Feeds

iOS slurpware brouhaha: It's for diagnostics, honest, says Apple

Hidden packet sniffer claims hit Cupertino

Beginner's guide to SSL certificates

Faced with a growing backlash, Apple has added a page to its support website explaining iOS's previously unexplained data-slurping tools – which were recently highlighted by security researcher Jonathan Zdziarski.

The utilities – which includes a silent packet sniffer, a file relay system that bypasses Apple's Backup Encryption, and other information-shifting systems – sparked alarm this week: Cupertino hadn't officially warned millions of its iThing users about the built-in mechanisms nor the potential for attackers to harvest personal data from iOS devices using said entry points.

In the support document, Apple says the mysterious subsystems can only work when used between a desktop and iOS device that trust each other. Unfortunately, that doesn't completely stop miscreants and the feds from abusing that trust – thanks to the pairing system detailed by Zdziarski in an academic paper in March and presentation [PDF] at the Hackers On Planet Earth (HOPE X) conference.

Apple's side of the story

Apple says iOS's undocumented packet sniffer, com.apple.mobile.pcapd, is used for setting up enterprise VPN tunnels, and for troubleshooting problems on iPhones, iPads and iPods. The file relay, com.apple.mobile.file_relay, is designed to be used by its engineers and AppleCare staff, and the company insists that it "does not have access to all data on the device."

The third component under the microscope, com.apple.mobile.house_arrest, is used by Xcode to transfer test data to a device and to shift documents around in iTunes, Apple claims.

Cupertino's explanations haven't impressed Zdziarski. In a detailed blog post, he has taken apart Apple's documentation, and highlights some fairly worrying aspects of the code as it stands.

Researcher's rebuttal

He points out that in all cases, the under-fire software in iOS is activated and run without the owner's consent or knowledge. Some of the tools may be just for developers and enterprise IT managers, but that it is built into every iOS device as standard is just plain weird or lazy.

The network packet sniffer in particular can be activated silently in the background and used to send a whole host of personal data from the gadget wirelessly, provided the correct pairing data is available. There's no way for normal folk to know if their iPhone, iPad or iPod is leaking data.

As for the file relay system, Zdziarski scoffed at Apple's insistence that it is only needed for diagnostic data. The software can download text messages, notes, a device's address book, personal photos, location data, and screenshots – something a diagnostics engineer would never need, he argued.

In addition, the file relay bypasses the inbuilt data encryption to gather all this information – and this can be done wirelessly and without the user's knowledge or consent. "File relay is far too sloppy with personal data, and serves up a lot more than 'diagnostics' data," he concludes.

As for the House Arrest function, Zdziarski agrees that iTunes and Xcode use the software, but points out that it also accesses a wealth of personal data, including the OAuth tokens that can be used to access personal accounts and private conversations, which isn’t strictly speaking needed for the functions Apple states.

"I give Apple credit for acknowledging these services, and at least trying to give an answer to people who want to know why these services are there – prior to this, there was no documentation about file relay whatsoever, or its 44 data services to copy off personal data," he wrote. (Bear in mind Zdziarski's website has been buckling under the weight of visitors hitting it.)

"They appear to be misleading about its capabilities, however, in downplaying them, and this concerns me. I wonder if the higher ups at Apple really are aware of how much non-diagnostic personal information it copies out, wirelessly, bypassing backup encryption."

In response to some of the more excitable media reports of NSA backdoors being built in by Apple, Zdziarski tells users not to panic. Many of the problems with the software are down to their overly broad reach and have flaws that could be used by an outside attacker, but there's no evidence that they were put there for any reason other than poor engineering. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.