Researcher Finds Hidden Data-Dumping Services In iOS 98
Trailrunner7 writes There are a number of undocumented and hidden features and services in Apple iOS that can be used to bypass the backup encryption on iOS devices and remove large amounts of users' personal data. Several of these features began as benign services but have evolved in recent years to become powerful tools for acquiring user data.
Jonathan Zdziarski, a forensic scientist and researcher who has worked extensively with law enforcement and intelligence agencies, has spent quite a bit of time looking at the capabilities and services available in iOS for data acquisition and found that some of the services have no real reason to be on these devices and that several have the ability to bypass the iOS backup encryption. One of the services in iOS, called mobile file_relay, can be accessed remotely or through a USB connection can be used to bypass the backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via data protection can be accessed, whether by an attacker or law enforcement, Zdziarski said. Update: 07/21 22:15 GMT by U L : Slides.
Jonathan Zdziarski, a forensic scientist and researcher who has worked extensively with law enforcement and intelligence agencies, has spent quite a bit of time looking at the capabilities and services available in iOS for data acquisition and found that some of the services have no real reason to be on these devices and that several have the ability to bypass the iOS backup encryption. One of the services in iOS, called mobile file_relay, can be accessed remotely or through a USB connection can be used to bypass the backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via data protection can be accessed, whether by an attacker or law enforcement, Zdziarski said. Update: 07/21 22:15 GMT by U L : Slides.
Pedos, drug lords, and terrorists take notice!! (Score:5, Funny)
Re: (Score:3)
It is not a positive reflection on your post that I can't even tell what kind of paranoid delusion you're trying to espouse.
Re:Pedos, drug lords, and terrorists take notice!! (Score:5, Insightful)
I'm going with "if you have nothing to hide, you have nothing to fear".
Which isn't so much a paranoid delusion, as it is a prevalent sentiment.
Re: (Score:2)
Sheesh.
Re: (Score:3)
The corollary to "if you have nothing to hide you have nothing to fear" is that everybody has something to hide.
And the people who spy on you are certainly not willing to give you the benefit of the doubt, and they care not a whit about your presumed innocence.
Re: (Score:2)
Re: (Score:1)
? Well it's also kind of problematic (Score:5, Insightful)
For people who lose/have their device stolen.
Re: (Score:1)
Everyone else, every law-abiding citizen, may move on, nothing to see here...
So you're a law-abiding citizen?
I'll correct you on that the next time I see you on the roads doing even 1mph over the speed limit - you'll be 'breaking the law' y'know?
Studies show normal ordinary people 'break the law' at least 3x/day on average.
Heck, getting a BJ from your wife is illegal in some states (as far as 'a law on the books') still.
So, they may not be 'strictly enforced' laws, but I'm willing to bet every 'law abiding citizen' (so they think) has broken the law, and does so quite often really.
Re: Pedos, drug lords, and terrorists take notice! (Score:1)
Go whoosh yourself.
Re: Pedos, drug lords, and terrorists take notice (Score:1)
That too is against the law in some states.
Re: (Score:2)
Recently, in a nearby city an office was injured arresting a criminal. The police response was that the people in that bad area didn't help the officer as he was being beaten, so they started patrolling that area more. The result was jaywalking tickets to people crossing the street from their house to their mailbox, and kids getting tickets for riding their bikes without a headlamp (in the daytime). Basically any tiny infraction to punish the populace.
2 Questions (Score:4, Interesting)
1) Can this method be used to bypass iCloud?
2) Does anyone have a write-up of how it works? I've got a lost-to-pawn iPad that need wiped, and will likely have more come into the shop in the future.
Huge Caveat! (Score:5, Informative)
There is a huge caveat here:
You can only do this if you have the keys from a computer you have sync'd with previously. That only happens if you enter your passcode then see the "Trust this Computer" prompt on a computer that has iTunes installed and you click "Trust" at the prompt. That creates a set of sync keys that the iOS device will then accept to access the various services.
Some of the stuff he complains about is only enabled for devices used for development or if the device is enrolled in enterprise provisioning. As far as I'm aware, Apple requires that the company purchase the device on the company account to support over the air enrollment in this system so it wouldn't affect personal devices. Even for USB connected devices, you must enter the password/passcode to allow the device to be visible to MDM tools in the first place. Even enabling development mode requires entering the password/passcode.
The one main point he brings up (which I agree with) is Apple needs to provide a way to see the list of computers on your device and remove them.
