NH, USA
Jul 21, 2014, 09:27 PM
 
Looks like if he's a shill he's paying himself. He only does iOS. I'd be more likely to classify him as a fear mongerer trying to drum up business.
     
Grendelmon
Senior User
Join Date: Dec 2007
Location: Too F'ing Cold, USA
Jul 22, 2014, 10:41 AM
 
The comments in this article don't surprise me at all. I mean, seriously... at all.
     
machobbes
Fresh-Faced Recruit
Join Date: Feb 2009
Jul 22, 2014, 01:18 PM
 
As far as I can tell from quickly checking some links,
this guy is a serious researcher, who is not vying for attention.
He is doing his work and writing about it.
     
chimaera
Dedicated MacNNer
Join Date: Apr 2007
Jul 22, 2014, 01:25 PM
 
I'd like to see a more technical response from Apple. Documentation for those three mystery APIs for example, and why they need to be running on production devices. Instead of being part of the developer configuration.
     
Grendelmon
Senior User
Join Date: Dec 2007
Location: Too F'ing Cold, USA
Jul 22, 2014, 02:32 PM
 
http://arstechnica.com/security/2014/07/undocumented-ios-functions-allow-monitoring-of-personal-data-expert-says/
     
BLAZE_MkIV
Professional Poster
Join Date: Feb 2000
Location: Nashua NH, USA
Jul 22, 2014, 05:22 PM
 
It's exactly what I thought. He contradicts himself in his own statement.

available to anyone who has access to a computer, alarm clock, or other device that has ever been paired with a targeted device.
Zdziarski said the service that raises the most concern is known as com.apple.mobile.file_relay....all without requiring a backup password to be entered
So once they break into your house and take the pairing keys off your computer they can use the wireless backup mechanism to trick your phone into backing up to them instead of your computer. Anyone surprised by this?
     
chimaera
Dedicated MacNNer
Join Date: Apr 2007
Jul 22, 2014, 08:22 PM
 
Yes. If your wall charger suddenly orders a decrypted backup of personal files, the phone should prompt the user. For a password, and for the unexpected data request. Simply complying, and decrypting personal data, is a major security breach.

*Any* new source asking for files backup should force a prompt and password the first time.
     
BLAZE_MkIV
Professional Poster
Join Date: Feb 2000
Location: Nashua NH, USA
Jul 22, 2014, 11:23 PM
 
It already does. You have to unlock the phone to get to the "Do you trust this device" prompt.
     