Your iPhone May Spy on You (Update: Apple Responds)
UPDATED July 22 9 a.m. ET with Apple's apparent response, and the researcher's response to that.
UPDATED July 23 9:30 a.m. ET with Apple's explanations of what some of the features are for.
Jonathan Zdziarski, an iOS forensic examiner, may know more about iPhones than any other non-Apple employee. Yet even he can't find a reason for some of the mystery features buried within the iOS operating system, which look an awful lot like security backdoors that bypass user-designated data protections.
The features could be there to let Apple — or even the National Security Agency or the FBI — get access to most of your iOS device's data without you knowing it.
In a presentation Friday (July 18) at the HOPE X hacker conference here, Zdziarksi detailed his discoveries about the data-collection tools hidden on iOS devices. Some tools are listed by name, yet not explained, in the Apple developer manual and do far more than advertised. Others are undocumented and buried deep within the iOS code.
The hidden features may partly explain allegations, based on documents leaked in the Snowden archive, in the German newsmagazine Der Spiegel that the NSA has had the ability to access data on BlackBerrys and Android and iOS devices. Der Spiegel did not detail how the NSA would do so.
The undocumented features can be accessed by any PC or Mac to which a targeted iOS device has been connected via USB, Zdziarski says. Some hidden features can also be accessed via Wi-Fi while the phone is at rest, or even while the owner is using it.
Zdziarksi is certain that these mechanisms, whatever their purpose, are no accident. He has seen them become more complex, and they seem to get as much maintenance and attention as iOS' advertised features. Even as Apple adds new security features, the company may be adding ways to circumvent them.
"I am not suggesting some grand conspiracy," Zdziarski clarified in a blog post after his HOPE X talk. "There are, however, some services running in iOS that shouldn't be there, that were intentionally added by Apple as part of the firmware and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer.
"My hope is that Apple will correct the problem," he added in the blog posting. "Nothing less, nothing more. I want these services off my phone. They don't belong there."
Apple has not yet responded to a request for comment.
The keys to the kingdom
How would someone connect to these mechanisms on an iPhone? Zdziarski explained the trick has to do with iOS "pairing." When an iOS device connects to a PC or a Mac via USB, the mobile device and the computer exchange security certificates that establish a trusted relationship between the two, and exchange encryption keys for setting up an encrypted SSL channel.
The keys and certificates are stored on the iOS device and on the desktop, and never deleted unless the iOS device is wiped (via the "Erase all contents and settings" feature) or the desktop is restored to factory settings. In most cases, this pairing relationship is established automatically as soon as the devices are connected.
The first step in spying on an iOS device is to get that pairing data. A targeted iPhone could be covertly connected to a computer without the owner's knowledge (sort of the James Bond approach). Or spyware could be installed on the targeted person's desktop, and the pairing data copied.
With the pairing data, attackers can locate the targeted iOS device on a Wi-Fi network. Because iPhones are set up to automatically join networks whose names they recognize (like "linksys" or "attwifi"), attackers can also force an iPhone to connect to an attacker-controlled network.
In a research paper published in March in the journal Digital Investigation, Zdziarski writes: "It may even be possible for a government agency with privileged access to a cellular carrier's network to connect to the device over cellular (although I cannot verify this, due to the carrier's firewalls)."
This is all a lot of ifs, of course. The attacker has to have the pairing keys; the attacker must know where the targeted iOS device is; the attacker has to get on the same Wi-Fi network as the device, and the iPhone needs to have its Wi-Fi switched on. This may be more than the average criminal could pull off, but it wouldn't be difficult for the NSA, an agency with an approximately $52 billion budget, or the FBI.
Something in the mechanism
Once the paired connection is established, access is granted to the mystery tools. Perhaps the most serious is one that Zdziarski described as an "undocumented file-relay service that really only has relevance to purposes of spying and/or law enforcement."
The feature (com.apple.mobile.file_relay) copies and relays nearly all the data stored on an iOS device, even when Backup Encryption is enabled. It is separate from iOS' documented backup and sync features.
Since around 2009, iOS devices have had an optional feature called Backup Encryption. The feature encrypts all data backed up from an iOS device to a PC or Mac running iTunes, complete with a separate password. File_relay bypasses the password.
Other tools are are only partly documented in official Apple publications. One is a packet sniffer, or network traffic analyzer, called com.apple.pcapd that views all network traffic and HTTP header data going to and from the iOS device. (Some packet sniffers can also analyze traffic to and from other devices on the same Wi-Fi network.)
Packet sniffers can be useful for iOS developers testing their apps, but Zdziarksi said the feature is enabled on all iOS devices, even those not in developer mode.
