Undocumented iOS functions allow monitoring of personal data, expert says

"Backdoor" can be abused by gov't agents and ex-lovers to gain persistent access.

Apple has endowed iPhones with undocumented functions that allow unauthorized people in privileged positions to wirelessly connect and harvest pictures, text messages, and other sensitive data without entering a password or PIN, a forensic scientist warned over the weekend.

Jonathan Zdziarski, an iOS jailbreaker and forensic expert, told attendees of the Hope X conference that he can't be sure Apple engineers enabled the mechanisms with the intention of accommodating surveillance by the National Security Agency and law enforcement groups. Still, he said some of the services serve little or no purpose other than to make huge amounts of data available to anyone who has access to a computer, alarm clock, or other device that has ever been paired with a targeted device.

Zdziarski said the service that raises the most concern is known as com.apple.mobile.file_relay. It dishes out a staggering amount of data—including account data for e-mail, Twitter, iCloud, and other services, a full copy of the address book including deleted entries, the user cache folder, logs of geographic positions, and a complete dump of the user photo album—all without requiring a backup password to be entered. He said two other services dubbed com.apple.pcapd and com.apple.mobile.house_arrest may have legitimate uses for app developers or support people but can also be used to spy on users by government agencies or even jilted ex-lovers. The Pcapd service, for instance, allows people to wirelessly monitor all network traffic traveling into and out of the device, even when it's not running in a special developer or support mode. House_arrest, meanwhile, allows the copying of sensitive files and documents from Twitter, Facebook, and many other applications.

"Apple really needs to step up and explain what these services are doing," Zdziarski told Ars by phone on Monday. "I can't come up with a better word than 'backdoor' to describe file relay, but I'm willing to listen to whatever other explanation Apple has. At the end of the day, though, there's a lot of insecure stuff running on the phone giving up a lot of data that should never be given up. Apple really needs to fix that."

Zdziarski said the services aren't easy for anyone to abuse, making it unlikely that hackers could exploit them on a wide scale. Still, he said the functions are within easy reach of technically knowledgeable people who have access to a computer, electric charger, or other device that has ever been modified to digitally pair with a targeted iPhone or iPad. During the pairing process, iDevices create a file containing a set of digital keys. Anyone with access to such files can make almost unfettered use of the services, often wirelessly, until the iPhone or iPad undergoes a factory reset. Fortunately, devices running iOS 7 won't pair to a device until after a user clicks a button OKing the action. Still, the pairing records can be lifted from any computer that has ever synced with an iPhone or with any alarm clock or other peripheral that has been modified by a spy agency.
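
Because a stored pairing record keeps working until the device is factory reset, it helps to know which records a computer still holds. The following is an added example, not code from the article or from Zdziarski: a Python audit that inventories pairing-record files in a directory the caller supplies and flags old or loosely permissioned ones. It assumes the records are `.plist` files named after the device, and the key names in `SECRET_KEYS` are assumptions; the sample data is constructed.

```python
import os
import plistlib
import tempfile
import time

# Assumed key names for the secrets a pairing record holds (not given in the article).
SECRET_KEYS = ("HostPrivateKey", "RootPrivateKey", "EscrowBag")

def audit_pairing_records(directory, max_age_days=90, now=None):
    """Inventory *.plist pairing records in `directory` and flag risky ones."""
    now = time.time() if now is None else now
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        info = os.stat(path)
        try:
            with open(path, "rb") as fh:
                record = plistlib.load(fh)
        except Exception:  # unreadable or malformed plist: report it, keep going
            record = None
        secrets = [k for k in SECRET_KEYS if isinstance(record, dict) and k in record]
        age_days = int((now - info.st_mtime) // 86400)
        findings.append({
            "device": name[:-len(".plist")],  # assumes the file is named after the device ID
            "parsed": isinstance(record, dict),
            "secrets": secrets,
            "readable_by_others": bool(info.st_mode & 0o044),
            "age_days": age_days,
            "stale": age_days > max_age_days,
        })
    return findings

def build_sample_directory():
    """Constructed sample data: one old, loosely permissioned record and one malformed file."""
    directory = tempfile.mkdtemp(prefix="lockdown-sample-")
    old = os.path.join(directory, "SAMPLE-DEVICE-0001.plist")
    with open(old, "wb") as fh:
        plistlib.dump({"HostID": "SAMPLE-HOST", "HostPrivateKey": b"constructed",
                       "EscrowBag": b"constructed"}, fh)
    os.chmod(old, 0o644)
    year_ago = time.time() - 365 * 86400
    os.utime(old, (year_ago, year_ago))
    with open(os.path.join(directory, "broken.plist"), "wb") as fh:
        fh.write(b"not a plist")
    return directory

if __name__ == "__main__":
    for finding in audit_pairing_records(build_sample_directory()):
        print(finding)
```

A record flagged as stale or readable by other accounts is a candidate for deletion from the host; per the article, the device itself keeps honoring the pairing until it is factory reset.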

"It's a big caveat, but that's one area that I see law enforcement starting to target much more," said Zdziarski, who has devised iOS forensic methods used by law enforcement agencies and has consulted federal and local agencies and the US military on criminal investigations. "When they're performing raids there are software solutions out there where they can even boot off a USB thumbdrive and search for pairing records on the machine. Or in the field, a traffic stop or what have you, you have a tablet that you can plug into a suspect's phone and create a pairing on the fly."

Slides of Zdziarski's talk, titled Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Devices are here.

World’s most miserable kids

Zdziarski said the services could also be abused by ex-lovers, co-workers, or anyone else who is in possession of a computer that has ever been paired with an iPhone or iPad. From then on, the person has the ability to wirelessly monitor the device until it is wiped. He said he makes personal use of those features to keep tabs on his iPhone-using children.

"The forensic tools I've written for myself privately I use for parental monitoring where when I set the phone up I'll pair it with my desktop and then at any point in the future I can just easily scan the network, find my kids' devices and dump all their application data, see who they're talking to, and what they're doing online," he explained. "My kids have got to be the most miserable kids in the world with a forensics expert for a dad."

Zdziarski said the same services can similarly benefit agents of the NSA and law enforcement groups. Because the features are unknown and allow the collection of data without user knowledge or consent, he has left open the possibility that they may have been some of the things that agents have reportedly used in the past to gain "access to iPhone data in instances where the NSA is able to infiltrate the computer a person uses to sync their iPhone." Apple has long said it doesn't cooperate with such surveillance programs, but Zdziarski has called on Apple to either remove or better the functions, or justify their existence, particularly in the case of the file_relay service.

"Its sole purpose is to dish out data, bypass backup encryption, and give you almost the same amount of personal data you get from a backup on the phone, in some cases even more," he said. "We really need someone at Apple to step up and explain why this is here. There's no logical reason why it should be there on 600 million devices."
