Apple "inadvertently admitted" to iOS backdoor: forensics expert

Apple has "inadvertently admitted" to creating a "backdoor" in iOS, according to a post by a forensics scientist, iOS author and ex-hacker

Apple has "inadvertently admitted" to creating a "backdoor" in iOS, according to a new post by a forensics scientist, iOS author and former hacker, who this week created a stir when he posted a presentation laying out his case.

Apple has created "several services and mechanisms" that let Apple -- and, potentially, government agencies or malicious third parties -- extract lots of personal data from iOS devices, says Jonathan Zdziarski. There is, he says, no way to shut off this data leakage and there is no explicit consent granted by endusers.

He made his case in a talk, "Identifying back doors, attack points, and surveillance mechanisms in iOS devices," [available in PDF] at the annual HOPE X hackers conference last week in New York City. The talk was based on a paper published in the March issue of "Digital Investigation," which can be ordered online.

Essentially, Zdziarski says that Apple over time has deliberately added several "undocumented high-value forensic services" in iOS, along with "suspicious design omissions...that make collection easier." The result is these services can copy a wide range of a user's personal data, and bypass Apple's backup encryption. That gives Apple, and potentially government agencies, such as the National Security Agency, or just bad people intent on exploiting these service, the ability to extract personal data without the user knowing this is happening.

In the past two years, Apple has become much more open about the iOS security architecture, and how and why it's making changes to it, according to security professionals and IT consultants who are praising both the company's transparency and its approach to protecting iOS devices, Internet security and users' data. [see "Apple reveals unprecedented details in iOS security"] The latest Apple-authored iOS Security whitepaper is available as a PDF.

The Zdziarski presentation slides were the basis of a round of summarizing news and blog postings about his claims, such as this one at ZDNet by Jason O'Grady. But Apple responded officially to a query by Rene Ritchie, editor of the Apple-focused iMore website, saying it had never worked with "any government create a backdoor in any of our products." Here's the text of the Apple response, as posted by Ritchie:

"We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues. A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent. As we have said before, Apple has never worked with any government agency from any country to create a backdoor in any of our products or services."

The last sentence, which is the one Ritchie emphasized in his headline and at the top of his blogpost, is very carefully worded. Zdziarski doesn't allege that Apple worked with the NSA, or any other agency, to create a backdoor. He alleges that Apple itself created undocumented services, which can be used by Apple, and potentially by someone like the NSA, to extract personal data.

Zdziarski did his own parsing of the Apple statement, in a new post on his blog: "[I]t looks like Apple might have inadvertently admitted that, in the classic sense of the word, they do indeed have back doors in iOS, however [they] claim that the purpose is for 'diagnostics' and 'enterprise.'"

Ritchie succinctly summarizes the mechanism identified by Zdziarski, which involves two explicit decisions by the end user: "When you connect your iPhone or iPad to iTunes on Mac or Windows -- and choose to trust that computer -- a pairing record is created that maintains that trust for future connections. Zdziarski claimed that if someone takes physical possession of that computer, they can steal those pairing records, connect to your device, and retrieve your personal information and/or enable remote logging. If they don't have your computer, Zdziarski claimed they can try and generate a pairing record by tricking you into connecting to a compromised accessory, like a dock (juice jacking), and/or by using mobile device management (MDM) tools intended for [the] enterprise to get around safeguards like Apple's Trusted Device requestor."

In his own post, Zdziarski repeats his contention that pairing records can be stolen in all kinds of ways, and acknowledges that every operating system has legitimate diagnostic capabilities. But he's not convinced by the Apple statement.

"I don't buy for a minute that these services are intended solely for diagnostics," he writes. "The data they leak is of an extreme personal nature. There is no notification to the user. A real diagnostic tool would have been engineered to respect the user, prompt them like applications do for access to data, and respect backup encryption. Tell me, what is the point in promising the user encryption if there is a back door to bypass it?"

In a separate post, Zdziarski says he is not accusing Apple of working with the NSA nor is he "suggesting some grand conspiracy."

"[T]here are, however, some services running in iOS that shouldn't be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer," he writes. "I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices....My hope is that Apple will correct the problem. Nothing less, nothing more. I want these services off my phone. They don't belong there."

John Cox covers wireless networking and mobile computing for "Network World."



Join the CSO newsletter!

Error: Please check your email address.

Tags Appleiossecuritynsasoftwareoperating systems

More about AppleindeedNational Security AgencyNSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John Cox

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place