Hidden Backdoors Open in 600 Million Apple Devices
A well-known iPhone hacker and forensic scientist has unearthed a range of undocumented and hidden functions in Apple's iOS mobile operating system that make it possible for a hacker to completely bypass the backup encryption on iOS devices and steal large amounts of users’ personal data without entering passwords or personal identification numbers.
The results of his overall research on iOS devices indicate a backdoor into the iOS device operating system, although it is not nearly as wide open as a number of reports have suggested.
You can protect your iOS device settings, Messages, Camera Roll, documents, saved games, email account passwords, Wi-Fi passwords, and passwords that you enter into websites using the iTunes Backup feature. iTunes also allows users to protect their backup data with encryption.
EVERY SET OF INFORMATION OF iOS USERS IS AT RISK
He researched the capabilities and services available in iOS for data acquisition and found that over 600 million personal iOS devices, particularly those running the latest version, iOS 7, have secret data discovery tools or ‘undocumented features’ that have the ability to bypass the iOS backup encryption, but only under certain circumstances.
When your backup is encrypted, you need to enter the password when enabling or disabling encryption or when restoring from the backup, but according to Zdziarski, there is an iOS service called mobile file_relay that can be accessed remotely or through a USB connection to bypass the backup encryption.
This staggering amount of data includes a full copy of the user's
address book including deleted entries, stored photos, the voicemail
database and audio files, any account data configured on the device such
as iCloud, email, Facebook, Twitter, and other services, the user cache
of screenshots, keystrokes and the device's clipboard, GPS data—all
without requiring a backup password to be entered.
“Between this tool and other services, you can get almost the same information you could get from a complete backup,” Zdziarski said in an interview. “What concerns me the most is that this all bypasses the consumer backup encryption. When you click that button to encrypt the backup, Apple has made a promise that the data that comes off the device will be encrypted.”
Apart from this, there are two other services on the device as well, a packet sniffer dubbed com.apple.pcapd and com.apple.mobile.house_arrest, that may have legitimate uses for users and app developers but can also be used to spy on users by government intelligence agencies and bad actors.
The pcapd service fires up without notifying the iOS device's owner and allows an attacker to remotely monitor all network traffic traveling into and out of the device via Wi-Fi, even when the device is not running in a special developer or support mode. The pcapd service can log and export network traffic and HTTP request/response data traveling into and out of the device.
The house_arrest service, on the other hand, allows iTunes to copy sensitive files and documents from third-party applications such as Twitter and Facebook, other data stored in “vaults”, and much more.
QUESTIONS TO BE ANSWERED BY APPLE
Zdziarski also includes some questions for Apple in his presentation:
- Why is there a packet sniffer running on 600 million personal iOS devices instead of moved to the developer mount?
- Why are there undocumented services that bypass user backup encryption that dump mass amounts of personal data from the phone?
- Why is most of my user data still not encrypted with the PIN or passphrase, enabling the invasion of my personal privacy by YOU?
- Why is there still no mechanism to review the devices my iPhone is paired with, so I can delete ones that don’t belong?
IN SHORT - CONCLUSION
He summed it up logically in his last slide (page 57 of the PDF) as follows:
- Apple is dishing out a lot of data behind our backs.
- It’s a violation of the customer’s trust and privacy to bypass backup encryption.
- There is no valid excuse to leak personal data or allow packet sniffing without the user’s knowledge and permission.
- Much of this data simply should never come off the phone, even during a backup.
- Apple has added many conveniences for enterprises that make tasty attack points for .gov and criminals.
- Overall, the otherwise great security of iOS has been compromised… by Apple… by design.
DEPENDENCIES
- The attacker first needs to grab the pairing keys
- The targeted iOS device should be physically near the attacker
- The targeted iPhone needs to have its Wi-Fi switched ON
- The attacker and the targeted iOS device should be on the same Wi-Fi network
- The targeted device should not have been rebooted since the last time the user entered the PIN
Given these dependencies, it is practically not possible for an attacker to carry out the attack, as it can be executed only when a user’s device matches all of the above circumstances.
ROLE OF NSA
A number of undocumented services and features in iOS map pretty closely to the capabilities of some of the NSA’s tools, specifically the DROPOUTJEEP hacking tool, an implant for Apple iOS devices that allows the NSA to remotely control and monitor nearly all the features of an iPhone, including text messages, geolocation, the microphone and the camera, which was revealed by documents leaked by Edward Snowden.
“If you're the NSA, with a Tailored Access Operations division that specializes in this sort of thing, getting into Apple's backdoor is easy as pie,” the Register notes.
Zdziarski clarified that he is not pointing to these services as intentional backdoors for the NSA or other intelligence agencies, but he believes there is evidence that the agency may be using the services nonetheless.
Data forensics expert Jonathan Zdziarski has posted the slides (PDF), titled “Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices”, showing his findings from his talk at the Hackers On Planet Earth (HOPE X) conference held in New York on Friday.
Jonathan Zdziarski, known as the hacker "NerveGas" in the iPhone development community, worked as a dev-team member on many of the early iOS jailbreaks and is also the author of five iOS-related O'Reilly books, including "Hacking and Securing iOS Applications."