"Why do we need a packet sniffer running on 600 million personal iOS devices?" Zdziarski asked during his presentation.
No visual indication is given when com.apple.pcapd is running; it could be triggered and run without the user's knowledge.
"It remains a mystery why Apple decided that every single recent device needed to come with a packet sniffer," Zdziarksi wrote in his research paper.
Tell me why
Why do these features exist? Zdziarski can't prove that they were created as backdoors for law enforcement, and isn't even sure they were. But in his talk, he eliminated some of the other possibilities.
Could the features be there for developers? No, said Zdziarski: Most of the mechanisms he identified are not in the official Apple developer manual.
Are they there for Apple's engineers? No: Engineering tools don't need to be installed on every single iPhone.
Is it simply forgotten code? No: Zdziarksi has seen these tools grow more capable with each iteration of iOS. When Apple added the Backup Encryption feature, he said, it also added the means to circumvent it. Clearly, Zdziarski feels, Apple is keeping these secret abilities alive.
"They're maintaining this code," Zdziarski said at the HOPE X talk. "Over the years, year after year, there are new data sources in file_relay ... nobody has forgotten about [these mechanisms]."
"I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices," Zdziarksi wrote on his blog. "At the same time, this is NOT a zero day and NOT some widespread security emergency. My paranoia level is tweaked, but not going crazy."
UPDATE JULY 22: Zdziarski updated his blog with an apparent Apple statement given to media outlets (but not to Tom's Guide): "We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues. A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent."
Zdziarski responded in the same blog post that that the mechanisms he documented can send information to Apple regardless of whether the user has authorized it.
"Every single [iOS] device has these features enabled, and there's no way to turn them off, nor are users prompted for consent to send this kind of personal data off the device," he wrote. "This makes it much harder to believe that Apple is actually telling the truth here."
The apparent Apple statement concluded: "As we have said before, Apple has never worked with any government agency from any country to create a backdoor in any of our products or services."
Zdziarski countered that the undocumented mechanisms he described in his presentation create security and privacy vulnerabilities that surveillance and law-enforcement agencies could exploit with relative ease.
"I understand that every OS has diagnostic functions," he wrote. "However, these services break the promise that Apple makes with the consumer when they enter a backup password: that the data on their device will only come off the phone encrypted."
UPDATE JULY 23: Late Tuesday evening (July 22), Apple posted a support document on its website providing explanations for three of the undocumented features Zdziarski had showcased.
"Pcapd supports diagnostic packet capture from an iOS device to a trusted computer," the posting said in part. "This is useful for troubleshooting and diagnosing issues with apps on the device as well as enterprise VPN connections."
As for file_relay, it "is separate from user-generated backups, does not have access to all data on the device, and respects iOS Data Protection," the document stated. "Apple engineering uses file_relay on internal devices to qualify customer configurations. AppleCare, with user consent, can also use this tool to gather relevant diagnostic data from users' devices."
A third feature, com.apple.mobile.house_arrest, "is used by iTunes to transfer documents to and from an iOS device for apps that support this functionality."
Apple affirmed that using these functions requires a Mac or PC to first establish a pairing relationship with an iOS device, as Zdziarski had noted — and that the functions may be accessed wirelessly.
"Each of these diagnostic capabilities requires the user to have unlocked their device and agreed to trust another computer," the document said. "Any data transmitted between the iOS device and trusted computer is encrypted with keys not shared with Apple. For users who have enabled iTunes Wi-Fi Sync on a trusted computer, these services may also be accessed wirelessly by that computer."
"I give Apple credit for acknowledging these services, and at least trying to give an answer to people who want to know why these services are there," Zdziarski responded on his blog, but added that the company was being "misleading" and evasive.
"The problem I have with [pcadpd is with] its implementation," he wrote. "Pcapd is available on every iOS device out there, and can be activated on any device without the user's knowledge. ... it can be employed for snooping by third parties in a privileged position."
"Apple is being completely misleading by claiming that file_relay is only for copying diagnostic data," Zdziarski added. "If, by diagnostic data, you mean the user's complete photo album, their SMS, Notes, Address Book, GeoLocation data, screenshots of the last thing they were looking at, and a ton of other personal data, then sure — but this data is far too personal in nature to ever be needed for diagnostics."
"I suspect [Apple will] also quietly fix many of the issues I've raised," he wrote. "It would be wildly irresponsible for Apple not to address these issues, especially now that the public knows about them."
- 9 Tips to Stay Safe on Public Wi-Fi
- Best Free PC Antivirus Software 2014
- How Your Next Hotel Room Could Be Hacked