Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher Finds Hidden Data-Dumping Services In iOS

Posted by samzenpus on from the don't-take-my-data-bro dept.

Trailrunner7 writes There are a number of undocumented and hidden features and services in Apple iOS that can be used to bypass the backup encryption on iOS devices and remove large amounts of users' personal data. Several of these features began as benign services but have evolved in recent years to become powerful tools for acquiring user data.

Jonathan Zdziarski, a forensic scientist and researcher who has worked extensively with law enforcement and intelligence agencies, has spent quite a bit of time looking at the capabilities and services available in iOS for data acquisition and found that some of the services have no real reason to be on these devices and that several have the ability to bypass the iOS backup encryption. One of the services in iOS, called mobile file_relay, can be accessed remotely or through a USB connection can be used to bypass the backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via data protection can be accessed, whether by an attacker or law enforcement, Zdziarski said. Update: 07/21 22:15 GMT by U L : Slides.

23 of 98 comments (clear)

  1. Pedos, drug lords, and terrorists take notice!! by rodrigoandrade · · Score: 5, Funny

    Everyone else, every law-abiding citizen, may move on, nothing to see here...

    1. Re:Pedos, drug lords, and terrorists take notice!! by gstoddart · · Score: 4, Insightful

      I'm going with "if you have nothing to hide, you have nothing to fear".

      Which isn't so much a paranoid delusion, as it is a prevalent sentiment.

      --
      Lost at C:>. Found at C.
  2. 2 Questions by CanHasDIY · · Score: 3, Interesting

    1) Can this method be used to bypass iCloud?

    2) Does anyone have a write-up of how it works? I've got a lost-to-pawn iPad that need wiped, and will likely have more come into the shop in the future.

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
  3. Huge Caveat! by rabtech · · Score: 5, Informative

    There is a huge caveat here:

    You can only do this if you have the keys from a computer you have sync'd with previously. That only happens if you enter your passcode then see the "Trust this Computer" prompt on a computer that has iTunes installed and you click "Trust" at the prompt. That creates a set of sync keys that the iOS device will then accept to access the various services.

    Some of the stuff he complains about is only enabled for devices used for development or if the device is enrolled in enterprise provisioning. As far as I'm aware, Apple requires that the company purchase the device on the company account to support over the air enrollment in this system so it wouldn't affect personal devices. Even for USB connected devices, you must enter the password/passcode to allow the device to be visible to MDM tools in the first place. Even enabling development mode requires entering the password/passcode.

    The one main point he brings up (which I agree with) is Apple needs to provide a way to see the list of computers on your device and remove them.

    There are some other more theoretical issues here that Apple should address, but no your iPhone is not running a packet sniffer and will not hand over files to anyone who connects. If your device isn't provisioned for enterprise and has never connected to a PC to sync (the vast majority of iOS devices these days) then as far as I can tell, none of the issues he found are of any use whatsoever.

    --
    Natural != (nontoxic || beneficial)
    1. Re:Huge Caveat! by 93+Escort+Wagon · · Score: 4, Informative

      That only happens if you enter your passcode then see the "Trust this Computer" prompt on a computer that has iTunes installed and you click "Trust" at the prompt. That creates a set of sync keys that the iOS device will then accept to access the various services.

      The article made that very clear. But it's not clear to me where these keys are stored - is it on the disk, unprotected, or is it in your encrypted keychain? If the former, it seems to me that - unless you encrypt your computer's hard disk - this means anyone with unfettered access to your computer could get at these keys and thereby get at everything on your iOS device. If the latter, it would be much more difficult to do, even if they otherwise got access to your account.

      The guy said he uses this to monitor his kids (which, depending on their age, might be a bit jerky in my opinion). However since he seems like an overzealous parent, I'm wondering if he has his kids' passwords etc., which would be necessary if these keys are in the keychain.

      --
      #DeleteChrome
    2. Re:Huge Caveat! by jittles · · Score: 4, Informative

      That only happens if you enter your passcode then see the "Trust this Computer" prompt on a computer that has iTunes installed and you click "Trust" at the prompt. That creates a set of sync keys that the iOS device will then accept to access the various services.

      The article made that very clear. But it's not clear to me where these keys are stored - is it on the disk, unprotected, or is it in your encrypted keychain? If the former, it seems to me that - unless you encrypt your computer's hard disk - this means anyone with unfettered access to your computer could get at these keys and thereby get at everything on your iOS device. If the latter, it would be much more difficult to do, even if they otherwise got access to your account.

      The guy said he uses this to monitor his kids (which, depending on their age, might be a bit jerky in my opinion). However since he seems like an overzealous parent, I'm wondering if he has his kids' passwords etc., which would be necessary if these keys are in the keychain.