There are some other more theoretical issues here that Apple should address, but no your iPhone is not running a packet sniffer and will not hand over files to anyone who connects. If your device isn't provisioned for enterprise and has never connected to a PC to sync (the vast majority of iOS devices these days) then as far as I can tell, none of the issues he found are of any use whatsoever.
Re: (Score:2)
If there were master keys the Apple process to retrieve court ordered data would not take 4 months and $1,000.
Re: (Score:1)
"Most of the phone vendors have a way of doing this."
[Citation needed]
Too many words (Score:5, Insightful)
People want to read something like "The iPhone has a secret backdoor for the NSA!!!". Anything much longer than that will never be read or understood by most people.
It's hopeless. Ask 100 people who have heard of this and 95 of them will tell you that it is proven now that the iPhone has a secret backdoor for the NSA over which all data can just be read by them.
(And I'm not even saying that it has NO such backdoor. Maybe it has. But this isn't it. This just isn't designed for mass surveillance, it needs a cooperating user and individual access to a device the user has connected his iPhone to. Maybe it's a side door for law enforcement and/or forensics additionally to a debugging tool.)
Re:Too many words (Score:4, Informative)
People want to read something like "The iPhone has a secret backdoor for the NSA!!!". Anything much longer than that will never be read or understood by most people.
It's hopeless. Ask 100 people who have heard of this and 95 of them will tell you that it is proven now that the iPhone has a secret backdoor for the NSA over which all data can just be read by them.
(And I'm not even saying that it has NO such backdoor. Maybe it has. But this isn't it. This just isn't designed for mass surveillance, it needs a cooperating user and individual access to a device the user has connected his iPhone to. Maybe it's a side door for law enforcement and/or forensics additionally to a debugging tool.)
Except for the fact that Apples handing all of your data over to the NSA anyway. Apple has a very cozy relationship with the US federal government.
http://cdn.bgr.com/2013/11/app... [bgr.com]
But at least Apple held off for longer than some of the others:
http://static.guim.co.uk/sys-i... [guim.co.uk]
Long story short? The NSA doesn't need this backdoor, it's a lot easier to just go strait to apple.
Re:Too many words (Score:5, Insightful)
People want to read something like "The iPhone has a secret backdoor for the NSA!!!". Anything much longer than that will never be read or understood by most people.
It's hopeless. Ask 100 people who have heard of this and 95 of them will tell you that it is proven now that the iPhone has a secret backdoor for the NSA over which all data can just be read by them.
(And I'm not even saying that it has NO such backdoor. Maybe it has. But this isn't it. This just isn't designed for mass surveillance, it needs a cooperating user and individual access to a device the user has connected his iPhone to. Maybe it's a side door for law enforcement and/or forensics additionally to a debugging tool.)
Except for the fact that Apples handing all of your data over to the NSA anyway. Apple has a very cozy relationship with the US federal government.
http://cdn.bgr.com/2013/11/app... [bgr.com]
According to that table there were 0 - 1000 cases in which "some" content data was disclosed to law enforcement in the US (and 1 in the UK and 0 in about 30 other countries). You call this "a very cozy relationship"? With 313 million citizens in the US there were less than 1000 requests granted. What's "cozy" about that?
Re: (Score:1)
We're missing a number here - how many requests were *made*?
http://cdn.bgr.com/2013/11/app... [bgr.com]
The data for the US is almost laughably vague. It could very well be that 1000 requests were made, and 1000 requests were granted.
100% success rate in complying with requests sounds pretty cozy to me...
Re: (Score:2)
The data for the US is almost laughably vague. It could very well be that 1000 requests were made, and 1000 requests were granted.
100% success rate in complying with requests sounds pretty cozy to me...
Following that exact same logic we could argue that 2000 requests were made (involving 3000 accounts) and 0 were granted.
A 0% success rate in complying with requests sounds pretty un-cozy to me...
I agree that the data is worthless, though.
Re: (Score:2)
What's "cozy" about that?
Did a judge authorize every release of data? I don't know, I'm asking. If they just handed it over when asked then that is a cozy relationship, if they demanded a warrant and gave the target notice and an opportunity to contest it then that's fair enough.
Re: (Score:3)
Except for the fact that Apples handing all of your data over to the NSA anyway. Apple has a very cozy relationship with the US federal government. http://cdn.bgr.com/2013/11/app... [bgr.com]
According to that table there were 0 - 1000 cases in which "some" content data was disclosed to law enforcement in the US (and 1 in the UK and 0 in about 30 other countries). You call this "a very cozy relationship"? With 313 million citizens in the US there were less than 1000 requests granted. What's "cozy" about that?
