Slashdot Mirror
Private Data On iOS Devices Not So Private After All
theshowmecanuck (703852) writes with this excerpt from Reuters summarizing the upshot of a talk that Jonathan Zdziarski gave at last weekend's HOPE conference:
Personal data including text messages, contact lists and photos can be extracted from iPhones through previously unpublicized techniques by Apple Inc employees, the company acknowledged this week. The same techniques to circumvent backup encryption could be used by law enforcement or others with access to the 'trusted' computers to which the devices have been connected, according to the security expert who prompted Apple's admission. Users are not notified that the services are running and cannot disable them, Zdziarski said. There is no way for iPhone users to know what computers have previously been granted trusted status via the backup process or block future connections.
If you'd rather watch and listen, Zdziarski has posted a video showing how it's done.
What did you expect from a hipster marketing company? Privacy? Respect? Decency? HAH!
These so-called "smart telephones" aren't telephones at all; they are computers. Computers that you cannot control. And if you aren't, who is?
Some folks thought Richard Stallman was crazy for saying no-one should run software or use hardware that is based on clandestine (proprietary, hidden) knowledge. This latest revelation is just one reason he was right all along.
There's only one operating system in existence today that is worthy of even a small degree of trust: OpenBSD.
OpenBSD is the only operating system I know of that is open source, continually undergoes rigorous review, and has developers who put security above all else.
Since OpenBSD is the only operating system that is anywhere close to being secure, the only type of secure mobile device would be one running OpenBSD. I'm not aware of any of those, so it's obvious that any device not running OpenBSD should be considered insecure to begin with.
I posted this last night. Old news now.
The more we buy devices whose master is someone else, the more things of this very nature will become a problem.
Do not buy devices that you do not control after you buy them. You must be able to run any kernel and any userspace you want, you must be able to control the machine top to bottom. If you give this up in exchange for convenience, then you will be taken advantage of by companies that don't have your interests at heart.
It's good that you have that much faith in an OS. Just don't install anything on it.
If you store sensitive stuff on your iPhone, don't make backups from it onto an insecure/unencrypted computer.
And if you were making backups from anything secure onto anything insecure, it is time to revise your security policy.
Large corporations cannot be trusted to protect our secrets -- particularly when under the thumb of big-brother government!
Almost all the reports are getting the gist of the paper wrong -- any press summation that doesn't go into the paper to understand it will get it wrong. The paper goes into deep detail that Apple has several services that, while protected by several layers of security that could be bypassed, can transfer data in the clear. There are also several services that don't have any obvious connecting software.
It's a rather deep hacker-style dive into iOS.
A good video about this is by TWiT Network. At http://twit.tv/sn465 Security Now ep 465 has expert Steve Gibson explain the actual paper.
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
a4nd mortify1ng
I completely agree with jabberw0k, the only phones that actually exist are our 'home phones'.
We think these 'smart phones' are safer and better - yes they are easier and much better to use for everyday usage, but overall they are not safe!
The "researcher" and Reuters forgot to clearly call out that for the information to be extracted with the developer tools an iOS device must be trusted. Trust is established by plugging the device into a computer and the device MUST be unlocked.
This is akin to giving someone you don't trust a key to your house.
The it only works with a trusted device AND the device being unlocked.
If you gave your device PIN to someone, they already have your data and don't need to do this.
Due to the great advances in technology and the continuing reduction in cost of these technologies, what were previously "dumb" devices are now extremely sophisticated computers doing specialized tasks but they are not limited to these specialized task or to being used in the manner they were conceived for. As such almost all modern device from cameras to mp3 players can be re-purposed as digital "snitches". This is often true even if the device was not design or envisioned to so from the beginning or had countermeasures to inhibit the use of the device in that way. Such sophisticated devices can be reprogrammed or "hacked". Just accept this as true and if you can't due the research and enlighten yourself. So the only practical recourse is accept it and be careful if you have a good reason to believe your data is incriminating to you. Assume all devices have vulnerabilities or use paper instead and hope everyone has forgotten how to read that way.
Already debunked.
Irresponsible post.
When did Apple admit to anything? They said the researcher was wrong and described the settings that he found and what they are used for! I would trust Apple over Google any day! Eric Schmidt has lied so many times along with his colleagues that the whole company isn't trustful!
http://support.apple.com/kb/HT6331
http://www.macrumors.com/2014/07/22/apple-ios-backdoors-support-document/
iPhones have always been able to sync data out of their secure storage to the user's computer since launch. How did people think USB sync worked? Magical leprechauns that flew out of your phone carrying the data?
Heck, one of these is the developer daemon that runs on the phone to install apps from Xcode. Again, how exactly did people think Xcode did that?
These tools all require the phone be logged in, and that the right key exchange take place.
I can't tell if the "security researcher" here is just trolling, has never actually used an iPhone, it is just stupid.
NOT!
and yet /. folk cheer on the demise of BlackBerry.. the one phone that has a near flawless security record.
and yes, full disclosure, I own a z10. I also find it to be the best smart phone I've ever owned with battery life that my android friends can only dream about.
What's with all the repeat articles recently?
Both this story and the verizon/netflix story have already been posted to /. in the last week.
WRONG! I have the keys and yes the iPhone/iDevice can be accessed via remote tools. HOWEVER the device does not need to be unlocked!!! You need to use the force (google) my friend.
I agree. There is nothing new here. The only way this can be exploited in my experience is with iTunes Sync and using local (sharing)...not through a LAN. The guy is full of it....just another publicity hound.
I was however able to duplicate his process via usb though...but not over a LAN or WAN link.
So not sure how NSA/Hackers/Malware/Panic fits into this....it is all FUD!
Yeah, you know me! Why trust Other People's Encryption? If you encrypt data yourself, you control who can decrypt it - unless all crypto algorithms are compromised. When Google or Apple encrypt on your behalf, you don't really know what they're doing.
The conditions of use of Apple produced hardware don't amount to ownership. You don't control the device - Apple does. Apple being a US company, has the same contempt for the rights of individuals as the US government. Steer clear.
Who would have thought that a trusted device would have access to your data? Why that would allow you to share your data with devices! Not to mention the technical aspects that allow them to diagnose and correct problems! HOW DARE THEY.
J.Z. has been trying to 'bust through' with some 'epic' backdoor revolation for along time. This is not it. Sadly the media have eaten it up. Seriously this is like saying that IF you unlock your truecrypt container ..... truecrypt can read ALL your data!
In a conference presentation this week, researcher Jonathan Zdziarski showed how the services take a surprising amount of data for what Apple now says are diagnostic services meant to help engineers.
...
Apple denied creating any “back doors” for intelligence agencies. “We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues,” Apple said. “A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data.”
These two paragraphs (three paragraphs apart) completely contradict each other. Off hand I will believe the security researcher over Apple. Everyone with any brains understands that ALL "smart" phones (both Android AND iOS) are designed from the ground up to spy on you.
Asked if Apple had used the tools to fulfill law enforcement requests, Apple did not immediately respond.
That is pretty much an admission that they are gagged by a national security letter and their lawyers are working on a response that won't really say anything.