SecurityWeek

Mobile & Wireless

iOS Backdoors Expose Personal Data: Researcher

Several undocumented forensic services running on all iOS devices can be leveraged as attack points and surveillance mechanisms, a security researcher revealed at the Hope X conference last week.

Jonathan Zdziarski, an expert in iOS security and forensics who has often assisted law enforcement and the US military on projects and criminal cases, says the services in question have evolved a great deal over the past years, up to the point where they can be used to access unencrypted data.

According to the researcher, the services, which are available without “developer mode,” require the iOS device to be paired with a computer or other device. iOS 7 asks users for confirmation when pairing to a device, but on older versions it’s done automatically.
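Because every service described here is reachable only from a host the device has already been paired with, the practical defensive question is which computers hold such pairing records. The script below is an added example, not code from the article or from Zdziarski; it assumes macOS keeps one binary plist per paired device in /var/db/lockdown/<UDID>.plist with at least HostID and HostCertificate keys, and the two sample records it writes are constructed for offline use, not taken from a real host.

```python
#!/usr/bin/env python3
"""Audit which iOS devices a Mac holds pairing (trust) records for.

Added example, not part of the SecurityWeek article or Zdziarski's research.
Assumptions: macOS stores pairing records as /var/db/lockdown/<UDID>.plist
(binary plists with HostID and HostCertificate keys), and a companion
SystemConfiguration.plist that is not a device record. The sample records
produced by build_sample_records() are constructed for testing.
"""
import os
import plistlib
import tempfile
from datetime import datetime, timezone
from typing import Dict, List

LOCKDOWN_DIR = "/var/db/lockdown"  # default macOS location (assumption)


def parse_pairing_record(path: str) -> Dict[str, object]:
    """Summarise one record without printing certificate material."""
    with open(path, "rb") as fh:
        rec = plistlib.load(fh)
    udid = os.path.splitext(os.path.basename(path))[0]
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    return {
        "udid": udid,
        "host_id": rec.get("HostID", "<missing>"),
        "has_host_cert": bool(rec.get("HostCertificate")),
        "paired_utc": mtime.isoformat(timespec="seconds"),
    }


def audit_pairing_records(directory: str = LOCKDOWN_DIR) -> List[Dict[str, object]]:
    """Return a summary for every device record in the directory, sorted by UDID."""
    rows: List[Dict[str, object]] = []
    if not os.path.isdir(directory):  # no records, or not a macOS host
        return rows
    for name in sorted(os.listdir(directory)):
        # Skip the host-wide config file; everything else is a device record.
        if name.endswith(".plist") and name != "SystemConfiguration.plist":
            rows.append(parse_pairing_record(os.path.join(directory, name)))
    return rows


def build_sample_records(directory: str) -> None:
    """Write two constructed pairing records so the audit can run offline."""
    samples = {
        "00008030-000A1B2C3D4E5F60": {"HostID": "HOST-AAAA", "HostCertificate": b"cert-1"},
        "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678": {"HostID": "HOST-BBBB"},  # no cert
    }
    for udid, rec in samples.items():
        with open(os.path.join(directory, udid + ".plist"), "wb") as fh:
            plistlib.dump(rec, fh, fmt=plistlib.FMT_BINARY)


def demo_audit() -> List[Dict[str, object]]:
    """Run the audit against a temporary directory of constructed records."""
    workdir = tempfile.mkdtemp(prefix="lockdown-demo-")
    build_sample_records(workdir)
    return audit_pairing_records(workdir)


if __name__ == "__main__":
    # Use the real directory when present (needs root on macOS), else the demo.
    rows = audit_pairing_records() or demo_audit()
    for row in rows:
        print(f"{row['udid']}  host={row['host_id']}  "
              f"cert={'yes' if row['has_host_cert'] else 'NO'}  paired={row['paired_utc']}")
    print(f"{len(rows)} pairing record(s); delete any for devices you no longer own or trust.")
```

Run it as root on a Mac to list every device that computer can reach through lockdown; a record for a device you no longer recognise is one you should remove, since it is the host-side half of the trust relationship these services rely on.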

One of the services analyzed by Zdziarski is com.apple.pcapd, which is basically a packet sniffer that dumps network traffic and HTTP request/response data traveling to and from the device.

An even more interesting service, called com.apple.mobile.file_relay, completely bypasses the backup encryption provided to device owners. The feature, which once was thought to be benign, can be used to access email and social media accounts, the SQLite database for the user’s address book (including deleted records), GPS logs, caches, photos, email metadata, call history, and the databases for SMS, voicemail, calendar, alarm, and notes. In iOS 7, the service can be used even to obtain a complete metadata disk sparse image of the file system (without actual content), the researcher said.

The com.apple.mobile.house_arrest service, which was initially developed to allow iTunes to copy documents to and from third-party applications, can now be used to access various folders that contain photos, social media caches, and other sensitive data, Zdziarski explained in his presentation.

The researcher has pointed out that these capabilities are similar to ones described recently by the German publication Der Spiegel in a report on how the United States National Security Agency (NSA) can access smartphone data. Zdziarski says that while he’s not accusing Apple of working with the NSA, he believes that some of the services he has described might have been used by the agency to collect data.

“I am not suggesting some grand conspiracy; there are, however, some services running in iOS that shouldn’t be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer. I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices,” Zdziarski wrote in a blog post on Friday.

Apple admits assisting law enforcement based on subpoenas, search warrants, and court orders, but in a statement made after Zdziarski’s presentation, the company reiterated that it has never worked with any government agency from any country to create backdoors in its products or services.

“We have designed iOS so that its diagnostics functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues,” Apple stated. “A user must have unlocked their device and agreed to trust another computer before that computer is able to access the limited diagnostics data. The user must agree to share this information, and data is never transferred without their consent.”

However, the expert is not satisfied with Apple’s explanation, arguing that since the services expose too much personal information and there is no notification to the user, it’s unlikely that they’re intended solely for diagnostics.

“I understand that every OS has diagnostic functions, however these services break the promise that Apple makes with the consumer when they enter a backup password; that the data on their device will only come off the phone encrypted. The consumer is also not aware of these mechanisms, nor are they prompted in any way by the device. There is simply no way to justify the massive leak of data as a result of these services, and without any explicit consent by the user,” Zdziarski said in a blog post published on Monday in response to Apple’s statement.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
