Undocumented iOS Features left Hidden Backdoors Open in 600 Million Apple Devices
A well-known iPhone hacker and forensic scientist has unearthed a range of undocumented and hidden functions in Apple's iOS mobile operating system that make it possible for a hacker to completely bypass the backup encryption on iOS devices and steal large amounts of users' personal data without entering passwords or personal identification numbers.
Data forensics expert Jonathan Zdziarski has posted the slides (PDF) titled “Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices” showing his findings from his talk at the Hackers On Planet Earth (HOPE X) conference held in New York on Friday.
Jonathan Zdziarski, better known as the hacker "NerveGas" in the iPhone development community, worked as a dev-team member on many of the early iOS jailbreaks and is also the author of five iOS-related O'Reilly books, including "Hacking and Securing iOS Applications."
The results of his research on iOS devices indicate a backdoor into the iOS operating system, although it is not nearly as wide open as a number of reports have suggested.
You can protect your iOS device settings, Messages, Camera Roll, documents, saved games, email account passwords, Wi-Fi passwords, and passwords that you enter into websites using the iTunes Backup feature. iTunes also allows users to protect their backup data with encryption.
EVERY SET OF INFORMATION OF iOS USERS IS AT RISK
He researched the capabilities and services available in iOS for data acquisition and found that over 600 million personal iOS devices, particularly those running the latest version, iOS 7, have secret data discovery tools or ‘undocumented features’ that can bypass the iOS backup encryption, but only under certain circumstances.
When your backup is encrypted, you need to enter the password when enabling or disabling encryption or when restoring from the backup, but according to Zdziarski there is an iOS service called file_relay (com.apple.mobile.file_relay) that can be accessed remotely or through a USB connection to bypass the backup encryption.
The staggering amount of data this service hands over includes a full copy of the user's address book including deleted entries, stored photos, the voicemail database and audio files, any account data configured on the device such as iCloud, email, Facebook, Twitter, and other services, the user cache of screenshots, keystrokes and the device's clipboard, and GPS data, all without requiring a backup password to be entered.
“Between this tool and other services, you can get almost the same information you could get from a complete backup,” Zdziarski said in an interview. “What concerns me the most is that this all bypasses the consumer backup encryption. When you click that button to encrypt the backup, Apple has made a promise that the data that comes off the device will be encrypted.”
Apart from this, there are two other services on the device, a packet sniffer dubbed com.apple.pcapd and com.apple.mobile.house_arrest, that may have legitimate uses for users and app developers but can also be used to spy on users by government intelligence agencies and bad actors.
The pcapd service starts without notifying the device's owner and allows an attacker to remotely monitor all network traffic travelling into and out of the device via Wi-Fi, even when the device is not in a special developer or support mode. The pcapd service can log and export network traffic and HTTP request/response data travelling into and out of the device.
The house_arrest service, on the other hand, allows iTunes to copy sensitive files and documents from third-party applications such as Twitter and Facebook, other data stored in “vaults”, and much more.
QUESTIONS TO BE ANSWERED BY APPLE
Zdziarski also includes some questions in his presentation for Apple:
Why is there a packet sniffer running on 600 million personal iOS devices instead of moved to the developer mount?
Why are there undocumented services that bypass user backup encryption that dump mass amounts of personal data from the phone?
Why is most of my user data still not encrypted with the PIN or passphrase, enabling the invasion of my personal privacy by YOU?
Why is there still no mechanism to review the devices my iPhone is paired with, so I can delete ones that don’t belong?
IN SHORT - CONCLUSION
He summed it up in his last slide (page 57 of the PDF) as follows:
Apple is dishing out a lot of data behind our backs.
It’s a violation of the customer’s trust and privacy to bypass backup encryption.
There is no valid excuse to leak personal data or allow packet sniffing without the user’s knowledge and permission.
Much of this data simply should never come off the phone, even during a backup.
Apple has added many conveniences for enterprises that make tasty attack points for .gov and criminals.
Overall, the otherwise great security of iOS has been compromised… by Apple… by design.
DEPENDENCIES
The attacker first needs to grab the pairing keys
The targeted iOS device must be physically near the attacker
The targeted iPhone needs to have its Wi-Fi switched on
The attacker and the targeted iOS device must be on the same Wi-Fi network
The targeted device must not have been rebooted since the last time the user entered the PIN
If we consider these dependencies, it is practically not possible for an attacker to carry out the attack, as it can only be executed when a user’s device matches all of the above circumstances.
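The first dependency (the attacker needs the pairing keys) and Zdziarski's question about reviewing which devices an iPhone is paired with both come down to the pairing records that iTunes stores on the computer. The script below is an added defensive check, not part of the article or Zdziarski's slides: it audits the records in a lockdown directory (/var/db/lockdown on macOS, C:\ProgramData\Apple\Lockdown on Windows, paths assumed from those platforms' conventions) and flags records older than a threshold so the owner can delete pairings they no longer recognise; the sample records and UDIDs it creates are constructed.

```shell
#!/bin/sh
# Added example: audit host-side iTunes pairing records.
# Each record is <UDID>.plist; SystemConfiguration.plist is not a pairing.
# A stale record means that host still holds a pairing key for the phone.

# audit_pairing_records <lockdown_dir> [max_age_days]
# Prints one line per record: "UDID age_in_days STATUS" (STATUS = ok|STALE).
audit_pairing_records() {
    dir=$1
    max_age=${2:-90}
    now=$(date +%s)
    for f in "$dir"/*.plist; do
        [ -e "$f" ] || { echo "no pairing records in $dir"; return 0; }
        udid=$(basename "$f" .plist)
        [ "$udid" = "SystemConfiguration" ] && continue
        # GNU stat first, BSD/macOS stat as fallback
        mtime=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f")
        age=$(( (now - mtime) / 86400 ))
        if [ "$age" -gt "$max_age" ]; then
            status=STALE
        else
            status=ok
        fi
        echo "$udid $age $status"
    done
    return 0
}

# Constructed sample lockdown directory for an offline run (UDIDs are made up).
make_sample_lockdown_dir() {
    d=$(mktemp -d)
    : > "$d/SystemConfiguration.plist"
    : > "$d/00008020-000A1B2C3D4E5F60.plist"          # paired just now
    old="$d/a1b2c3d4e5f60718293a4b5c6d7e8f9012345678.plist"
    : > "$old"
    touch -t 201407180000 "$old"                       # paired back in July 2014
    echo "$d"
}

# Stand-alone run: real machines would pass /var/db/lockdown (needs root to read).
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_lockdown_dir)
    audit_pairing_records "$sample" 90
    rm -rf "$sample"
fi
```

On a real Mac, run it as `sudo sh audit.sh /var/db/lockdown` style by calling `audit_pairing_records /var/db/lockdown 90`; any STALE UDID you do not recognise is a pairing record worth deleting.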
ROLE OF NSA
A number of undocumented services and features in iOS map pretty closely to the capabilities of some NSA tools, specifically the DROPOUTJEEP hacking tool, an implant for Apple iOS devices that allows the NSA to remotely control and monitor nearly all the features of an iPhone, including text messages, geolocation, the microphone and the camera, as revealed by documents leaked by Edward Snowden.
“If you're the NSA, with a Tailored Access Operations division that specializes in this sort of thing, getting into Apple's backdoor is easy as pie,” the Register notes.
Zdziarski clarified that he is not pointing to these services as intentional backdoors for the NSA or any other intelligence agency, but he believes there is evidence that the agency may be using the services nonetheless.
Posted by: Gizmeon