Not to mention that this number includes all requests for tracking down stolen phones and those from missing persons.
Re: (Score:2)
Long story short? The NSA doesn't need this backdoor, it's a lot easier to just go strait to apple.
This isn't about the NSA in particular, this is about all law enforcement. It's ordinary for law enforcement to confiscate your phone and drop it into a cradle for analysis when you're arrested.
Re:Huge Caveat! (Score:5, Informative)
That only happens if you enter your passcode then see the "Trust this Computer" prompt on a computer that has iTunes installed and you click "Trust" at the prompt. That creates a set of sync keys that the iOS device will then accept to access the various services.
The article made that very clear. But it's not clear to me where these keys are stored - is it on the disk, unprotected, or is it in your encrypted keychain? If the former, it seems to me that - unless you encrypt your computer's hard disk - this means anyone with unfettered access to your computer could get at these keys and thereby get at everything on your iOS device. If the latter, it would be much more difficult to do, even if they otherwise got access to your account.
The guy said he uses this to monitor his kids (which, depending on their age, might be a bit jerky in my opinion). However since he seems like an overzealous parent, I'm wondering if he has his kids' passwords etc., which would be necessary if these keys are in the keychain.
Re:Huge Caveat! (Score:5, Informative)
That only happens if you enter your passcode then see the "Trust this Computer" prompt on a computer that has iTunes installed and you click "Trust" at the prompt. That creates a set of sync keys that the iOS device will then accept to access the various services.
The article made that very clear. But it's not clear to me where these keys are stored - is it on the disk, unprotected, or is it in your encrypted keychain? If the former, it seems to me that - unless you encrypt your computer's hard disk - this means anyone with unfettered access to your computer could get at these keys and thereby get at everything on your iOS device. If the latter, it would be much more difficult to do, even if they otherwise got access to your account.
The guy said he uses this to monitor his kids (which, depending on their age, might be a bit jerky in my opinion). However since he seems like an overzealous parent, I'm wondering if he has his kids' passwords etc., which would be necessary if these keys are in the keychain.
Unless Apple has changed the way this process works, the keys you need to get it to sync aren't in the keychain at all. ON a mac you can find them in ~/Library/MobileSync or something like that. On later versions of Windows it'll be in Users\\AppData\Roaming\Apple\MobileSync
You can quite literally copy and paste them from one machine to another in order to trick an iDevice into syncing with multiple iTunes libraries at once, though you can run into problems with that if you're not careful. However, if encryption is enabled on backups, then you must know the passphrase to actually access a device backup. It's been years since I've played around with this, so I may bit a bit off on the exact directory locations, but they are basically just files sitting around in your user folder.
Re: (Score:3)
In other words, over sensationalized slashdot summary carefully glazes over the facts that make it moot.
Re: (Score:2)
but no your iPhone is not running a packet sniffer
Not even if you're using a Remote Virtual Interface [apple.com]? If that can only be used by plugging the device into a Mac and running rvictl on the Mac, that's one thing, but if you can also get it to act as a remote pcap daemon over the network, as he claims, that's a different matter.
Attacker or law enforcement? (Score:4, Insightful)
whether by an attacker or law enforcement
For those who are innocent, law enforcement IS the attacker.
DROPOUTJEEP backdoor (Score:4, Interesting)
This may be the backdoor known as DROPOUTJEEP [iclarified.com], which was described in some Snowden-leaked documents last year.
Looks like Apple sold out, put in a backdoor, and then lied about it.
Re: (Score:3)
Apple's reputation management service is reacting faster now. It used to take them an hour to mod criticism down. Now it only takes 15 minutes. Who are they using?
Re: (Score:3)
The MS shills are pretty much whores, I'm betting they paid them $0.03 a mod.
Re:DROPOUTJEEP backdoor (Score:4, Funny)
Not a MS shill. But a consultant. Just because I'm a whore, doesn't mean I'm cheap.
It's called trauma (Score:2)
Really, very much as after 9/11 people are actually training themselves into a deep trauma. As you should know avoiding a trauma means NOT to do that. Sadly if you leave people to do what they want (and have this amplified by the headline-addicted press and of course the Internet) they will do exactly that. They will over and over come back to what did hurt them, they will stare at it all day long and become more and more fascinated by it, until they can't think of anything else anymore. Feelings of intense
Re: (Score:3)
This may be the backdoor known as DROPOUTJEEP [iclarified.com], which was described in some Snowden-leaked documents last year.
Looks like Apple sold out, put in a backdoor, and then lied about it.