      Unless Apple has changed the way this process works, the keys you need to get it to sync aren't in the keychain at all. ON a mac you can find them in ~/Library/MobileSync or something like that. On later versions of Windows it'll be in Users\\AppData\Roaming\Apple\MobileSync

      You can quite literally copy and paste them from one machine to another in order to trick an iDevice into syncing with multiple iTunes libraries at once, though you can run into problems with that if you're not careful. However, if encryption is enabled on backups, then you must know the passphrase to actually access a device backup. It's been years since I've played around with this, so I may bit a bit off on the exact directory locations, but they are basically just files sitting around in your user folder.

  4. Attacker or law enforcement? by Anonymous Coward · · Score: 4, Insightful

    whether by an attacker or law enforcement

    For those who are innocent, law enforcement IS the attacker.

  5. DROPOUTJEEP backdoor by Animats · · Score: 4, Interesting

    This may be the backdoor known as DROPOUTJEEP, which was described in some Snowden-leaked documents last year.

    Looks like Apple sold out, put in a backdoor, and then lied about it.

    1. Re:DROPOUTJEEP backdoor by HornWumpus · · Score: 3, Funny

      Not a MS shill. But a consultant. Just because I'm a whore, doesn't mean I'm cheap.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  6. XOR by Himmy32 · · Score: 4, Insightful

    The summary seems to imply that law enforcement and being an attacker are mutually exclusive...

  7. DON'T PANIC by Anonymous Coward · · Score: 5, Informative

    Why link to a re-post and not to the source: http://www.zdziarski.com/blog/

    There we find this:

    DON'T PANIC

    Before the journalists blow this way out of proportion, this was a talk I gave to a room full of hackers explaining that while we were sleeping, this is how some features in iOS have evolved over the PAST FEW YEARS, and of course a number of companies have taken advantage of some of the capabilities. I have NOT accused Apple of working with NSA, however I suspect (based on released documents) that some of these services MAY have been used by NSA to collect data on potential targets. I am not suggesting some grand conspiracy; there are, however, some services running in iOS that shouldnâ(TM)t be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer. I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices. At the same time, this is NOT a zero day and NOT some widespread security emergency. My paranoia level is tweaked, but not going crazy. My hope is that Apple will correct the problem. Nothing less, nothing more. I want these services off my phone. They donâ(TM)t belong there.

    1. Re:DON'T PANIC by 0123456 · · Score: 4, Insightful

      How can you say that and yet still buy such devices? It's not like one doesn't have a choice...

      Yes, they could buy Android instead. Or Windows.

      Oh, hang one...

    2. Re:DON'T PANIC by TechyImmigrant · · Score: 3, Funny

      Try BeOS.
      Not a high profile target for the feds, the police or the Russian mob.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    3. Re:DON'T PANIC by gstoddart · · Score: 5, Insightful

      How can you say that and yet still buy such devices? It's not like one doesn't have a choice...

      And how much crap is installed on Android you can't disable (or know is there) without rooting your phone?

      How much crap on Windows phone? I bet you can neither disable nor know it's there.

      Your BlackBerry?

      So, please, tell us, how are Android, Windows or BlackBerry phones any better? Can you prove none of them has something similar?

      I very much doubt you can.

      You can choose to not have a device at all, but I have my doubts you can choose a phone which doesn't have similar security holes you know nothing about.

      --
      Lost at C:>. Found at C.
    4. Re:DON'T PANIC by joh · · Score: 4, Insightful

      Android has the Google Play Services that has all permissions, that can update itself without asking or even telling the user and that has access to EVERYTHING on the phone. If the NSA wants you data, it gets it. Period.

      And really, you need to do some reality-check here. You can't protect yourself against that. No way. Not without building your own hardware, writing your own software, including the firmware and the baseband.

      All the geeks dreaming of technical solutions to political problems are just dreamers. What we need is some sane checks and balances for when and in which cases such things are used. This is a political problem and the first step to home in to a solution is accepting that there ARE cases where law enforcement and government agencies indeed have a right and a need to do this. Without accepting this you will only continue to shake your fists and even IF you may get into power with steadfastly requiring 100% security against everyone: Once you will notice that people will use the Internet and mobile devices to organize against you then, you WILL turn around and cry for surveillance and WILL try to defend yourself. Freedom has to have some teeth and hands and eyes to defend itself. The point is not to pull the teeth, the point is how to tame them. There are no technical solutions to that problem.

    5. Re:DON'T PANIC by mysidia · · Score: 3, Funny

      The only secure Android phone is what is running Cyanogenmod.

