Forensic scientist and author Jonathan Zdziarski has revealed backdoors, attack points and surveillance mechanisms built into iOS devices.
Speaking at the Hackers On Planet Earth (HOPE/X) conference in New York, Jonathan Zdziarski basically shot down Apple’s claims about security and its efforts to safeguard iOS devices from police and government snooping.
Zdziarski, better known as the hacker "NerveGas" in the iPhone development community, worked as a dev team member on many of the early iOS jailbreaks, and is the author of five iOS-related O’Reilly books including "Hacking and Securing iOS Applications."
In his talk, Zdziarski revealed "a number of undocumented high-value forensic services running on every iOS device" and "suspicious design omissions in iOS that make collection easier."
He also provided examples of forensic artefacts that were acquired from devices and that "should never come off the device" without user consent.
These undocumented iOS services exposed by Zdziarski (such as "lockdownd," "pcapd" and "mobile.file_relay") can bypass encrypted backups and be accessed via USB, Wi-Fi and "maybe cellular."
What's most suspicious about the undocumented services (and the data they collect) is that they're not referenced in any Apple software, the data is personal in nature (and thus unlikely to be for debugging), and it is stored in raw format, making it impossible to restore to the device.
Zdziarski does say that the iPhone is "reasonably secure" to a typical attacker and newer devices are generally more secure from everybody… everybody except Apple and the government.
He noted that Apple has "worked hard to ensure that it can access data on end-user devices on behalf of law enforcement", and he links to Apple's Law Enforcement Process Guidelines, which spell this out in a fairly chilling way.
Apple’s Law Enforcement Process Guidelines make it pretty clear that Apple is storing all sorts of information about users, and Section III ‘Information Available From Apple’ almost seems like a menu of various items they will provide law enforcement or government agencies (with the proper warrants, subpoenas, etc).
The list includes such items as device registration information, customer service records, iTunes information, retail store transactions, online purchases, gift card purchases, just about anything stored on Apple’s iCloud service (including subscriber information, mail logs, emails, photos, documents, contacts, calendars, bookmarks and iOS device backups). And they can provide some Find My iPhone data.
Finally, when it comes to iOS devices, Apple admits that it can indeed extract quite a bit of data from passcode-locked devices.
The list is pretty scary all by itself, and you can see that in many cases, if they can’t get the data from one place, they can easily get it from another. For example, they may not be able to pull emails from an iPhone, but they can access the ‘auto correct’ data, so if you used your iPad or iPhone to compose an email message, the original keystrokes (and the corrected misspellings) are available; or, if you stored the emails on iCloud, they are there.
Zdziarski concluded his talk with two slides. The first is a list of questions for Apple (apparently he has already asked them but never got an answer).
And finally he points out that Apple may have added many conveniences for enterprises but these backdoors provide, as he puts it, “tasty attack points for .gov and criminals.”
This is fairly disturbing information and it’s not going to make it any easier for Apple to sell products overseas or to large corporations – two areas that have been highlighted in recent weeks. I guess that the Chinese news services were right after all when they said that iPhones could be a threat to national security.
You can find Jonathan Zdziarski’s slides from his talk in PDF format here.