Hidden iOS Services Bypass Security - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Mobile // Mobile Applications
News
7/21/2014
04:22 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Hidden iOS Services Bypass Security

A computer researcher asks why Apple allows undocumented services to bypass encryption and access user data.

Apple-IBM Deal: 9 Moves Rivals Should Make
Apple-IBM Deal: 9 Moves Rivals Should Make
(Click image for larger view and slideshow.)

Apple's iPhone and iPad run undisclosed services that allow security features to be bypassed, according to a prominent computer security researcher.

In a presentation at the HOPE/X hacking conference in New York on Friday, forensic researcher Jonathan Zdziarski described several undocumented iOS services that can function backdoors, allowing ostensibly encrypted data to be accessed and subverting user privacy.

Zdziarski in a blog post stresses that he is not accusing Apple of working with the NSA, but he voices suspicion that the NSA might have used some of these services to access data on iOS devices, as described in a recent Der Spiegel report.

[It's round two for an old type of virus you thought was dead. Read Retro Macro Viruses: They're Baaack.]

"I am not suggesting some grand conspiracy," Zdziarski explains. "There are, however, some services running in iOS that shouldn't be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer."

Zdziarski says he hopes Apple will correct the issue because these services should not be present. He claims to have emailed both CEO Tim Cook and former CEO Steve Jobs about these "backdoors," some of which have existed for years, and to have received no response.

In a paper describing his findings, the services com.apple.pcapd and com.apple.mobile.file_relay are among the most questionable code routines that Zdziarski discusses. The former launches a silent packet sniffer that allows the the client to copy the network traffic and HTTP header data coming in and out of the device. The latter accepts a list of requested data sources, and delivers an archive of the data requested, bypassing Apple's built-in backup encryption system in the process.

These services and related ones, which have been augmented over the years by Apple, appear to represent an effort to provide law enforcement agencies with easier access to device data. Yet it's accepted wisdom among computer security experts that backdoors are a bad idea because they're potentially exploitable by anyone -- investigators, intelligence agencies, or cyber criminals.

"When parties communicate using services with [lawful intercept] features, there is an increased likelihood that an unauthorized and/or malicious adversary with the right technical knowledge and access to the system could capture communications contents without detection," a Center for Democracy and Technology report noted last year.

Zdziarski questions why Apple allows a packet sniffer to run on some 600 million iOS devices, why there are undocumented services that bypass user backup encryption, and why most iOS user data is still not encrypted to protect it from Apple.

Apple did not respond to a request for comment.

Nobody wants to be the next data breach headline. But ensuring that cyber-security defenses are operating effectively and efficiently is a monumental challenge given the sheer volume of information coming at us. Here's how to streamline your program. Get the Metrics That Work: Practical Cyber-Security Risk Measurements report today (registration required).

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Author
7/21/2014 | 8:46:22 PM
Re: Why is acceptable to betray your customers?
Cars require a government-issued license to operate and there's some rationale for imposing a privacy cost if it means road safety can be improved and lives can be saved. Communication has become similarly regulated but there's less of a public safety rationale and more of a government burden to respect the constitutionally guaranteed right to free speech. As such, phones should not be compromised by default. 
Lorna Garey
100%
0%
Lorna Garey,
User Rank: Author
7/21/2014 | 5:04:51 PM
Re: Why is acceptable to betray your customers?
It's not acceptable, and if Microsoft or Google were the snooper in question, people would screaming a whole lot louder. Can't say I get the appeal of iThings, but you have to hand it to Apple. It's got some strong Kool-Aid.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Author
7/21/2014 | 4:51:24 PM
Why is acceptable to betray your customers?
People would be up in arms if they learned the home they bought or the car they bought carried surveillance technology that authorities could enable at their convenience. Yet somehow it's acceptable in electronic devices?

Apple says it "designed the iOS platform with security at its core." It sounds like what Apple meant is that it designed the iOS platform with security that can be ignored.
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Commentary
New Storage Trends Promise to Help Enterprises Handle a Data Avalanche
John Edwards, Technology Journalist & Author,  4/1/2021
Slideshows
11 Things IT Professionals Wish They Knew Earlier in Their Careers
Lisa Morgan, Freelance Writer,  4/6/2021
Commentary
How to Submit a Column to InformationWeek
InformationWeek Staff 4/9/2021
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Successful Strategies for Digital Transformation
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Slideshows
Flash Poll