
iPhones Have a Major Security Hole That Apple Installed on Purpose


If you use an iPhone or iPad, your photos, web history, and GPS logs are vulnerable to theft and surveillance via back-door protocols running on all iOS devices, according to forensic scientist Jonathan Zdziarski, better known by the hacker moniker “NerveGas.”

In a security-conscious era, we’re used to hearing about zero-day exploits—newly-discovered security holes that can be used to steal personal data or snoop on unsuspecting users. But Zdziarski says the vulnerabilities he has discovered were intentionally installed by Apple and have existed for years.

The new allegations could have a major impact on Apple in China, where state-owned media have argued that the company’s ability to access user data makes the iPhone a national security risk. Apple responded to those claims by saying that it never “worked with any government agency from any country to create a backdoor in any of our products or services.”

In a presentation at the Hackers On Planet Earth conference on Friday, Zdziarski outlined his investigation of the undocumented services, as published in the March issue of Digital Investigation (paywall). His conclusion: while iOS 7 security is pretty good overall, it has hidden back doors that could be exploited.

The protocols and hidden tools he found use “paired” computers, which have been connected to the iOS device via a USB cable. They include a “packet sniffer” that monitors and logs network traffic, and a file transfer service which can deliver a data dump that could include social media logins, contacts, voicemail messages, and photo albums. The user data is unencrypted, even when a setting to encrypt backup data is turned on. Users could be tricked into allowing untrusted computers to pair when they plug their iDevices in to charge, or attackers could acquire pairing credentials from a computer that has synched in the past.

In a response to Zdziarski, Apple said iOS is designed “so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers, and Apple for troubleshooting technical issues.” The company added that users “must agree to share this information, and data is never transferred without their consent.”

Zdziarski disputed that users can control whether their data is shared. “I don’t buy for a minute that these services are intended solely for diagnostics,” he said on his blog.

So why then would these services exist? They could potentially be used by law enforcement or national security agencies to access the devices, either on their own or working with Apple through a subpoena, but Zdziarski urged people not to jump to conclusions.

“I have NOT accused Apple of working with NSA, however I suspect (based on released documents) that some of these services MAY have been used by NSA to collect data on potential targets. I am not suggesting some grand conspiracy; there are, however, some services running in iOS that shouldn’t be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer.”

There’s certainly a precedent of government taking advantage of iOS security holes. An NSA document leaked last year describes a program known as DROPOUTJEEP that targets iPhones and lets a remote attacker pull text messages, contact lists, voicemail, and geolocation data, listen to the microphone, and take pictures. Installation requires physical access to the phone, but the leaked documents said “a remote installation capability will be pursued for a future release.”

Reprinted with permission from Quartz.