Yeah. Or the guy who wrote that is either a moron or a jerkass, and completely ignored some important info given. Like the fact that DROPOUT.JEEP was actually the codename for a wired jailbreak for the first iPhone that NSA had to develop themselves. It's not like that info is hard to gain once you strip out the boasting and bullshit bingo from the l33t NSA haX0r slide.
XOR (Score:5, Insightful)
DON'T PANIC (Score:5, Informative)
Why link to a re-post and not to the source: http://www.zdziarski.com/blog/ [zdziarski.com]
There we find this:
Re: (Score:3)
>I want these services off my phone.
How can you say that and yet still buy such devices? It's not like one doesn't have a choice...
Re:DON'T PANIC (Score:5, Insightful)
How can you say that and yet still buy such devices? It's not like one doesn't have a choice...
Yes, they could buy Android instead. Or Windows.
Oh, hang one...
Re:DON'T PANIC (Score:4, Funny)
Try BeOS.
Not a high profile target for the feds, the police or the Russian mob.
Re: (Score:2)
Android and Windows Phone aren't the only alternatives out there. There are even devices and OSes that are supported entirely by FLOSS community, like OpenPhoenux. There is a choice, you just have to keep your eyes wide open.
Re:DON'T PANIC (Score:5, Insightful)
And how much crap is installed on Android you can't disable (or know is there) without rooting your phone?
How much crap on Windows phone? I bet you can neither disable nor know it's there.
Your BlackBerry?
So, please, tell us, how are Android, Windows or BlackBerry phones any better? Can you prove none of them has something similar?
I very much doubt you can.
You can choose to not have a device at all, but I have my doubts you can choose a phone which doesn't have similar security holes you know nothing about.
Re: (Score:3)
The only secure Android phone is what is running Cyanogenmod.
Re: (Score:3)
The only secure Android phone is what is running Cyanogenmod.
Only if you personally are capable of security auditing every single line of source code. Otherwise, you'll be trusting someone or something...as virtually everyone else is doing.
Re: (Score:1)
The only secure Android phone is what is running Cyanogenmod.
Only if you personally are capable of security auditing every single line of source code. Otherwise, you'll be trusting someone or something...as virtually everyone else is doing.
And how much source code does Apple give you to audit.
There are levels of trust we accept because not everyone has the time or skills to audit source code. However many actions (like simply making source code available) make others more trustworthy than their competitors.
I know Google collects info from my Nexus 5 and 7 but Google are at least honest about what they collect, give me options on what gets sent and have demonstrated how it's annonymised.
Apple collects the same, if not more info from I
Re:DON'T PANIC (Score:4, Funny)
The only secure Android phone is what is running Cyanogenmod.
No... the only secure Android phone is the one you pulled the battery out on.
iPhone is trickier... since there's no removable battery: it is very hard to secure. Best bet is to wrap it in tin foil and let the battery drain down on its own, then when it reaches 0% it will be secure
Re: (Score:3)
The only secure Android phone is what is running Cyanogenmod.
If you take "secure" to mean "i don't know of any security vulnerabilities in it" then sure, but that's unlikely to be very secure.
Re:DON'T PANIC (Score:5, Insightful)
Android has the Google Play Services that has all permissions, that can update itself without asking or even telling the user and that has access to EVERYTHING on the phone. If the NSA wants you data, it gets it. Period.
And really, you need to do some reality-check here. You can't protect yourself against that. No way. Not without building your own hardware, writing your own software, including the firmware and the baseband.
All the geeks dreaming of technical solutions to political problems are just dreamers. What we need is some sane checks and balances for when and in which cases such things are used. This is a political problem and the first step to home in to a solution is accepting that there ARE cases where law enforcement and government agencies indeed have a right and a need to do this. Without accepting this you will only continue to shake your fists and even IF you may get into power with steadfastly requiring 100% security against everyone: Once you will notice that people will use the Internet and mobile devices to organize against you then, you WILL turn around and cry for surveillance and WILL try to defend yourself. Freedom has to have some teeth and hands and eyes to defend itself. The point is not to pull the teeth, the point is how to tame them. There are no technical solutions to that problem.
Re: (Score:2)
Not if you block it with a HOSTS file!
Re: (Score:1)
I have one (Huawei).
No Google Play Services (and any other Google Apps - Maps, Mail, etc.)
Re: (Score:2)
Just buy an Android phone without Google Apps pre-installed. I have one (Huawei). No Google Play Services (and any other Google Apps - Maps, Mail, etc.)
Yeah, having everything send to the Chinese intelligence agencies is soooo much better. Not to mention the NSA backdoors in the Linux kernel that Google itself hasn't found.
