If you use an iPhone or iPad, your photos, web history, and GPS logs are vulnerable to theft and surveillance via back-door protocols running on all iOS devices, according forensic scientist Jonathan Zdziarski, better known by the hacker moniker “NerveGas.”
In a security-conscious era, we’re used to hearing about zero-day exploits—newly-discovered security holes that can be used to steal personal data or snoop on unsuspecting users. But Zdziarski says the vulnerabilities he has discovered were intentionally installed by Apple and have existed for years.
The new allegations could have a major impact on Apple in China, where state-owned media have argued that the company’s ability to access user data makes the iPhone a national security risk. Apple responded to those claims by saying that it never “worked with any government agency from any country to create a backdoor in any of our products or services.”
In a presentation at the Hackers On Planet Earth conference on Friday, Zdziarski outlined his investigation of the undocumented services, as published in the March issue of Digitial Investigation (paywall). His conclusion: while iOS 7 security is pretty good overall, it has hidden back doors that could be exploited.
The protocols and hidden tools he found use “paired” computers, which have been connected to the iOS device via a USB cable. They include a “packet sniffer” that monitors and logs network traffic, and a file transfer service which can deliver a data dump that could include social media logins, contacts, voicemail messages, and photo albums. The user data is unencrypted, even when a setting to encrypt backup data is turned on. Users could be tricked into allowing untrusted computers to pair when they plug their iDevices in to charge, or attackers could acquire pairing credentials from a computer that has synched in the past.
In a response to Zdziarski, Apple said iOS is designed “so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers, and Apple for troubleshooting technical issues.” The company added that users “must agree to share this information, and data is never transferred without their consent.”
Zdziarski disputed that users can control whether their data is shared. “I don’t buy for a minute that these services are intended solely for diagnostics,” he said on his blog.
So why then would these services exist? They could potentially be used by law enforcement or national security agencies to access the devices, either on their own or working with Apple through a subpoena, but Zdziarski urged people not to jump to conclusions.
“I have NOT accused Apple of working with NSA, however I suspect (based on released documents) that some of these services MAY have been used by NSA to collect data on potential targets. I am not suggesting some grand conspiracy; there are, however, some services running in iOS that shouldn’t be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer.”
There’s certainly a precedent of government taking advantage of iOS security holes. An NSA document leaked last year describes a program known as DROPOUTJEEP that targets iPhones and lets a remote attacker pull text messages, contact lists, voicemail, geolocation data, listen to the microphone, and take pictures. Installation requires physical access to the phone, but the leaked documents said “a remote installation capability will be pursued for a future release.”