
Researcher Finds Hidden Data-Dumping Services In iOS

Posted by samzenpus
from the don't-take-my-data-bro dept.
Trailrunner7 writes: There are a number of undocumented and hidden features and services in Apple iOS that can be used to bypass the backup encryption on iOS devices and remove large amounts of users' personal data. Several of these features began as benign services but have evolved in recent years to become powerful tools for acquiring user data.

Jonathan Zdziarski, a forensic scientist and researcher who has worked extensively with law enforcement and intelligence agencies, has spent quite a bit of time looking at the capabilities and services available in iOS for data acquisition and found that some of the services have no real reason to be on these devices and that several have the ability to bypass the iOS backup encryption. One of the services in iOS, called mobile file_relay, can be accessed remotely or through a USB connection and can be used to bypass the backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via data protection can be accessed, whether by an attacker or law enforcement, Zdziarski said.
Update: 07/21 22:15 GMT by U L : Slides.
  • by rodrigoandrade (713371) on Monday July 21, 2014 @02:34PM (#47502513)
    Everyone else, every law-abiding citizen, may move on, nothing to see here...
    • It is not a positive reflection on your post that I can't even tell what kind of paranoid delusion you're trying to espouse.

      • by gstoddart (321705) on Monday July 21, 2014 @03:25PM (#47502849) Homepage

        I'm going with "if you have nothing to hide, you have nothing to fear".

        Which isn't so much a paranoid delusion, as it is a prevalent sentiment.

        • by cayenne8 (626475)
          So, are there *that* many people out there, that actually trust their phones enough to keep really private stuff on them?

          Sheesh.

    • Yup, because the law-abiding can't know about these features so members of the former group use this to fund their illicit activities.
    • by Crashmarik (635988) on Monday July 21, 2014 @02:57PM (#47502655)

      For people who lose/have their device stolen.

    • by CaptnZilog (33073)

      Everyone else, every law-abiding citizen, may move on, nothing to see here...

      So you're a law-abiding citizen?
      I'll correct you on that the next time I see you on the roads doing even 1mph over the speed limit - you'll be 'breaking the law' y'know?

      Studies show normal ordinary people 'break the law' at least 3x/day on average.
      Heck, getting a BJ from your wife is illegal in some states (as far as 'a law on the books') still.
      So, they may not be 'strictly enforced' laws, but I'm willing to bet every 'law abiding citizen' (so they think) has broken the law, and does so quite often really.

      • Go whoosh yourself.

      • Recently, in a nearby city an officer was injured arresting a criminal. The police response was that the people in that bad area didn't help the officer as he was being beaten, so they started patrolling that area more. The result was jaywalking tickets to people crossing the street from their house to their mailbox, and kids getting tickets for riding their bikes without a headlamp (in the daytime). Basically any tiny infraction to punish the populace.

  • 2 Questions (Score:4, Interesting)

    by CanHasDIY (1672858) on Monday July 21, 2014 @02:35PM (#47502521) Homepage Journal

    1) Can this method be used to bypass iCloud?

    2) Does anyone have a write-up of how it works? I've got a lost-to-pawn iPad that needs wiping, and will likely have more come into the shop in the future.

  • Huge Caveat! (Score:5, Informative)

    by rabtech (223758) on Monday July 21, 2014 @02:40PM (#47502555) Homepage

    There is a huge caveat here:

    You can only do this if you have the keys from a computer you have sync'd with previously. That only happens if you enter your passcode then see the "Trust this Computer" prompt on a computer that has iTunes installed and you click "Trust" at the prompt. That creates a set of sync keys that the iOS device will then accept to access the various services.

    Some of the stuff he complains about is only enabled for devices used for development or if the device is enrolled in enterprise provisioning. As far as I'm aware, Apple requires that the company purchase the device on the company account to support over the air enrollment in this system so it wouldn't affect personal devices. Even for USB connected devices, you must enter the password/passcode to allow the device to be visible to MDM tools in the first place. Even enabling development mode requires entering the password/passcode.

    The one main point he brings up (which I agree with) is Apple needs to provide a way to see the list of computers on your device and remove them.

    There are some other more theoretical issues here that Apple should address, but no your iPhone is not running a packet sniffer and will not hand over files to anyone who connects. If your device isn't provisioned for enterprise and has never connected to a PC to sync (the vast majority of iOS devices these days) then as far as I can tell, none of the issues he found are of any use whatsoever.

    • Too many words (Score:5, Insightful)

      by joh (27088) on Monday July 21, 2014 @02:59PM (#47502669)

      People want to read something like "The iPhone has a secret backdoor for the NSA!!!". Anything much longer than that will never be read or understood by most people.

      It's hopeless. Ask 100 people who have heard of this and 95 of them will tell you that it is proven now that the iPhone has a secret backdoor for the NSA over which all data can just be read by them.

      (And I'm not even saying that it has NO such backdoor. Maybe it has. But this isn't it. This just isn't designed for mass surveillance, it needs a cooperating user and individual access to a device the user has connected his iPhone to. Maybe it's a side door for law enforcement and/or forensics additionally to a debugging tool.)

      • Re:Too many words (Score:4, Informative)

        by Charliemopps (1157495) on Monday July 21, 2014 @03:22PM (#47502817)

        People want to read something like "The iPhone has a secret backdoor for the NSA!!!". Anything much longer than that will never be read or understood by most people.

        It's hopeless. Ask 100 people who have heard of this and 95 of them will tell you that it is proven now that the iPhone has a secret backdoor for the NSA over which all data can just be read by them.

        (And I'm not even saying that it has NO such backdoor. Maybe it has. But this isn't it. This just isn't designed for mass surveillance, it needs a cooperating user and individual access to a device the user has connected his iPhone to. Maybe it's a side door for law enforcement and/or forensics additionally to a debugging tool.)

        Except for the fact that Apple's handing all of your data over to the NSA anyway. Apple has a very cozy relationship with the US federal government.
        http://cdn.bgr.com/2013/11/app... [bgr.com]

        But at least Apple held off for longer than some of the others:
        http://static.guim.co.uk/sys-i... [guim.co.uk]

        Long story short? The NSA doesn't need this backdoor, it's a lot easier to just go straight to Apple.

        • Re:Too many words (Score:5, Insightful)

          by joh (27088) on Monday July 21, 2014 @04:29PM (#47503323)

          People want to read something like "The iPhone has a secret backdoor for the NSA!!!". Anything much longer than that will never be read or understood by most people.

          It's hopeless. Ask 100 people who have heard of this and 95 of them will tell you that it is proven now that the iPhone has a secret backdoor for the NSA over which all data can just be read by them.

          (And I'm not even saying that it has NO such backdoor. Maybe it has. But this isn't it. This just isn't designed for mass surveillance, it needs a cooperating user and individual access to a device the user has connected his iPhone to. Maybe it's a side door for law enforcement and/or forensics additionally to a debugging tool.)

          Except for the fact that Apple's handing all of your data over to the NSA anyway. Apple has a very cozy relationship with the US federal government.
          http://cdn.bgr.com/2013/11/app... [bgr.com]

          According to that table there were 0 - 1000 cases in which "some" content data was disclosed to law enforcement in the US (and 1 in the UK and 0 in about 30 other countries). You call this "a very cozy relationship"? With 313 million citizens in the US there were less than 1000 requests granted. What's "cozy" about that?

          • We're missing a number here - how many requests were *made*?

            http://cdn.bgr.com/2013/11/app... [bgr.com]

            The data for the US is almost laughably vague. It could very well be that 1000 requests were made, and 1000 requests were granted.

            100% success rate in complying with requests sounds pretty cozy to me...

            • by Smurf (7981)

              The data for the US is almost laughably vague. It could very well be that 1000 requests were made, and 1000 requests were granted.

              100% success rate in complying with requests sounds pretty cozy to me...

              Following that exact same logic we could argue that 2000 requests were made (involving 3000 accounts) and 0 were granted.

              A 0% success rate in complying with requests sounds pretty un-cozy to me...

              I agree that the data is worthless, though.

          • by AmiMoJo (196126) *

            What's "cozy" about that?

            Did a judge authorize every release of data? I don't know, I'm asking. If they just handed it over when asked then that is a cozy relationship, if they demanded a warrant and gave the target notice and an opportunity to contest it then that's fair enough.

          • Except for the fact that Apple's handing all of your data over to the NSA anyway. Apple has a very cozy relationship with the US federal government. http://cdn.bgr.com/2013/11/app... [bgr.com]

            According to that table there were 0 - 1000 cases in which "some" content data was disclosed to law enforcement in the US (and 1 in the UK and 0 in about 30 other countries). You call this "a very cozy relationship"? With 313 million citizens in the US there were less than 1000 requests granted. What's "cozy" about that?

            Not to mention that this number includes all requests for tracking down stolen phones and those from missing persons.

        • by drinkypoo (153816)

          Long story short? The NSA doesn't need this backdoor, it's a lot easier to just go straight to Apple.

          This isn't about the NSA in particular, this is about all law enforcement. It's ordinary for law enforcement to confiscate your phone and drop it into a cradle for analysis when you're arrested.

    • Re:Huge Caveat! (Score:5, Informative)

      by 93 Escort Wagon (326346) on Monday July 21, 2014 @03:00PM (#47502677)

      That only happens if you enter your passcode then see the "Trust this Computer" prompt on a computer that has iTunes installed and you click "Trust" at the prompt. That creates a set of sync keys that the iOS device will then accept to access the various services.

      The article made that very clear. But it's not clear to me where these keys are stored - is it on the disk, unprotected, or is it in your encrypted keychain? If the former, it seems to me that - unless you encrypt your computer's hard disk - this means anyone with unfettered access to your computer could get at these keys and thereby get at everything on your iOS device. If the latter, it would be much more difficult to do, even if they otherwise got access to your account.

      The guy said he uses this to monitor his kids (which, depending on their age, might be a bit jerky in my opinion). However since he seems like an overzealous parent, I'm wondering if he has his kids' passwords etc., which would be necessary if these keys are in the keychain.

      • Re:Huge Caveat! (Score:5, Informative)

        by jittles (1613415) on Monday July 21, 2014 @03:09PM (#47502721)

        That only happens if you enter your passcode then see the "Trust this Computer" prompt on a computer that has iTunes installed and you click "Trust" at the prompt. That creates a set of sync keys that the iOS device will then accept to access the various services.

        The article made that very clear. But it's not clear to me where these keys are stored - is it on the disk, unprotected, or is it in your encrypted keychain? If the former, it seems to me that - unless you encrypt your computer's hard disk - this means anyone with unfettered access to your computer could get at these keys and thereby get at everything on your iOS device. If the latter, it would be much more difficult to do, even if they otherwise got access to your account.

        The guy said he uses this to monitor his kids (which, depending on their age, might be a bit jerky in my opinion). However since he seems like an overzealous parent, I'm wondering if he has his kids' passwords etc., which would be necessary if these keys are in the keychain.

        Unless Apple has changed the way this process works, the keys you need to get it to sync aren't in the keychain at all. On a Mac you can find them in ~/Library/MobileSync or something like that. On later versions of Windows it'll be in Users\\AppData\Roaming\Apple\MobileSync

        You can quite literally copy and paste them from one machine to another in order to trick an iDevice into syncing with multiple iTunes libraries at once, though you can run into problems with that if you're not careful. However, if encryption is enabled on backups, then you must know the passphrase to actually access a device backup. It's been years since I've played around with this, so I may be a bit off on the exact directory locations, but they are basically just files sitting around in your user folder.
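The two posts above describe the host side of the "Trust this Computer" flow: once the user taps Trust, the computer keeps a pairing record, a plain property-list file holding the host identity and key material the device will later accept, and that file is only as protected as the user folder it sits in. The script below is an added example (not code from the thread or from Apple) that audits such records from a defender's point of view: for each record it reports which device it covers, which host created it, how old it is, whether it carries private-key material and whether it is world-readable. The default directories and the plist key names (HostID, HostPrivateKey, RootPrivateKey, EscrowBag, HostCertificate, SystemBUID) are assumptions about the common on-disk layout, not facts stated in the thread; the sample records the script writes for its own demonstration are constructed.

```python
"""Audit host-side iOS pairing records (added example; paths and key names are assumptions)."""
import os
import plistlib
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional

# Assumed default locations of pairing records (one <UDID>.plist per paired device).
DEFAULT_LOCKDOWN_DIRS = [
    "/var/db/lockdown",                                   # macOS (assumed)
    os.path.expandvars(r"%ProgramData%\Apple\Lockdown"),  # Windows (assumed)
]

# Assumed plist keys that, when present, carry key material usable to talk to the device.
SENSITIVE_KEYS = ("HostPrivateKey", "RootPrivateKey", "EscrowBag")


@dataclass
class PairingRecord:
    udid: str                 # device identifier, taken from the file name
    path: str
    host_id: Optional[str]    # which computer created the trust relationship
    age_days: float           # time since the record was last written
    sensitive_keys: List[str]
    world_readable: bool      # any local user could copy the record


def parse_pairing_record(path: str, now: Optional[float] = None) -> PairingRecord:
    """Read one pairing-record plist and summarise what it grants and how exposed it is."""
    now = time.time() if now is None else now
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    st = os.stat(path)
    return PairingRecord(
        udid=os.path.splitext(os.path.basename(path))[0],
        path=path,
        host_id=data.get("HostID"),
        age_days=(now - st.st_mtime) / 86400.0,
        sensitive_keys=[k for k in SENSITIVE_KEYS if k in data],
        world_readable=bool(st.st_mode & 0o004),
    )


def audit_directory(directory: str, now: Optional[float] = None) -> List[PairingRecord]:
    """Parse every per-device record in a lockdown directory; missing directories yield nothing."""
    records: List[PairingRecord] = []
    if not os.path.isdir(directory):
        return records
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist") and name != "SystemConfiguration.plist":
            records.append(parse_pairing_record(os.path.join(directory, name), now))
    return records


def format_report(records: List[PairingRecord]) -> List[str]:
    """One line per record, flagging stale records, private keys and loose permissions."""
    lines = []
    for r in records:
        flags = []
        if r.sensitive_keys:
            flags.append("private key material: " + ",".join(r.sensitive_keys))
        if r.world_readable:
            flags.append("world-readable")
        if r.age_days > 365:
            flags.append("older than a year")
        lines.append(f"{r.udid}: host {r.host_id}, {r.age_days:.0f} days old; "
                     + ("; ".join(flags) or "no flags"))
    return lines


def write_sample_record(directory: str, udid: str, host_id: str, mtime: float,
                        include_private_key: bool = True) -> str:
    """Write a CONSTRUCTED pairing record so the audit can be demonstrated offline."""
    record = {
        "HostID": host_id,
        "SystemBUID": "CONSTRUCTED-SYSTEM-BUID",
        "HostCertificate": b"-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n",
    }
    if include_private_key:
        record["HostPrivateKey"] = b"-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n"
    path = os.path.join(directory, udid + ".plist")
    with open(path, "wb") as fh:
        plistlib.dump(record, fh)
    os.utime(path, (mtime, mtime))   # back-date the file to simulate an old trust
    os.chmod(path, 0o644)            # deliberately loose permissions for the demo
    return path


def demo_audit(now: Optional[float] = None) -> List[PairingRecord]:
    """Run the audit over two constructed records: a recent one with a key, a stale one without."""
    now = time.time() if now is None else now
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_record(tmp, "CONSTRUCTEDUDID0001", "host-A", now - 30 * 86400)
        write_sample_record(tmp, "CONSTRUCTEDUDID0002", "host-B", now - 500 * 86400,
                            include_private_key=False)
        return audit_directory(tmp, now)


if __name__ == "__main__":
    for line in format_report(demo_audit()):
        print(line)
    for d in DEFAULT_LOCKDOWN_DIRS:          # then whatever this machine actually holds
        for line in format_report(audit_directory(d)):
            print(line)
```

Run as-is it first reports on the two constructed records and then on the assumed real directories, which is the inventory rabtech asks Apple to expose on the device side: which trust relationships exist and which of them still hold keys worth protecting or deleting.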

    • by Lumpy (12016)

      In other words, over-sensationalized Slashdot summary carefully glazes over the facts that make it moot.

    • by Guy Harris (3803)

      but no your iPhone is not running a packet sniffer

      Not even if you're using a Remote Virtual Interface [apple.com]? If that can only be used by plugging the device into a Mac and running rvictl on the Mac, that's one thing, but if you can also get it to act as a remote pcap daemon over the network, as he claims, that's a different matter.

  • by Anonymous Coward on Monday July 21, 2014 @02:40PM (#47502561)

    whether by an attacker or law enforcement

    For those who are innocent, law enforcement IS the attacker.

  • DROPOUTJEEP backdoor (Score:4, Interesting)

    by Animats (122034) on Monday July 21, 2014 @02:42PM (#47502567) Homepage

    This may be the backdoor known as DROPOUTJEEP [iclarified.com], which was described in some Snowden-leaked documents last year.

    Looks like Apple sold out, put in a backdoor, and then lied about it.

    • by Animats (122034)

      Apple's reputation management service is reacting faster now. It used to take them an hour to mod criticism down. Now it only takes 15 minutes. Who are they using?

    • This may be the backdoor known as DROPOUTJEEP [iclarified.com], which was described in some Snowden-leaked documents last year.

      Looks like Apple sold out, put in a backdoor, and then lied about it.

      Yeah. Or the guy who wrote that is either a moron or a jerkass, and completely ignored some important info given. Like the fact that DROPOUT.JEEP was actually the codename for a wired jailbreak for the first iPhone that NSA had to develop themselves. It's not like that info is hard to gain once you strip out the boasting and bullshit bingo from the l33t NSA haX0r slide.

  • XOR (Score:5, Insightful)

    by Himmy32 (650060) on Monday July 21, 2014 @02:44PM (#47502591)
    The summary seems to imply that law enforcement and being an attacker are mutually exclusive...
  • DON'T PANIC (Score:5, Informative)

    by Anonymous Coward on Monday July 21, 2014 @02:50PM (#47502625)

    Why link to a re-post and not to the source: http://www.zdziarski.com/blog/ [zdziarski.com]

    There we find this:

    DON'T PANIC

    Before the journalists blow this way out of proportion, this was a talk I gave to a room full of hackers explaining that while we were sleeping, this is how some features in iOS have evolved over the PAST FEW YEARS, and of course a number of companies have taken advantage of some of the capabilities. I have NOT accused Apple of working with NSA, however I suspect (based on released documents) that some of these services MAY have been used by NSA to collect data on potential targets. I am not suggesting some grand conspiracy; there are, however, some services running in iOS that shouldn't be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer. I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices. At the same time, this is NOT a zero day and NOT some widespread security emergency. My paranoia level is tweaked, but not going crazy. My hope is that Apple will correct the problem. Nothing less, nothing more. I want these services off my phone. They don't belong there.

    • by dos1 (2950945)

      >I want these services off my phone.

      How can you say that and yet still buy such devices? It's not like one doesn't have a choice...

      • Re:DON'T PANIC (Score:5, Insightful)

        by 0123456 (636235) on Monday July 21, 2014 @03:03PM (#47502691)

        How can you say that and yet still buy such devices? It's not like one doesn't have a choice...

        Yes, they could buy Android instead. Or Windows.

        Oh, hang on...

      • Re:DON'T PANIC (Score:5, Insightful)

        by gstoddart (321705) on Monday July 21, 2014 @03:23PM (#47502831) Homepage

        How can you say that and yet still buy such devices? It's not like one doesn't have a choice...

        And how much crap is installed on Android you can't disable (or know is there) without rooting your phone?

        How much crap on Windows phone? I bet you can neither disable nor know it's there.

        Your BlackBerry?

        So, please, tell us, how are Android, Windows or BlackBerry phones any better? Can you prove none of them has something similar?

        I very much doubt you can.

        You can choose to not have a device at all, but I have my doubts you can choose a phone which doesn't have similar security holes you know nothing about.

        • by Lumpy (12016)

          The only secure Android phone is what is running Cyanogenmod.

          • by Rick Zeman (15628)

            The only secure Android phone is what is running Cyanogenmod.

            Only if you personally are capable of security auditing every single line of source code. Otherwise, you'll be trusting someone or something...as virtually everyone else is doing.

            • by mjwx (966435)

              The only secure Android phone is what is running Cyanogenmod.

              Only if you personally are capable of security auditing every single line of source code. Otherwise, you'll be trusting someone or something...as virtually everyone else is doing.

              And how much source code does Apple give you to audit.

              There are levels of trust we accept because not everyone has the time or skills to audit source code. However many actions (like simply making source code available) make others more trustworthy than their competitors.

              I know Google collects info from my Nexus 5 and 7 but Google are at least honest about what they collect, give me options on what gets sent and have demonstrated how it's anonymised.

              Apple collects the same, if not more info from I

          • by mysidia (191772) on Monday July 21, 2014 @10:08PM (#47504927)

            The only secure Android phone is what is running Cyanogenmod.

            No... the only secure Android phone is the one you pulled the battery out on.

            iPhone is trickier... since there's no removable battery: it is very hard to secure. Best bet is to wrap it in tin foil and let the battery drain down on its own, then when it reaches 0% it will be secure

          • by exomondo (1725132)

            The only secure Android phone is what is running Cyanogenmod.

            If you take "secure" to mean "i don't know of any security vulnerabilities in it" then sure, but that's unlikely to be very secure.

        • Re:DON'T PANIC (Score:5, Insightful)

          by joh (27088) on Monday July 21, 2014 @05:11PM (#47503613)

          Android has the Google Play Services that has all permissions, that can update itself without asking or even telling the user and that has access to EVERYTHING on the phone. If the NSA wants your data, it gets it. Period.

          And really, you need to do some reality-check here. You can't protect yourself against that. No way. Not without building your own hardware, writing your own software, including the firmware and the baseband.

          All the geeks dreaming of technical solutions to political problems are just dreamers. What we need is some sane checks and balances for when and in which cases such things are used. This is a political problem and the first step to home in on a solution is accepting that there ARE cases where law enforcement and government agencies indeed have a right and a need to do this. Without accepting this you will only continue to shake your fists and even IF you may get into power with steadfastly requiring 100% security against everyone: Once you notice that people will use the Internet and mobile devices to organize against you, you WILL turn around and cry for surveillance and WILL try to defend yourself. Freedom has to have some teeth and hands and eyes to defend itself. The point is not to pull the teeth, the point is how to tame them. There are no technical solutions to that problem.

          • Not if you block it with a HOSTS file!

          • by Kamien (1561193)
            Just buy an Android phone without Google Apps pre-installed.
            I have one (Huawei).

            No Google Play Services (and any other Google Apps - Maps, Mail, etc.)
            • Just buy an Android phone without Google Apps pre-installed. I have one (Huawei). No Google Play Services (and any other Google Apps - Maps, Mail, etc.)

              Yeah, having everything sent to the Chinese intelligence agencies is soooo much better. Not to mention the NSA backdoors in the Linux kernel that Google itself hasn't found.

        • by hweimer (709734)

          So, please, tell us, how are Android, Windows or BlackBerry phones any better?

          Many Android vendors have well-documented procedures how to unlock the bootloader of the device and install a custom ROM, which can be mostly built from source (the remaining proprietary blobs come from non-US companies and/or are unlikely to contain backdoors because of the greatly reduced codebase). None of the other major players allow this.

        • by knarf (34928)

          Android: you have the source. Not the source of the binary blobs so the device can still be compromised through those, but the rest is 'up to you'. Apple, Microsoft, Blackberry... no source.

          Is Android the bees knees of mobile software? No, far from it. It is up to par with the competition, though. And it is free software (most of it). The non-free bits can be replaced, mostly. The non-replaceable bits... need to be replaceable. In other words, as it stands now Android is a local optimum.

          • by Anonymous Coward

            Android (as shipped with most phones) is about as open source as iOS is [apple.com]. iOS's kernel and most of the userspace is open source, just like Android's. A huge amount of what users expect from the devices is closed source, just like Google Apps and Google Play Services.

            Read the AOSP/Cyanogenmod/etc forums sometime. Most people install Google Apps, and at that point you're well back into mothership calling blackbox land.

        • by dos1 (2950945)

          You have a choice to buy iOS, Android, Windows or BlackBerry phones.

          My Openmoko, SHR, Maemo, QtMoko and Debian based phones are a nice example. And they all work pretty well! It wasn't always the case, especially in their early days, but things have stabilized pretty well over time.

          If you don't want any "crap", support projects like Neo900. You do have a choice.

    • You mean, DON'T PANIC [adafruit.com].
    • by Kamien (1561193)
      The blog post also says this:
      "(...) I understand that every OS has diagnostic functions, however these services break the promise that Apple makes with the consumer when they enter a backup password; that the data on their device will only come off the phone encrypted. The consumer is also not aware of these mechanisms, nor are they prompted in any way by the device. There is simply no way to justify the massive leak of data as a result of these services, and without any explicit consent by the user.
      I d
  • by tipo159 (1151047) on Monday July 21, 2014 @02:53PM (#47502639)

    Apple is often prone to adding capabilities without thinking through the security implications. But this researcher should do some more research into what constitutes legitimate engineering uses.

    From TFA:

    “Some of this data shouldn’t be on the phone. HFSMeta creates a disk image of everything that’s on the phone, not the content but the metadata,” Zdziarski said. “There’s not even an engineering use for that.”

    I can imagine plenty of legitimate uses of just metadata. For example, the old iOS backup mechanism basically took a snapshot of everything and something like HFSMeta could be used to identify the files that have changed so only those files are backed up.

    • by thoromyr (673646) on Monday July 21, 2014 @04:34PM (#47503361)

      not to mention "...creates a disk image of everything that’s on the phone..." is misleading, even with the following caveat. It would be far more accurate to say something like "...creates a copy of file access times of everything that's on the phone, and other metadata such as file size and other timestamps." But that wouldn't be bait for journalists and misquotation. (And if the dumped iOS file system metadata includes other things, perhaps mention those -- but timestamps and file size are the main things.)

  • Is Apple beginning to get like M$?
    • by mjwx (966435)

      Is Apple beginning to get like M$?

      What do you mean by "beginning"?

  • by viperidaenz (2515578) on Monday July 21, 2014 @05:54PM (#47503895)

    You'll have to close this back door in iOS 8 and add a new one that's harder to find.

  • Process is now taking about four months on average, and costs about $1,000, so LE is looking for streamlined / inexpensive tools to collect evidence.

    Part of the protection against tyranny isn't the gun, but simply that certain law enforcement has certain costs. Part of it is red tape - a warrant sticks some glue in the process, slows it down. Part of it is monetary costs. In the 1970's wire taps cost a lot.

    These costs force some filtering of resources. You can't just go after everyone, you need to be somewha

  • Memo from Self : Like I was going to do that? After the last time I worked on a Mac?