Re: (Score:2)
So, please, tell us, how are Android, Windows or BlackBerry phones any better?
Many Android vendors have well-documented procedures how to unlock the bootloader of the device and install a custom ROM, which can be mostly built from source (the remaining proprietary blobs come from non-US companies and/or are unlikely to contain backdoors because of the greatly reduced codebase). None of the other major players allow this.
Re: (Score:2)
Android: you have the source. Not the source of the binary blobs so the device can still be compromised through those, but the rest is 'up to you'. Apple, Microsoft, Blackberry... no source.
Is Android the bees knees of mobile software? No, far from it. It is up to par with the competition, though. And it is free software (most of it). The non-free bits can be replaced, mostly. The non-replaceable bits... need to be replaceable. In other words, as it stands now Android is a local optimum.
Re: (Score:1)
Android (as shipped with most phones) is about as open source as iOS is [apple.com]. iOS's kernel and most of the userspace is open source, just like Android's. A huge amount of what users expect from the devices is closed source, just like Google Apps and Google Play Services.
Read the AOSP/Cyanogenmod/etc forums sometime. Most people install Google Apps, and at that point you're well back into mothership calling blackbox land.
Re: (Score:2)
You have a choice to buy iOS, Android, Windows or BlackBerry phones.
My Openmoko, SHR, Maemo, QtMoko and Debian based phones are a nice example. And they all work pretty well! It wasn't always the case, especially in their early days, but things have stabilized pretty well over time.
If you don't want any "crap", support projects like Neo900. You do have a choice.
Re: (Score:2)
to not buy*, of course.
Re: (Score:2)
Re: (Score:1)
"(...) I understand that every OS has diagnostic functions, however these services break the promise that Apple makes with the consumer when they enter a backup password; that the data on their device will only come off the phone encrypted. The consumer is also not aware of these mechanisms, nor are they prompted in any way by the device. There is simply no way to justify the massive leak of data as a result of these services, and without any explicit consent by the user.
I d
Legitimate engineering uses (Score:5, Interesting)
Apple is often prone to adding capabilities without thinking through the security implications. But this researcher should do some more research into what constitutes legitimate engineering uses.
From TFA:
“Some of this data shouldn’t be on the phone. HFSMeta creates a disk image of everything that’s on the phone, not the content but the metadata,” Zdziarski said. “There’s not even an engineering use for that.”
I can imagine plenty of legitimate uses of just metadata. For example, the old iOS backup mechanism basically took a snapshot of everything and something like HFSMeta could be used to identify the files that have changed so only those files are backed up.
Re: (Score:2)
In iOS 7 or later just do not tap on "Yes" if it asks you if you trust the device you connected you iPhone to if you don't trust it.
Re:Legitimate engineering uses (Score:5, Informative)
not to mention "...creates a disk image of everything that’s on the phone..." is misleading, even with the following caveat. It would be far more accurate to say something like "...creates a copy of file access times of everything that's on the phone, and other metadata such as file size and other timestamps." But that wouldn't be bait for journalists and misquotation. (And if the dumped iOS file system metadata includes other things, perhaps mention those -- but timestamps and file size are the main things.)
Whoa. (Score:1)
Re: (Score:2)
Is Apple beginning to get like M$?
What do you mean by "beginning"?
Oh snap! (Score:3)
You'll have to close this back door in iOS 8 and add a new one that's harder to find.
Re: (Score:3, Insightful)
Don't by the corporate colored glass beads, but roll your own crypto. Its not actually hard.
WHAT THE FUCK ARE YOU SMOKING? Rolling your own crypto is HARD. The near infinite number of ways you can screw up (fucked implementations like "optimizations", timing attacks, electromagnetic leakage, poor handling of entropy and key material--the list goes on and on) automatically make rolling your own crypto a bad idea.
You want better security, support the open source hardware and software guys (especially crypto devs who put out established/trustworthy products like OpenBSD).
And yes, I've written plenty
Re: (Score:2)
He was obviously talking about building your own hardware. Did you really think his parts list of "A small controller, an LCD display and a keyboard," was in reference to writing an alternative to OpenBSD?
Law Enforcement should cost (Score:2)
Part of the protection against tyranny isn't the gun, but simply that certain law enforcement has certain costs. Part of it is red tape - a warrant sticks some glue in the process, slows it down. Part of it is monetary costs. In the 1970's wire taps cost a lot.
These costs force some filtering of resources. You can't just go after everyone, you need to be somewha
Memo to Self : don't buy iAnything (Score:2)