      No... the only secure Android phone is the one you pulled the battery out on.

      iPhone is trickier... since there's no removable battery: it is very hard to secure. Best bet is to wrap it in tin foil and let the battery drain down on its own, then when it reaches 0% it will be secure

  8. Legitimate engineering uses by tipo159 · · Score: 4, Interesting

    Apple is often prone to adding capabilities without thinking through the security implications. But this researcher should do some more research into what constitutes legitimate engineering uses.

    From TFA:

    “Some of this data shouldn’t be on the phone. HFSMeta creates a disk image of everything that’s on the phone, not the content but the metadata,” Zdziarski said. “There’s not even an engineering use for that.”

    I can imagine plenty of legitimate uses of just metadata. For example, the old iOS backup mechanism basically took a snapshot of everything and something like HFSMeta could be used to identify the files that have changed so only those files are backed up.

    1. Re:Legitimate engineering uses by thoromyr · · Score: 4, Informative

      not to mention "...creates a disk image of everything that’s on the phone..." is misleading, even with the following caveat. It would be far more accurate to say something like "...creates a copy of file access times of everything that's on the phone, and other metadata such as file size and other timestamps." But that wouldn't be bait for journalists and misquotation. (And if the dumped iOS file system metadata includes other things, perhaps mention those -- but timestamps and file size are the main things.)

  9. ? Well it's also kind of problematic by Crashmarik · · Score: 4, Insightful

    For people who lose/have their device stolen.

  10. Too many words by joh · · Score: 5, Insightful

    People want to read something like "The iPhone has a secret backdoor for the NSA!!!". Anything much longer than that will never be read or understood by most people.

    It's hopeless. Ask 100 people who have heard of this and 95 of them will tell you that it is proven now that the iPhone has a secret backdoor for the NSA over which all data can just be read by them.

    (And I'm not even saying that it has NO such backdoor. Maybe it has. But this isn't it. This just isn't designed for mass surveillance, it needs a cooperating user and individual access to a device the user has connected his iPhone to. Maybe it's a side door for law enforcement and/or forensics additionally to a debugging tool.)

    1. Re:Too many words by Charliemopps · · Score: 3, Informative

      People want to read something like "The iPhone has a secret backdoor for the NSA!!!". Anything much longer than that will never be read or understood by most people.

      It's hopeless. Ask 100 people who have heard of this and 95 of them will tell you that it is proven now that the iPhone has a secret backdoor for the NSA over which all data can just be read by them.

      (And I'm not even saying that it has NO such backdoor. Maybe it has. But this isn't it. This just isn't designed for mass surveillance, it needs a cooperating user and individual access to a device the user has connected his iPhone to. Maybe it's a side door for law enforcement and/or forensics additionally to a debugging tool.)

      Except for the fact that Apples handing all of your data over to the NSA anyway. Apple has a very cozy relationship with the US federal government.
      http://cdn.bgr.com/2013/11/app...

      But at least Apple held off for longer than some of the others:
      http://static.guim.co.uk/sys-i...

      Long story short? The NSA doesn't need this backdoor, it's a lot easier to just go strait to apple.

    2. Re:Too many words by joh · · Score: 4, Insightful

      People want to read something like "The iPhone has a secret backdoor for the NSA!!!". Anything much longer than that will never be read or understood by most people.

      It's hopeless. Ask 100 people who have heard of this and 95 of them will tell you that it is proven now that the iPhone has a secret backdoor for the NSA over which all data can just be read by them.

      (And I'm not even saying that it has NO such backdoor. Maybe it has. But this isn't it. This just isn't designed for mass surveillance, it needs a cooperating user and individual access to a device the user has connected his iPhone to. Maybe it's a side door for law enforcement and/or forensics additionally to a debugging tool.)

      Except for the fact that Apples handing all of your data over to the NSA anyway. Apple has a very cozy relationship with the US federal government.
      http://cdn.bgr.com/2013/11/app...

      According to that table there were 0 - 1000 cases in which "some" content data was disclosed to law enforcement in the US (and 1 in the UK and 0 in about 30 other countries). You call this "a very cozy relationship"? With 313 million citizens in the US there were less than 1000 requests granted. What's "cozy" about that?

  11. Re:JCS does not like Crypto devices by Anonymous Coward · · Score: 3, Insightful

    Don't by the corporate colored glass beads, but roll your own crypto. Its not actually hard.

    WHAT THE FUCK ARE YOU SMOKING? Rolling your own crypto is HARD. The near infinite number of ways you can screw up (fucked implementations like "optimizations", timing attacks, electromagnetic leakage, poor handling of entropy and key material--the list goes on and on) automatically make rolling your own crypto a bad idea.

    You want better security, support the open source hardware and software guys (especially crypto devs who put out established/trustworthy products like OpenBSD).

    And yes, I've written plenty of crypto code and STILL don't trust any of it.