iPhones Have a Major Security Hole That Apple Installed on Purpose

Ahn Young-joon/AP

If you use an iPhone or iPad, your photos, web history, and GPS logs are vulnerable to theft and surveillance via back-door protocols running on all iOS devices, according to forensic scientist Jonathan Zdziarski, better known by the hacker moniker “NerveGas.”

In a security-conscious era, we’re used to hearing about zero-day exploits—newly-discovered security holes that can be used to steal personal data or snoop on unsuspecting users. But Zdziarski says the vulnerabilities he has discovered were intentionally installed by Apple and have existed for years.

The new allegations could have a major impact on Apple in China, where state-owned media have argued that the company’s ability to access user data makes the iPhone a national security risk. Apple responded to those claims by saying that it never “worked with any government agency from any country to create a backdoor in any of our products or services.”

In a presentation at the Hackers On Planet Earth conference on Friday, Zdziarski outlined his investigation of the undocumented services, as published in the March issue of Digital Investigation (paywall). His conclusion: while iOS 7 security is pretty good overall, it has hidden back doors that could be exploited.

The protocols and hidden tools he found use “paired” computers, which have been connected to the iOS device via a USB cable. They include a “packet sniffer” that monitors and logs network traffic, and a file transfer service which can deliver a data dump that could include social media logins, contacts, voicemail messages, and photo albums. The user data is unencrypted, even when a setting to encrypt backup data is turned on. Users could be tricked into allowing untrusted computers to pair when they plug their iDevices in to charge, or attackers could acquire pairing credentials from a computer that has synched in the past.

In a response to Zdziarski, Apple said iOS is designed “so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers, and Apple for troubleshooting technical issues.” The company added that users “must agree to share this information, and data is never transferred without their consent.”

Zdziarski disputed that users can control whether their data is shared. “I don’t buy for a minute that these services are intended solely for diagnostics,” he said on his blog.

So why then would these services exist? They could potentially be used by law enforcement or national security agencies to access the devices, either on their own or working with Apple through a subpoena, but Zdziarski urged people not to jump to conclusions.

“I have NOT accused Apple of working with NSA, however I suspect (based on released documents) that some of these services MAY have been used by NSA to collect data on potential targets. I am not suggesting some grand conspiracy; there are, however, some services running in iOS that shouldn’t be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer.”

There’s certainly a precedent of government taking advantage of iOS security holes. An NSA document leaked last year describes a program known as DROPOUTJEEP that targets iPhones and lets a remote attacker pull text messages, contact lists, voicemail, and geolocation data, listen to the microphone, and take pictures. Installation requires physical access to the phone, but the leaked documents said “a remote installation capability will be pursued for a future release.”

Reprinted with permission from Quartz. The original story can be found here
