For the second time in less than two weeks, Apple is defending itself
against claims that call into question the security of iOS.

The company has denied a security researcher's claims that iOS has a
"backdoor" that enables third parties to potentially gain access to
users' personal data.

The researcher, Jonathan Zdziarski, detailed the alleged security flaws in a
presentation at the Hope X security conference and in a journal paper.
The problem, he explains, arises from the way Apple encrypts — or fails
to encrypt — data from the iPhone's native apps, leaving personal data
vulnerable to third parties.

"Once the device is first unlocked after reboot, most of the data-protection
encrypted data can be accessed until the device is shut down," he wrote
in his Hope X presentation. "Your device is almost always at risk of
spilling all data, since it’s almost always authenticated, even while
locked."

The data at risk, according to Zdziarski, is some of the most personal
information stored on your phone. It includes Twitter, iCloud, and email
accounts; contact information, including deleted contacts; and data
caches, including screenshots of pages you've viewed, keyboard typing
history, and location information.

Although actually extracting this data requires a fairly advanced level of
expertise, this information can potentially be obtained by anyone who
has access to a computer, iPhone dock or any other device that has
previously been paired to the iOS device.

He stops short of accusing Apple of putting these backdoors in place to
intentionally aid the NSA or other organizations, but the researcher
does say he believes the NSA could have exploited the vulnerabilities.
As he explains on his blog:

I have NOT accused Apple of working with NSA, however I suspect (based on
released documents) that some of these services MAY have been used by
NSA to collect data on potential targets. I am not suggesting some grand
conspiracy; there are, however, some services running in iOS that
shouldn’t be there, that were intentionally added by Apple as part of
the firmware, and that bypass backup encryption while copying more of
your personal data than ever should come off the phone for the average
consumer.

Apple did not respond to Mashable's request to comment but told iMore in a
statement that iOS is not designed to compromise users' security.

We have designed iOS so that its diagnostic functions do not compromise
user privacy and security, but still provides needed information to
enterprise IT departments, developers and Apple for troubleshooting
technical issues. A user must have unlocked their device and agreed to
trust another computer before that computer is able to access this
limited diagnostic data. The user must agree to share this information,
and data is never transferred without their consent.

As we have said before, Apple has never worked with any government agency
from any country to create a backdoor in any of our products or
services.

For his part, Zdziarski has already responded to Apple's comments, saying
the statement actually confirms there is, in fact, a backdoor. "It looks
like Apple might have inadvertently admitted that, in the classic sense
of the word, they do indeed have back doors in iOS, however claim that
the purpose is for 'diagnostics' and 'enterprise,'" he wrote in his
blog.

The issue, he says, is that these services that send out users' data are
always on and consumers have no way of turning them off or otherwise
opting out — even if the "Send Diagnostics to Apple" setting is
disabled.

"I don’t buy for a minute that these services are intended solely for
diagnostics," he writes. "The data they leak is of an extreme personal
nature. There is no notification to the user. A real diagnostic tool
would have been engineered to respect the user, prompt them like
applications do for access to data, and respect backup encryption."

The latest security concerns come less than two weeks after Apple published
a lengthy statement defending the security of iOS, following a report
on China's state-run television station that quoted security researchers
who claimed the iPhone was a potential risk to the country's national
security.
Posted by : Gizmeon