HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert

Don't panic though – Apple's backdoor is not wide open to all, guru tells us

Updated An analysis of Apple's iOS operating system by a security expert has revealed various tools in the software that could be used for surveillance if one were so inclined.

Jonathan Zdziarski concluded that the vast majority of iThing owners are unaware of lax mechanisms protecting their data.

Data forensics expert and author Zdziarski wrote an academic paper on his findings in March, and gave a related talk [PDF mirror] at the Hackers On Planet Earth (HOPE X) conference in New York on Friday.

The results of his research – triggered by reports of the NSA spying on Apple products – indicate a backdoor in iOS, although it's not as wide open as some reports have suggested.

"There are certain steps that have to be taken to get this data," Zdziarski told The Register. "Backdoors are guarded, there are things protecting it – you don’t just type 'Joshua' for full access."

Zdziarski's analysis shows that 600 million iOS devices, particularly those running the most recent version 7 builds, have data discovery tools that are separate from those used by Apple for standard backup and storage. These include a file-relay service that can snoop out data, bypassing the Backup Encryption service offered by Apple.

This data includes a copy of the user's address book, stored photos, the voicemail database and audio files, any accounts configured on the device such as iCloud, Facebook or Twitter, a cache of screenshots, keystrokes and the device's clipboard, GPS data, and – on iOS 7 – a metadata disk sparseimage of the iOS file system.

Zdziarski notes that this is a one-way tool, in that it's very useful for taking data off the device but not for putting it back on for a backup service. The data is also in too raw a format to be of any use to a Genius Bar tech support team.

In addition there is also, we're told, a packet sniffer dubbed com.apple.pcapd on the device that fires up without notifying the iOS device's owner. This can log and export network traffic and HTTP request/response data from the device and could be targeted via Wi-Fi for remote monitoring, Zdziarski said.

This software isn't some legacy code left on the device by Apple engineers for testing – it has been actively updated and expanded in various iOS revisions, according to Zdziarski.

But it's not something Apple has talked about, or even officially documented, and seems to have little to offer other than for those who seek to slurp data off iOS devices. It is separate from the packet-tracing techniques described on the Apple developer website.

When the cops come knocking...

One possibility is that the software is needed so that the gadgets conform to the 1994 Communications Assistance for Law Enforcement Act (CALEA), which requires tech firms to have systems in place to allow properly accredited law enforcement limited access for wiretapping.

But Zdziarski told El Reg that the software didn’t look fit for that purpose.

"I think Apple has exceeded any requirements the CALEA law has with these tools," he said. "The existence of these interfaces exceeds anything that law requires. It could be that there's some kind of secret court order requiring this, but if there is then the public needs to know about and understand that."

Of course, to access all these hidden tools you'd need access to the target's iPhone, and Apple's security is invincible, right? Not so fast there: Zdziarski has also uncovered a way to get around this that, while hard for common-or-garden hackers, wouldn't be too tough for law enforcement.

When an iOS device pairs with a desktop system to sync data, the mobile operating system establishes a trusted connection and stores a set of keys and certificates in a single file on both the PC and the device. Only a factory reset wipes this pairing data from the iOS device.

While pairing is done over USB, if someone has access to this pairing data, the device becomes much easier to crack. The pairing data is exchanged via TCP port 62078, and an attacker could log onto the device in seconds if they share the same Wi-Fi network.
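A defender-side illustration of the exposure just described, added here as an example (Python) that is not from the article or from Zdziarski's work: it scans flow records for TCP connections to the lockdown port 62078 on managed iOS devices from any host other than those known to be legitimately paired. The flow lines, device address range and sync-host allowlist are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

LOCKDOWN_PORT = 62078  # port named in the article for the pairing/lockdown service

# Constructed flow records: "timestamp src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2014-07-21T09:00:01 10.0.20.15 10.0.20.40 62078 tcp
2014-07-21T09:00:03 10.0.20.15 10.0.20.40 62078 tcp
2014-07-21T09:01:10 10.0.20.77 10.0.20.40 62078 tcp
2014-07-21T09:02:00 10.0.20.77 10.0.20.41 443 tcp
2014-07-21T09:03:30 10.0.30.9 10.0.20.40 62078 udp
"""

# Hypothetical allowlist: hosts that are legitimately paired with devices
KNOWN_SYNC_HOSTS = {"10.0.20.15"}
# Hypothetical inventory: address range of managed iOS devices
IOS_DEVICES = ipaddress.ip_network("10.0.20.40/31")


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    count: int


def parse_flows(text):
    """Yield (timestamp, src, dst, dport, proto) tuples from flow lines."""
    for line in text.splitlines():
        ts, src, dst, dport, proto = line.split()
        yield ts, src, dst, int(dport), proto


def lockdown_alerts(text, allowlist=KNOWN_SYNC_HOSTS, devices=IOS_DEVICES):
    """Return one Alert per (src, dst) pair for TCP connections to port 62078
    on a managed iOS device from a host that is not on the sync allowlist."""
    counts = {}
    for _ts, src, dst, dport, proto in parse_flows(text):
        if proto != "tcp" or dport != LOCKDOWN_PORT:
            continue  # only the lockdown service is of interest here
        if ipaddress.ip_address(dst) not in devices:
            continue  # destination is not one of our iOS devices
        if src in allowlist:
            continue  # known, legitimately paired sync host
        counts[(src, dst)] = counts.get((src, dst), 0) + 1
    return [Alert(s, d, n) for (s, d), n in sorted(counts.items())]


if __name__ == "__main__":
    for a in lockdown_alerts(SAMPLE_FLOWS):
        print(f"ALERT: {a.src} -> {a.dst}:{LOCKDOWN_PORT} ({a.count} connections)")
```

Because a stolen pairing record lets the lockdown service be reached over Wi-Fi rather than USB, any network-side connection to this port from an unexpected host is worth a closer look.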

Getting access to pairing data would be tricky for a hacker working alone, but if law enforcement impounds someone's desktop, it's easy for a cop or g-man to crack any iOS device the PC is paired with. If you're the NSA, with a Tailored Access Operations division that specializes in this sort of thing, getting into Apple's backdoor is easy as pie.

Zdziarski said he was inspired to delve deeper into iOS security after reading a report in Der Spiegel that the NSA was targeting iOS gadgets and the systems they are paired with. While Zdziarski says he doesn't want to be sensationalist about his findings, it's clear Apple owes customers some answers.

Cook & Co were unavailable for comment at time of going to press. ®

Updated to add

After publication, Apple apparently briefed journalists that the services identified by Zdziarski are not deliberately provided for government agencies to exploit. Instead, they are for "diagnostic" purposes and to allow enterprise IT bods to manage workers' devices.

"The problem with this is that these services dish out data (and bypass backup encryption) regardless of whether or not 'Send Diagnostic Data to Apple' is turned on or off, and whether or not the device is managed by an enterprise policy of any kind," Zdziarski responded on his blog.

"Every single device has these features enabled and there’s no way to turn them off, nor are users prompted for consent to send this kind of personal data off the device."

Defenders of Apple have been quick to suggest that the mechanisms highlighted by Zdziarski are known to some developers; for example, an unofficial open-source client exists for the file-relay service so that Linux computers can talk to iThings, and some notes exist for lockdownd. However, the presence of these services is not flagged up to users, and the pcapd daemon remains unexplained – indeed, Apple's documentation insists: "iOS does not support packet tracing directly." All of which is a cause for concern.

"The consumer is also not aware of these mechanisms, nor are they prompted in any way by the device. There is simply no way to justify the massive leak of data as a result of these services, and without any explicit consent by the user," he added.

"I don’t buy for a minute that these services are intended solely for diagnostics. The data they leak is of an extreme personal nature. There is no notification to the user. A real diagnostic tool would have been engineered to respect the user, prompt them like applications do for access to data, and respect backup encryption."
