Intentional backdoors in iOS devices uncovered

A researcher has revealed that Apple has equipped iOS, its mobile operating system, with several undocumented features that can be used by attackers and law enforcement to access the sensitive data contained on the devices running it.

Jonathan Zdziarski, a well-known iOS forensics expert, was spurred into digging into the OS after he read a report by Der Spiegel that said that the NSA used a software implant to access information on a target’s iPhone and turn it into a recording device.

He discovered “several services and mechanisms that can be abused by a government agency or malicious party to extract intelligence on a subject, including services that may in fact be back doors introduced by the manufacturer,” and detailed them in a paper published earlier this year, then shared his findings this weekend with the audience at the HOPE X conference.

He found a service (com.apple.mobile.file_relay) that bypasses Apple’s backup encryption mechanism and allows attackers to remotely dump data (address book, photo album, voicemail and audio files, geolocation data, accounts configured on the device, and much more) and metadata from the device on request.

He also found a packet sniffer (com.apple.pcapd) that can be targeted via WiFi for remote monitoring, and that is active on every iOS device but can’t be spotted by users.

A third service (com.apple.mobile.house_arrest) allows access to documents from third party applications, the Library, Caches, Cookies, Preferences folders, and data stored in various “vaults.”

While the latter service is used by iTunes, iTunes doesn’t use it to that extent. He pointed out that none of these services are likely to be used by tech support because the data is in too raw a format, is too personal in nature, and can’t be put back onto the phone. He also noted that the services are not used by developers for debugging and, finally, that the services are not there by mistake, i.e., they have been maintained and enhanced throughout the years.

Apple did another thing that makes it easy for law enforcement or supervisors in an enterprise to access data on devices running iOS: pairing an iOS device with a desktop system to sync data requires establishing a trusted connection, and makes both devices store a set of keys and certificates. This pairing data can be sniffed when exchanged, and used to access the data on the iOS device.

While this could be difficult (if not impossible) for random attackers, law enforcement and intelligence agents who have physical access to both devices can easily perform the task.

In the wake of the presentation, Apple has stated that the services found by Zdziarski are used for diagnostic purposes, troubleshooting, and by enterprise IT departments to manage their employees’ devices. They also stated that the services were not put there on purpose for law enforcement to take advantage of them.

But Zdziarski doesn’t buy the explanation. “These services dish out data (and bypass backup encryption) regardless of whether or not ‘Send Diagnostic Data to Apple’ is turned on or off, and whether or not the device is managed by an enterprise policy of any kind,” he pointed out. “A real diagnostic tool would have been engineered to respect the user, prompt them like applications do for access to data, and respect backup encryption.”

“Apple’s seeming admission to having these back doors, however legitimate a use they serve Apple, unfortunately have opened up some serious privacy weaknesses as well,” he concluded.

Apple has also stated
