
Your iPhone May Be Rigged to Spy on You

Tech Media Network (Tom's Guide). By Tom's Guide / Jill Scharr


NEW YORK — iOS forensic examiner Jonathan Zdziarski may know more about iPhones than any other non-Apple employee. Yet even he can't find a reason for some of the mystery features buried within the iOS operating system, which look an awful lot like security backdoors that bypass user-designated data protections.

The features could be there to let Apple — or even the National Security Agency or the FBI — get access to most of your iOS device's data without you knowing it.


In a presentation Friday (July 18) at the HOPE X hacker conference here, Zdziarski detailed his discoveries about the data-collection tools hidden on iOS devices. Some tools are listed by name, yet not explained, in the Apple developer manual and do far more than advertised. Others are undocumented and buried deep within the iOS code.

The hidden features may partly explain allegations, based on documents leaked in the Snowden archive, in the German newsmagazine Der Spiegel that the NSA has had the ability to access data on BlackBerrys and Android and iOS devices. Der Spiegel did not detail how the NSA would do so.

The undocumented features can be accessed by any PC or Mac to which a targeted iOS device has been connected via USB, Zdziarski says. Some hidden features can also be accessed via Wi-Fi while the phone is at rest, or even while the owner is using it.

Zdziarski is certain that these mechanisms, whatever their purpose, are no accident. He has seen them become more complex, and they seem to get as much maintenance and attention as iOS's advertised features. Even as Apple adds new security features, the company may be adding ways to circumvent them.

"I am not suggesting some grand conspiracy," Zdziarski clarified in a blog post after his HOPE X talk. "There are, however, some services running in iOS that shouldn't be there, that were intentionally added by Apple as part of the firmware and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer."

"My hope is that Apple will correct the problem," he added in the blog posting. "Nothing less, nothing more. I want these services off my phone. They don't belong there."

Apple has not yet responded to a request for comment.

The keys to the kingdom

How would someone connect to these mechanisms on an iPhone? Zdziarski explained the trick has to do with iOS "pairing." When an iOS device connects to a PC or a Mac via USB, the mobile device and the computer exchange security certificates that establish a trusted relationship between the two, and exchange encryption keys for setting up an encrypted SSL channel.

The keys and certificates are stored on the iOS device and on the desktop, and never deleted unless the iOS device is wiped (via the "Erase All Contents and Settings" feature) or the desktop is restored to factory settings. In most cases, this pairing relationship is established automatically as soon as the devices are connected.

The first step in spying on an iOS device is to get that pairing data. A targeted iPhone could be covertly connected to a computer without the owner's knowledge (sort of the James Bond approach). Or spyware could be installed on the targeted person's desktop, and the pairing data copied.
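Because the pairing records on the desktop are the "keys to the kingdom" described above and persist indefinitely, a defender's first question is which records a given computer is holding and how old they are. The following audit script is an added example, not code from the article or from Zdziarski; it assumes (from libimobiledevice documentation, not from the article) that lockdown pairing records are property lists named by device UDID under `/var/db/lockdown` on macOS and `C:\ProgramData\Apple\Lockdown` on Windows, and that each carries fields such as `HostID`, `HostCertificate`, `HostPrivateKey` and `DeviceCertificate`. It also builds a constructed sample record in a temporary directory so it runs offline.

```python
"""Audit iOS pairing records stored on a desktop host.

Assumption (not from the article): lockdown pairing records are plists named
<UDID>.plist under /var/db/lockdown (macOS) or C:\\ProgramData\\Apple\\Lockdown
(Windows), each carrying the host certificates, the host private key and a
HostID. Whoever holds one of these files holds the pairing data the article
describes, so a defender wants to know which records exist and how old they are.
"""
import os
import plistlib
import tempfile
import time

# Default record directories per platform (assumption, see module docstring).
DEFAULT_RECORD_DIRS = [
    "/var/db/lockdown",
    r"C:\ProgramData\Apple\Lockdown",
]

# Any of these keys marks a plist as a pairing record; all are sensitive.
RECORD_KEYS = ("HostID", "HostCertificate", "HostPrivateKey", "DeviceCertificate")


def audit_pairing_records(directory, max_age_days=90, now=None):
    """Return one dict per pairing record found under `directory`.

    Each entry reports the UDID (file stem), HostID, WiFiMACAddress if present,
    the record's age in days, and whether it is older than `max_age_days`.
    """
    now = time.time() if now is None else now
    results = []
    if not os.path.isdir(directory):
        return results
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                record = plistlib.load(fh)
        except (plistlib.InvalidFileException, OSError):
            continue  # unreadable or not a plist: skip it
        if not isinstance(record, dict) or not any(k in record for k in RECORD_KEYS):
            continue  # e.g. SystemConfiguration.plist lives here too; not a pairing record
        age_days = (now - os.path.getmtime(path)) / 86400.0
        results.append({
            "udid": name[: -len(".plist")],
            "host_id": record.get("HostID"),
            "wifi_mac": record.get("WiFiMACAddress"),
            "age_days": round(age_days, 1),
            "stale": age_days > max_age_days,
            "has_private_key": "HostPrivateKey" in record,
        })
    return results


def build_sample_record_dir(age_days):
    """Create a temp dir holding one CONSTRUCTED pairing record for demonstration.

    Certificate and key bodies are placeholder bytes, not real key material.
    """
    directory = tempfile.mkdtemp(prefix="lockdown-demo-")
    record = {
        "HostID": "00000000-0000-4000-8000-000000000000",       # constructed
        "SystemBUID": "00000000-0000-4000-8000-000000000001",   # constructed
        "WiFiMACAddress": "02:00:00:00:00:01",                  # constructed
        "HostCertificate": b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
        "HostPrivateKey": b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "DeviceCertificate": b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    }
    path = os.path.join(directory, "0000000000000000000000000000000000000000.plist")
    with open(path, "wb") as fh:
        plistlib.dump(record, fh)
    # Back-date the file so the age check has something to report.
    old = time.time() - age_days * 86400
    os.utime(path, (old, old))
    # A non-record plist that the audit must ignore.
    with open(os.path.join(directory, "SystemConfiguration.plist"), "wb") as fh:
        plistlib.dump({"SystemBUID": "constructed"}, fh)
    return directory


def demo(age_days=200, max_age_days=90):
    """Audit a constructed sample directory; used by the stand-alone run below."""
    return audit_pairing_records(build_sample_record_dir(age_days), max_age_days)


if __name__ == "__main__":
    for d in DEFAULT_RECORD_DIRS:
        for entry in audit_pairing_records(d):
            flag = "STALE" if entry["stale"] else "ok"
            print(f"{d}: {entry['udid']} host={entry['host_id']} age={entry['age_days']}d {flag}")
    for entry in demo():
        print(f"sample: {entry['udid']} host={entry['host_id']} age={entry['age_days']}d "
              f"{'STALE' if entry['stale'] else 'ok'}")
```

A record flagged stale belongs to a device the host has not needed to talk to in months; deleting it (or wiping the device, as the article notes) is the only way to revoke the trust it represents.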

With the pairing data, attackers can locate the targeted iOS device on a Wi-Fi network. Because iPhones are set up to automatically join networks whose names they recognize (like "linksys" or "attwifi"), attackers can also force an iPhone to connect to an attacker-controlled network.


In a research paper published in March in the journal Digital Investigation, Zdziarski writes: "It may even be possible for a government agency with privileged access to a cellular carrier's network to connect to the device over cellular (although I cannot verify this, due to the carrier's firewalls)."

This is all a lot of ifs, of course. The attacker has to have the pairing keys; the attacker must know where the targeted iOS device is; the attacker has to get on the same Wi-Fi network as the device; and the iPhone needs to have its Wi-Fi switched on. This may be more than the average criminal could pull off, but it wouldn't be difficult for the NSA, an agency with an approximately $52 billion budget, or the FBI.

Something in the mechanism

Once the paired connection is established, access is granted to the mystery tools. Perhaps the most serious is one that Zdziarski described as an "undocumented file-relay service that really only has relevance to purposes of spying and/or law enforcement."

The feature, com.apple.mobile.file_relay, copies and relays nearly all the data stored on an iOS device, even when Backup Encryption is enabled. It is separate from iOS's documented backup and sync features.

Since around 2009 iOS devices have had an optional feature called Backup Encryption. The feature encrypts all data backed up from an iOS device to a PC or Mac running iTunes, complete with a separate password. File_relay bypasses the password.

Other tools are only partly documented in official Apple publications. One is a packet sniffer, or network traffic analyzer, called com.apple.pcapd that views all network traffic and HTTP header data going to and from the iOS device. (Some packet sniffers can also analyze traffic to and from other devices on the same Wi-Fi network.)

Packet sniffers can be useful for iOS developers testing their apps, but Zdziarski said the feature is enabled on all iOS devices, even those not in developer mode.

"Why do we need a packet sniffer running on 600 million personal iOS devices?" Zdziarski asked during his presentation.

No visual indication is given when com.apple.pcapd is running; it could be triggered and run without the user's knowledge.

"It remains a mystery why Apple decided that every single recent device needed to come with a packet sniffer," Zdziarski wrote in his research paper.

Tell me why

Why do these features exist? Zdziarski can't prove that they were created as backdoors for law enforcement, and isn't even sure they were. But in his talk, he eliminated some of the other possibilities.

Could the features be there for developers? No, said Zdziarski: Most of the mechanisms he identified are not in the official Apple developer manual.

Are they there for Apple's engineers? No: Engineering tools don't need to be installed on every single iPhone.

Is it simply forgotten code? No: Zdziarski has seen these tools grow more capable with each iteration of iOS. When Apple added the Backup Encryption feature, he said, it also added the means to circumvent it. Clearly, Zdziarski feels, Apple is keeping these secret abilities alive.

"They're maintaining this code," Zdziarski said at the HOPE X talk. "Over the years, year after year, there are new data sources in file_relay ... nobody has forgotten about [these mechanisms]."

"I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices," Zdziarski wrote on his blog. "At the same time, this is NOT a zero day and NOT some widespread security emergency. My paranoia level is tweaked, but not going crazy."
