Forensic scientist identifies suspicious 'back doors' running on every iOS device

starbuck

Malware Removal Specialist - Administrator
In Memory
Joined
Jul 16, 2014
Messages
1,147
Location
Midlands, England
During his talk at HOPE/X Jonathan Zdziarski detailed several undocumented services (with names like 'lockdownd,' 'pcapd,' 'mobile.file_relay,' and 'house_arrest') that run in the background on over 600 million iOS devices.

The HOPE conference started in 1994 and bills itself as "one of the most creative and diverse hacker events in the world."

Zdziarski, better known as the hacker "NerveGas" in the iPhone development community, worked as a dev-team member on many of the early iOS jailbreaks and is the author of five iOS-related O'Reilly books including "Hacking and Securing iOS Applications."

In December 2013, an NSA program dubbed DROPOUTJEEP was revealed by security researcher Jacob Appelbaum that reportedly gave the agency almost complete access to the iPhone.

The leaked document, dated 2008, noted that the malware required "implant via close access methods" (presumably physical access to the iPhone) but ominously noted that "a remote installation capability will be pursued for a future release."

In his talk, Zdziarski demonstrates "a number of undocumented high-value forensic services running on every iOS device" and "suspicious design omissions in iOS that make collection easier." He also provides examples of forensic artifacts acquired that "should never come off the device" without user consent.

According to one slide the iPhone is "reasonably secure" to a typical attacker and the iPhone 5 and iOS 7 are more secure from everybody except Apple and the government. But he notes that Apple has "worked hard to ensure that it can access data on end-user devices on behalf of law enforcement" and links to Apple's Law Enforcement Process Guidelines, which clearly spell this out.

Several commercial forensic software manufacturers including Cellebrite, AccessData, and Elcomsoft are currently using these backdoor iOS services and selling their wares to law enforcement agencies for huge profits, according to Zdziarski.

Zdziarski's questions for Apple include:
  • Why is there a packet sniffer running on 600 million personal iOS devices instead of moved to the developer mount?
  • Why are there undocumented services that bypass user backup encryption that dump mass amounts of personal data from the phone?
  • Why is most of my user data still not encrypted with the PIN or passphrase, enabling the invasion of my personal privacy by YOU?
  • Why is there still no mechanism to review the devices my iPhone is paired with, so I can delete ones that don’t belong?
... and his last slide (page 57 of the PDF) sums it up nicely:
  • Apple is dishing out a lot of data behind our backs
  • It’s a violation of the customer’s trust and privacy to bypass backup encryption
  • There is no valid excuse to leak personal data or allow packet sniffing without the user’s knowledge and permission.
  • Much of this data simply should never come off the phone, even during a backup.
  • Apple has added many conveniences for enterprises that make tasty attack points for .gov and criminals
  • Overall, the otherwise great security of iOS has been compromised… by Apple… by design.
Source and Full report:
http://www.zdnet.com/forensic-scien...-every-ios-device-7000031795/#ftag=RSS86a1aa4
 
Yesterday I wrote about Forensic Scientist Jonathan Zdziarski's presentation at HOPE/X where he demonstrated "a number of undocumented high-value forensic services running on every iOS device" and "suspicious design omissions in iOS that make collection easier."

Apple today addressed some of his concerns with a new knowledgebase article called iOS: About diagnostic capabilities. In it Apple refers to the services identified by Zdziarski (including "pcapd," "file_relay," and "house_arrest") as "diagnostic capabilities to help enterprise IT departments, developers, and AppleCare troubleshoot issues."

The Apple KB article notes that the services require the iOS device to be unlocked and in a trusting relationship with another computer. It also notes that data transmitted between the iOS device and the trusted computer is encrypted with keys not shared with Apple.

The document justifies three of the services as follows:

1. com.apple.mobile.pcapd
pcapd supports diagnostic packet capture from an iOS device to a trusted computer. This is useful for troubleshooting and diagnosing issues with apps on the device as well as enterprise VPN connections. You can find more information at developer.apple.com/library/ios/qa/qa1176.
2. com.apple.mobile.file_relay
file_relay supports limited copying of diagnostic data from a device. This service is separate from user-generated backups, does not have access to all data on the device, and respects iOS Data Protection. Apple engineering uses file_relay on internal devices to qualify customer configurations. AppleCare, with user consent, can also use this tool to gather relevant diagnostic data from users' devices.
3. com.apple.mobile.house_arrest
house_arrest is used by iTunes to transfer documents to and from an iOS device for apps that support this functionality. This is also used by Xcode to assist in the transfer of test data to a device while an app is in development.

Jonathan Zdziarski has yet to respond to Apple's response.
Source and Full report:
http://www.zdnet.com/apple-refers-t...stic-capabilities-7000031898/#ftag=RSS86a1aa4