A well-known iPhone hacker and forensic scientist has uncovered a number of undocumented, hidden services in Apple’s iOS mobile operating system. These undocumented services make it possible for an attacker to bypass iOS backup encryption and pull large amounts of personal data off a device without entering a backup password or the device passcode (Apple’s fingerprint reader adds no protection here).
Data forensics expert Jonathan Zdziarski posted his presentation online as a PDF, “Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Devices”, after first disclosing the findings at the Hackers on Planet Earth (HOPE X) conference held in New York last Friday.
Jonathan Zdziarski, known as “NerveGas” in the iPhone development community, worked as a development team member on many early iOS jailbreaks and has authored several iOS-related O’Reilly books, including “Hacking and Securing iOS Applications.”
Zdziarski’s research indicates there are multiple backdoors in the iOS operating system.
Zdziarski found the backdoor alongside the iTunes backup mechanism, the feature that lets users back up their device’s camera roll, documents, email account passwords, messages, settings, passwords entered into websites and stored Wi-Fi passwords. For further protection, iTunes allows users to protect that backup with optional encryption.
Zdziarski studied the capabilities and services available in iOS for data acquisition and found that over 600 million iOS devices, particularly those running iOS 7, have hidden data-acquisition tools built in. He described them as “undocumented features” that are able to bypass iTunes backup encryption, but only under certain circumstances.
When a backup is encrypted, the device holder must enter the backup password to turn encryption on or off and to restore from the backup. Zdziarski describes, however, a built-in iOS service called com.apple.mobile.file_relay that can be reached remotely or over a USB connection from any computer that holds a valid pairing record for the device, and that hands out the data without the backup password, bypassing the backup encryption entirely.
The data that can be recovered includes a full copy of the phone’s address book, including deleted entries, stored photos, the voicemail database, audio files, and account configurations on the device such as iCloud, email logins, Facebook accounts, Twitter accounts and a number of other services. It also includes the user’s cache of screenshots, keystrokes, the device’s clipboard and GPS data, all without a backup password ever being entered.
“Between this tool and other services, you can get almost the same information you could get from a complete backup,” Zdziarski said in an interview. “What concerns me the most is that this all bypasses the consumer backup encryption. When you click that button to encrypt the backup, Apple has made a promise that the data that comes off the device will be encrypted.”
Two other services were also uncovered: com.apple.pcapd, a packet sniffer, and com.apple.mobile.house_arrest. Both may have legitimate uses and help application developers, but they can also be used to spy on users by government agencies and other malicious parties who know the services are present.
The pcapd service can be activated without notifying the device’s owner and allows an attacker to remotely monitor all network traffic flowing in and out of the device, including over its Wi-Fi connection; it is active even when the device is not in a special developer or support mode. pcapd was found to be able to log and export network traffic and HTTP request/response data passing in and out of the device.
The house_arrest service allows iTunes to copy sensitive files from third-party applications such as Facebook and Twitter, alongside other data stored in application “vaults” and more.
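All three services described above (file_relay, pcapd and house_arrest) are reached the same way: a paired host asks lockdownd to start the service by name, gets back a port, then speaks the service’s own length-prefixed plist protocol on that port. The following is an added example, not code from the article or from Zdziarski’s talk: it implements that framing and message exchange offline, with a constructed stand-in for the device side. The service names are the ones the article gives; the message shapes (StartService / Port / InvalidService, the file_relay “Sources” request and “Acknowledged” reply, and the default source names) are those used by the open-source libimobiledevice client, reproduced from memory, and the ports are made up. A real session first needs a lockdownd StartSession authenticated with the host’s pairing record, which is omitted here.

```python
import plistlib
import struct

# Service identifiers named in the article.
FILE_RELAY = "com.apple.mobile.file_relay"
PCAPD = "com.apple.pcapd"
HOUSE_ARREST = "com.apple.mobile.house_arrest"

# Constructed sample data: ports a simulated device hands out per service
# (real lockdownd picks them dynamically).
SIMULATED_PORTS = {FILE_RELAY: 49153, PCAPD: 49154, HOUSE_ARREST: 49155}

# Default file_relay sources as used by libimobiledevice (assumption, not from the talk).
DEFAULT_SOURCES = ["AppleSupport", "Network", "VPN", "WiFi",
                   "UserDatabases", "CrashReporter", "tmp", "SystemConfiguration"]


def frame(msg):
    """Encode one lockdownd/service message: 4-byte big-endian length + XML plist."""
    body = plistlib.dumps(msg, fmt=plistlib.FMT_XML)
    return struct.pack(">I", len(body)) + body


def unframe(buf):
    """Decode the first complete frame in buf -> (message, remaining bytes).
    Returns (None, buf) when a full frame has not arrived yet; a client reading
    from a socket must loop until it has the whole frame."""
    if len(buf) < 4:
        return None, buf
    (length,) = struct.unpack(">I", buf[:4])
    if len(buf) < 4 + length:
        return None, buf
    return plistlib.loads(buf[4:4 + length]), buf[4 + length:]


def start_service_request(service, label="example-client"):
    """lockdownd StartService request as sent by a paired host."""
    return {"Label": label, "Request": "StartService", "Service": service}


def file_relay_request(sources):
    """file_relay request; the device answers, then streams a gzipped cpio
    archive containing the named data sources."""
    return {"Sources": list(sources)}


def simulated_lockdownd(request):
    """Constructed stand-in for the device side of StartService (not real iOS code)."""
    if request.get("Request") != "StartService":
        return {"Request": request.get("Request"), "Error": "InvalidRequest"}
    service = request.get("Service")
    if service not in SIMULATED_PORTS:
        return {"Request": "StartService", "Service": service, "Error": "InvalidService"}
    return {"Request": "StartService", "Service": service, "Port": SIMULATED_PORTS[service]}


def simulated_file_relay(request):
    """Constructed stand-in for file_relay's first reply; archive bytes would follow."""
    if not isinstance(request.get("Sources"), list):
        return {"Status": "Error"}
    return {"Status": "Acknowledged"}


def run_exchange(service, sources=DEFAULT_SOURCES):
    """Drive both sides through the wire framing; returns (port, status)."""
    req, rest = unframe(frame(start_service_request(service)))
    assert rest == b""
    reply = simulated_lockdownd(req)
    if "Error" in reply:
        return None, reply["Error"]
    port = reply["Port"]
    # The client now opens a second connection to `port` (via usbmuxd over USB,
    # or TCP over Wi-Fi) and speaks the service's own framed-plist protocol.
    req, _ = unframe(frame(file_relay_request(sources)))
    return port, simulated_file_relay(req)["Status"]


if __name__ == "__main__":
    print(run_exchange(FILE_RELAY))          # (49153, 'Acknowledged')
    print(run_exchange("com.example.none"))  # (None, 'InvalidService')
```

The point for a defender is the first step: nothing in this exchange asks for the backup password or the device passcode, only for a pairing record, which is why Zdziarski’s question about reviewing and revoking pairings (below) matters as much as the services themselves.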
Jonathan Zdziarski’s Questions for Apple
- Why is there a packet sniffer running on 600 million personal iOS devices instead of being moved to the developer mount?
- Why are there undocumented services that bypass user backup encryption that dump mass amounts of personal data from the phone?
- Why is most of my user data still not encrypted with the PIN or passphrase, enabling the invasion of my personal privacy by YOU?
- Why is there still no mechanism to review the devices my iPhone is paired with, so I can delete ones that don’t belong?
Jonathan Zdziarski’s Conclusions from the Talk (found on slide 57)
- Apple is dishing out a lot of data behind our backs
- It’s a violation of the customer’s trust and privacy to bypass backup encryption
- There is no valid excuse to leak personal data or allow packet sniffing without the user’s knowledge and permission.
- Much of this data simply should never come off the phone, even during a backup.
- Apple has added many conveniences for enterprises that make tasty attack points for .gov and criminals
- Overall, the otherwise great security of iOS has been compromised… by Apple… by design.
Zdziarski said he is not claiming that the undocumented services are intentional backdoors for the NSA or other agencies, but he believes there is evidence that agencies may be using them nonetheless.