
Researcher Finds Hidden Data-Dumping Services In iOS

Posted by samzenpus
from the don't-take-my-data-bro dept.
Trailrunner7 writes There are a number of undocumented and hidden features and services in Apple iOS that can be used to bypass the backup encryption on iOS devices and remove large amounts of users' personal data. Several of these features began as benign services but have evolved in recent years to become powerful tools for acquiring user data.

Jonathan Zdziarski, a forensic scientist and researcher who has worked extensively with law enforcement and intelligence agencies, has spent quite a bit of time looking at the capabilities and services available in iOS for data acquisition and found that some of the services have no real reason to be on these devices and that several have the ability to bypass the iOS backup encryption. One of the services in iOS, called mobile file_relay, can be accessed remotely or through a USB connection and can be used to bypass the backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via data protection can be accessed, whether by an attacker or law enforcement, Zdziarski said.
Update: 07/21 22:15 GMT by U L : Slides.
  • Huge Caveat! (Score:5, Informative)

    by rabtech (223758) on Monday July 21, 2014 @02:40PM (#47502555) Homepage

    There is a huge caveat here:

    You can only do this if you have the keys from a computer you have sync'd with previously. That only happens if you enter your passcode then see the "Trust this Computer" prompt on a computer that has iTunes installed and you click "Trust" at the prompt. That creates a set of sync keys that the iOS device will then accept to access the various services.

    Some of the stuff he complains about is only enabled for devices used for development or if the device is enrolled in enterprise provisioning. As far as I'm aware, Apple requires that the company purchase the device on the company account to support over the air enrollment in this system so it wouldn't affect personal devices. Even for USB connected devices, you must enter the password/passcode to allow the device to be visible to MDM tools in the first place. Even enabling development mode requires entering the password/passcode.

    The one main point he brings up (which I agree with) is Apple needs to provide a way to see the list of computers on your device and remove them.

    There are some other more theoretical issues here that Apple should address, but no your iPhone is not running a packet sniffer and will not hand over files to anyone who connects. If your device isn't provisioned for enterprise and has never connected to a PC to sync (the vast majority of iOS devices these days) then as far as I can tell, none of the issues he found are of any use whatsoever.

  • DON'T PANIC (Score:5, Informative)

    by Anonymous Coward on Monday July 21, 2014 @02:50PM (#47502625)

    Why link to a re-post and not to the source: http://www.zdziarski.com/blog/ [zdziarski.com]

    There we find this:

    DON'T PANIC

    Before the journalists blow this way out of proportion, this was a talk I gave to a room full of hackers explaining that while we were sleeping, this is how some features in iOS have evolved over the PAST FEW YEARS, and of course a number of companies have taken advantage of some of the capabilities. I have NOT accused Apple of working with NSA, however I suspect (based on released documents) that some of these services MAY have been used by NSA to collect data on potential targets. I am not suggesting some grand conspiracy; there are, however, some services running in iOS that shouldn't be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer. I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices. At the same time, this is NOT a zero day and NOT some widespread security emergency. My paranoia level is tweaked, but not going crazy. My hope is that Apple will correct the problem. Nothing less, nothing more. I want these services off my phone. They don't belong there.

  • Re:Huge Caveat! (Score:5, Informative)

    by 93 Escort Wagon (326346) on Monday July 21, 2014 @03:00PM (#47502677)

    That only happens if you enter your passcode then see the "Trust this Computer" prompt on a computer that has iTunes installed and you click "Trust" at the prompt. That creates a set of sync keys that the iOS device will then accept to access the various services.

    The article made that very clear. But it's not clear to me where these keys are stored - is it on the disk, unprotected, or is it in your encrypted keychain? If the former, it seems to me that - unless you encrypt your computer's hard disk - this means anyone with unfettered access to your computer could get at these keys and thereby get at everything on your iOS device. If the latter, it would be much more difficult to do, even if they otherwise got access to your account.

    The guy said he uses this to monitor his kids (which, depending on their age, might be a bit jerky in my opinion). However since he seems like an overzealous parent, I'm wondering if he has his kids' passwords etc., which would be necessary if these keys are in the keychain.

  • Re:Huge Caveat! (Score:5, Informative)

    by jittles (1613415) on Monday July 21, 2014 @03:09PM (#47502721)

    That only happens if you enter your passcode then see the "Trust this Computer" prompt on a computer that has iTunes installed and you click "Trust" at the prompt. That creates a set of sync keys that the iOS device will then accept to access the various services.

    The article made that very clear. But it's not clear to me where these keys are stored - is it on the disk, unprotected, or is it in your encrypted keychain? If the former, it seems to me that - unless you encrypt your computer's hard disk - this means anyone with unfettered access to your computer could get at these keys and thereby get at everything on your iOS device. If the latter, it would be much more difficult to do, even if they otherwise got access to your account.

    The guy said he uses this to monitor his kids (which, depending on their age, might be a bit jerky in my opinion). However since he seems like an overzealous parent, I'm wondering if he has his kids' passwords etc., which would be necessary if these keys are in the keychain.

    Unless Apple has changed the way this process works, the keys you need to get it to sync aren't in the keychain at all. On a Mac you can find them in ~/Library/MobileSync or something like that. On later versions of Windows it'll be in Users\\AppData\Roaming\Apple\MobileSync

    You can quite literally copy and paste them from one machine to another in order to trick an iDevice into syncing with multiple iTunes libraries at once, though you can run into problems with that if you're not careful. However, if encryption is enabled on backups, then you must know the passphrase to actually access a device backup. It's been years since I've played around with this, so I may be a bit off on the exact directory locations, but they are basically just files sitting around in your user folder.

  • Re:Too many words (Score:4, Informative)

    by Charliemopps (1157495) on Monday July 21, 2014 @03:22PM (#47502817)

    People want to read something like "The iPhone has a secret backdoor for the NSA!!!". Anything much longer than that will never be read or understood by most people.

    It's hopeless. Ask 100 people who have heard of this and 95 of them will tell you that it is proven now that the iPhone has a secret backdoor for the NSA over which all data can just be read by them.

    (And I'm not even saying that it has NO such backdoor. Maybe it has. But this isn't it. This just isn't designed for mass surveillance, it needs a cooperating user and individual access to a device the user has connected his iPhone to. Maybe it's a side door for law enforcement and/or forensics additionally to a debugging tool.)

    Except for the fact that Apple's handing all of your data over to the NSA anyway. Apple has a very cozy relationship with the US federal government.
    http://cdn.bgr.com/2013/11/app... [bgr.com]

    But at least Apple held off for longer than some of the others:
    http://static.guim.co.uk/sys-i... [guim.co.uk]

    Long story short? The NSA doesn't need this backdoor, it's a lot easier to just go straight to Apple.

  • by thoromyr (673646) on Monday July 21, 2014 @04:34PM (#47503361)

    not to mention "...creates a disk image of everything that’s on the phone..." is misleading, even with the following caveat. It would be far more accurate to say something like "...creates a copy of file access times of everything that's on the phone, and other metadata such as file size and other timestamps." But that wouldn't be bait for journalists and misquotation. (And if the dumped iOS file system metadata includes other things, perhaps mention those -- but timestamps and file size are the main things.)
