Apple Confirms “Back Doors”; Downplays Their Severity

Posted on July 23, 2014 by Jonathan Zdziarski

Apple responded to allegations of hidden services running on iOS devices with this knowledge base article. In it, they outlined three of the big services that I outlined in my talk. So again, Apple has, in a traditional sense, admitted to having back doors on the device specifically for their own use. Perhaps people misunderstand the term “back door” due to the stigma Hollywood has given them, but I have never accused these “hidden access methods” of being intended for anything malicious, and I’ve made repeated statements that I haven’t accused Apple of working with NSA. That doesn’t mean, however, that the government can’t take advantage of back doors to access the same information. What does concern me is that Apple appears to be completely misleading about some of these (especially file relay), and not addressing the issues I raised on others.

Let’s start with pcapd; I mentioned in my talk that pcapd has many legitimate uses such as these, and I have no qualms with Apple using pcapd to troubleshoot issues on users’ devices. Using a packet capture has been documented for developers for a couple of years, but had no explanation for being on every device that wasn’t in developer mode. The problem I have is with its implementation, however. In iOS, pcapd is available on every iOS device out there, and can be activated on any device without the user’s knowledge. You also don’t have to be enrolled in an enterprise policy, and you don’t have to be in developer mode. What makes this service dangerous is that it can be activated wirelessly, and does not ask the user for permission to activate it… so it can be employed for snooping by third parties in a privileged position.

Now let’s talk about file relay. Apple is being completely misleading by claiming that file relay is only for copying diagnostic data. If, by diagnostic data, you mean the user’s complete photo album, their SMS, Notes, Address Book, GeoLocation data, screenshots of the last thing they were looking at, and a ton of other personal data – then sure… but this data is far too personal in nature to ever be needed for diagnostics. In fact, diagnostics is almost the complete opposite of this kind of data. And once again, the user is never prompted to give their permission to dump all of this data, or notified in any way on-screen. Apple insists AppleCare gets your consent, but this must be a verbal consent, as it is certainly not a technological consent. What’s more, if this service really were just for diagnostic use, you’d think that it would respect backup encryption, so that everything coming off the phone is encrypted with the user’s backup password. When I take my laptop to Apple for repairs, I have to provide the password. But Apple apparently has admitted to the mechanics behind file relay, which skip around backup encryption, to get to much the same data. In addition to this, it can be dumped wirelessly, without the user’s knowledge. So why does this need to be the case? It doesn’t. File relay is far too sloppy with personal data, and serves up a lot more than “diagnostics” data.

Lastly, house arrest. I make no qualms with this either, and in fact iTunes and Xcode do use this service to access the documents inside a user’s sandbox, as I mentioned in my talk. As I mentioned in my talk also, however, it can also be used to access the stateful information on the device that should never come off the phone – Library, Caches, Preferences, etc. This is where most of the personal data from every application is stored, including OAuth tokens (which is just as good as having the password to your accounts), private conversations, friends lists, and other highly personal data. The interface is wide open to access all of this – far beyond just the “Documents” folder that iTunes needs to access new Pages files. This is not a back door, rather a privileged access that’s available here that really doesn’t need to be there (or at least could be engineered differently).

The last thing I’ll mention is this claim that your data is respected with data-protection encryption. The pairing record that is used to access all of this data is sent with an escrow bag, which contains a backup copy of your key bag keys for unlocking data protection encryption. So again, we’re back to the fact that with any valid pairing, you have access to all of this personal data – whether it was Apple’s intention or not.
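The practical consequence of the paragraph above is that every pairing record sitting on a host computer is a standing credential for the device, and the records that carry an escrow bag are the ones that reach past data protection. A defender's first step is therefore to know which records exist and how old they are. The script below is an added example written for this page, not code from the post or from Apple; it assumes the host stores records as `<UDID>.plist` property lists in `/var/db/lockdown` (macOS) or `%ProgramDATA%\Apple\Lockdown` (Windows), that a record carries `HostID` and, when present, `EscrowBag` keys (the names used by libimobiledevice-style records), and that a host-wide `SystemConfiguration.plist` may sit beside them. The 90-day staleness threshold and the two sample records are constructed for the demo.

```python
"""Audit iOS pairing records on a host and flag the ones that grant
escrow-bag access. Added example; paths and key names are assumptions."""
import os
import plistlib
import tempfile
import time
from pathlib import Path

# Assumed pairing-record locations on macOS and Windows.
LOCKDOWN_DIRS = [
    Path("/var/db/lockdown"),
    Path(os.environ.get("PROGRAMDATA", r"C:\ProgramData")) / "Apple" / "Lockdown",
]
STALE_DAYS = 90  # constructed threshold for flagging old pairings


def summarize_record(udid, record, mtime, now):
    """Describe the access one pairing record grants.

    A record whose EscrowBag holds backup keybag keys lets its holder reach
    data-protected files without the passcode, so that is the property flagged
    as high risk; a record without one still authorizes a lockdown session.
    """
    has_escrow = bool(record.get("EscrowBag"))  # assumed key name
    age_days = round((now - mtime) / 86400, 1)
    return {
        "udid": udid,
        "host_id": record.get("HostID"),  # assumed key name
        "has_escrow_bag": has_escrow,
        "age_days": age_days,
        "stale": age_days > STALE_DAYS,
        "risk": "high" if has_escrow else "medium",
    }


def audit_dir(directory, now=None):
    """Parse every <UDID>.plist in a lockdown directory and summarize it."""
    now = time.time() if now is None else now
    results = []
    for path in sorted(Path(directory).glob("*.plist")):
        if path.stem == "SystemConfiguration":  # host-wide config, not a device record
            continue
        try:
            with path.open("rb") as fh:
                record = plistlib.load(fh)
        except (OSError, plistlib.InvalidFileException) as exc:
            results.append({"udid": path.stem, "error": str(exc)})
            continue
        results.append(summarize_record(path.stem, record, path.stat().st_mtime, now))
    return results


def audit_sample():
    """Run the audit on two constructed records in a temp dir (offline demo)."""
    now = 1_400_000_000.0  # constructed 'current' time
    records = {  # constructed UDIDs, host ids and ages
        "00000000-000000000000DEAD": {"HostID": "HOST-A", "EscrowBag": b"\x00" * 16, "age": 200},
        "00000000-000000000000BEEF": {"HostID": "HOST-B", "age": 3},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for udid, rec in records.items():
            rec = dict(rec)
            stamp = now - rec.pop("age") * 86400
            path = Path(tmp) / f"{udid}.plist"
            path.write_bytes(plistlib.dumps(rec))
            os.utime(path, (stamp, stamp))
        return audit_dir(tmp, now=now)


if __name__ == "__main__":
    for d in LOCKDOWN_DIRS:
        if d.is_dir():
            for entry in audit_dir(d):
                print(entry)
    for entry in audit_sample():
        print(entry)
```

Run it on a host and each line names a device the host can still talk to; a record marked `high` and `stale` is a pairing that should be deleted (removing the plist revokes the host's access), and on the device side "Reset Location & Privacy" or a restore clears the device's copy of the trust.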

I give Apple credit for acknowledging these services, and at least trying to give an answer to people who want to know why these services are there – prior to this, there was no documentation about file relay whatsoever, or its 44 data services to copy off personal data. They appear to be misleading about its capabilities, however, in downplaying them, and this concerns me. I wonder if the higher-ups at Apple really are aware of how much non-diagnostic personal information it copies out, wirelessly, bypassing backup encryption. All the while that Apple is downplaying it, I suspect they’ll also quietly fix many of the issues I’ve raised in future versions. At least I hope so. It would be wildly irresponsible for Apple not to address these issues, especially now that the public knows about them.

Lastly, please remember my talk was titled “iOS Back Doors, Attack Points, and Surveillance Mechanisms”, NOT “iOS Back Doors Written for NSA”. I have outlined some services I believe are back doors (such as file relay), and Apple has all but confirmed this by stating that their purpose is for Apple to access your data (thank you, Apple, for acknowledging that). I have also outlined many things in my talk that are not back doors, but are attack points and (enterprise) surveillance mechanisms that could be taken advantage of. The pcapd and house arrest services certainly make tasty attack points for an attacker, and should be fixed to limit their risk. Back doors aren’t secrets, but they can be dangerous if misused. As I’ve stated before, DON’T PANIC. I have never suggested this was a conspiracy. As usual, the media has completely derailed the intention of my talk.

About Jonathan Zdziarski

Respected in his community as an iOS forensics expert, Jonathan is a noted security researcher, penetration tester, and scientist. Author of many books ranging from machine learning to iPhone hacking and software development, Jonathan frequently trains many federal and state law enforcement agencies in digital forensic techniques and assists law enforcement and the military in high-profile cases. Jonathan is also inventor on several US patent applications, father of DSPAM and other language classification technology, and an App Store developer. All opinions expressed on this website are the author's own. Follow Jonathan on Twitter: @JZdziarski