
Your iPhone May Spy on You (Update: Apple Responds)

By - Source: Tom's Guide US

UPDATED July 22 9 a.m. ET with Apple's apparent response, and the researcher's response to that.

UPDATED July 23 9:30 a.m. ET with Apple's explanations of what some of the features are for.

Jonathan Zdziarski, an iOS forensic examiner, may know more about iPhones than any other non-Apple employee. Yet even he can't find a reason for some of the mystery features buried within the iOS operating system, which look an awful lot like security backdoors that bypass user-designated data protections. 

The features could be there to let Apple — or even the National Security Agency or the FBI — get access to most of your iOS device's data without you knowing it.


In a presentation Friday (July 18) at the HOPE X hacker conference here, Zdziarski detailed his discoveries about the data-collection tools hidden on iOS devices. Some tools are listed by name, yet not explained, in the Apple developer manual and do far more than advertised. Others are undocumented and buried deep within the iOS code.

The hidden features may partly explain allegations, based on documents leaked in the Snowden archive, in the German newsmagazine Der Spiegel that the NSA has had the ability to access data on BlackBerrys and Android and iOS devices. Der Spiegel did not detail how the NSA would do so.

The undocumented features can be accessed by any PC or Mac to which a targeted iOS device has been connected via USB, Zdziarski says. Some hidden features can also be accessed via Wi-Fi while the phone is at rest, or even while the owner is using it.

Zdziarski is certain that these mechanisms, whatever their purpose, are no accident. He has seen them become more complex, and they seem to get as much maintenance and attention as iOS' advertised features. Even as Apple adds new security features, the company may be adding ways to circumvent them.

"I am not suggesting some grand conspiracy," Zdziarski clarified in a blog post after his HOPE X talk. "There are, however, some services running in iOS that shouldn't be there, that were intentionally added by Apple as part of the firmware and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer.

"My hope is that Apple will correct the problem," he added in the blog posting. "Nothing less, nothing more. I want these services off my phone. They don't belong there."

Apple has not yet responded to a request for comment.

The keys to the kingdom

How would someone connect to these mechanisms on an iPhone? Zdziarski explained the trick has to do with iOS "pairing." When an iOS device connects to a PC or a Mac via USB, the mobile device and the computer exchange security certificates that establish a trusted relationship between the two, and exchange encryption keys for setting up an encrypted SSL channel.

The keys and certificates are stored on the iOS device and on the desktop, and never deleted unless the iOS device is wiped (via the "Erase all contents and settings" feature) or the desktop is restored to factory settings. In most cases, this pairing relationship is established automatically as soon as the devices are connected.


The first step in spying on an iOS device is to get that pairing data. A targeted iPhone could be covertly connected to a computer without the owner's knowledge (sort of the James Bond approach). Or spyware could be installed on the targeted person's desktop, and the pairing data copied.

With the pairing data, attackers can locate the targeted iOS device on a Wi-Fi network. Because iPhones are set up to automatically join networks whose names they recognize (like "linksys" or "attwifi"), attackers can also force an iPhone to connect to an attacker-controlled network.

In a research paper published in March in the journal Digital Investigation, Zdziarski writes: "It may even be possible for a government agency with privileged access to a cellular carrier's network to connect to the device over cellular (although I cannot verify this, due to the carrier's firewalls)."

This is all a lot of ifs, of course. The attacker has to have the pairing keys; the attacker must know where the targeted iOS device is; the attacker has to get on the same Wi-Fi network as the device, and the iPhone needs to have its Wi-Fi switched on. This may be more than the average criminal could pull off, but it wouldn't be difficult for the NSA, an agency with an approximately $52 billion budget, or the FBI.
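Every scenario above starts from a pairing record that already exists on some desktop, so the practical check for a user or administrator is to find out which records a computer is holding and how old they are. The script below is an added example; it is not code from the article or from Zdziarski's research. It assumes the macOS layout in which lockdownd keeps one plist per paired device under /var/db/lockdown/, named after the device UDID (Windows keeps the equivalent files under C:\ProgramData\Apple\Lockdown), and it assumes the record keys HostID and WiFiMACAddress as documented by the open-source libimobiledevice project; the script only reports those keys when they are present. The sample records it builds are constructed for the demonstration.

```python
"""Audit the iOS pairing records a desktop is holding.

Added example (not the article's or Zdziarski's code). Assumptions:
  * macOS stores pairing records as /var/db/lockdown/<UDID>.plist
  * a record is a plist dictionary that may carry HostID and
    WiFiMACAddress (key names per libimobiledevice's pair-record layout)
The file's modification time is used as a proxy for when the trust
relationship was last (re)established.
"""
import os
import plistlib
import tempfile
from dataclasses import dataclass
from typing import List, Optional

MAC_LOCKDOWN_DIR = "/var/db/lockdown"  # assumed default location on macOS
DAY = 86400.0
SAMPLE_NOW = 1_405_900_000.0  # constructed "now" (July 2014) for the sample run


@dataclass
class PairRecord:
    udid: str        # taken from the file name
    host_id: str     # HostID if present, else ""
    wifi_mac: str    # WiFiMACAddress if present, else ""
    age_days: float  # days since the record file was last written


def load_pair_records(lockdown_dir: str, now: Optional[float] = None) -> List[PairRecord]:
    """Parse every *.plist in lockdown_dir into a PairRecord.

    Files that are not valid plist dictionaries are skipped; other plists
    that macOS keeps in the same directory (not device records) may still be
    listed, so the HostID column tells the two apart."""
    import time
    now = time.time() if now is None else now
    records = []
    for name in sorted(os.listdir(lockdown_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(lockdown_dir, name)
        try:
            with open(path, "rb") as fp:
                data = plistlib.load(fp)
        except (plistlib.InvalidFileException, OSError, ValueError):
            continue
        if not isinstance(data, dict):
            continue
        records.append(PairRecord(
            udid=name[: -len(".plist")],
            host_id=str(data.get("HostID", "")),
            wifi_mac=str(data.get("WiFiMACAddress", "")),
            age_days=(now - os.path.getmtime(path)) / DAY,
        ))
    return records


def stale_records(records: List[PairRecord], max_age_days: float = 90.0) -> List[PairRecord]:
    """Records older than max_age_days: review them and delete the ones for
    devices this computer should no longer be trusted by."""
    return [r for r in records if r.age_days > max_age_days]


def build_sample_dir() -> str:
    """Write two constructed pairing records into a temp directory:
    one refreshed 5 days ago, one untouched for 200 days."""
    d = tempfile.mkdtemp(prefix="lockdown-sample-")
    samples = {
        "SAMPLE-UDID-A": ({"HostID": "SAMPLE-HOST-1", "WiFiMACAddress": "00:11:22:33:44:55"}, 5),
        "SAMPLE-UDID-B": ({"HostID": "SAMPLE-HOST-1"}, 200),
    }
    for udid, (record, days_old) in samples.items():
        path = os.path.join(d, udid + ".plist")
        with open(path, "wb") as fp:
            plistlib.dump(record, fp)
        mtime = SAMPLE_NOW - days_old * DAY
        os.utime(path, (mtime, mtime))
    return d


if __name__ == "__main__":
    if os.path.isdir(MAC_LOCKDOWN_DIR):
        recs = load_pair_records(MAC_LOCKDOWN_DIR)
    else:
        recs = load_pair_records(build_sample_dir(), now=SAMPLE_NOW)
    for r in recs:
        flag = "STALE" if r in stale_records(recs) else "ok"
        print(f"{r.udid:30} host={r.host_id or '-':16} wifi={r.wifi_mac or '-':18} {r.age_days:6.1f}d {flag}")
```

Run it with no arguments: on a Mac it lists the real records (read access to /var/db/lockdown usually needs sudo); elsewhere it runs on the constructed sample and flags the 200-day-old record. Deleting a record file on the desktop removes that computer's standing trust for the device; wiping the device, as the article notes, is the only way to clear the device's side.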

Something in the mechanism

Once the paired connection is established, access is granted to the mystery tools. Perhaps the most serious is one that Zdziarski described as an "undocumented file-relay service that really only has relevance to purposes of spying and/or law enforcement."

The feature (com.apple.mobile.file_relay) copies and relays nearly all the data stored on an iOS device, even when Backup Encryption is enabled. It is separate from iOS' documented backup and sync features.

Since around 2009, iOS devices have had an optional feature called Backup Encryption. The feature encrypts all data backed up from an iOS device to a PC or Mac running iTunes, complete with a separate password. File_relay bypasses the password.


Other tools are only partly documented in official Apple publications. One is a packet sniffer, or network traffic analyzer, called com.apple.pcapd that views all network traffic and HTTP header data going to and from the iOS device. (Some packet sniffers can also analyze traffic to and from other devices on the same Wi-Fi network.)

Packet sniffers can be useful for iOS developers testing their apps, but Zdziarski said the feature is enabled on all iOS devices, even those not in developer mode.

"Why do we need a packet sniffer running on 600 million personal iOS devices?" Zdziarski asked during his presentation.

No visual indication is given when com.apple.pcapd is running; it could be triggered and run without the user's knowledge.

"It remains a mystery why Apple decided that every single recent device needed to come with a packet sniffer," Zdziarski wrote in his research paper.

Tell me why

Why do these features exist? Zdziarski can't prove that they were created as backdoors for law enforcement, and isn't even sure they were. But in his talk, he eliminated some of the other possibilities.

Could the features be there for developers? No, said Zdziarski: Most of the mechanisms he identified are not in the official Apple developer manual.

Are they there for Apple's engineers? No: Engineering tools don't need to be installed on every single iPhone.

Is it simply forgotten code? No: Zdziarski has seen these tools grow more capable with each iteration of iOS. When Apple added the Backup Encryption feature, he said, it also added the means to circumvent it. Clearly, Zdziarski feels, Apple is keeping these secret abilities alive.

"They're maintaining this code," Zdziarski said at the HOPE X talk. "Over the years, year after year, there are new data sources in file_relay ... nobody has forgotten about [these mechanisms]."

"I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices," Zdziarski wrote on his blog. "At the same time, this is NOT a zero day and NOT some widespread security emergency. My paranoia level is tweaked, but not going crazy."

UPDATE JULY 22: Zdziarski updated his blog with an apparent Apple statement given to media outlets (but not to Tom's Guide): "We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues. A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent."

Zdziarski responded in the same blog post that the mechanisms he documented can send information to Apple regardless of whether the user has authorized it.

"Every single [iOS] device has these features enabled, and there's no way to turn them off, nor are users prompted for consent to send this kind of personal data off the device," he wrote. "This makes it much harder to believe that Apple is actually telling the truth here." 

The apparent Apple statement concluded: "As we have said before, Apple has never worked with any government agency from any country to create a backdoor in any of our products or services."

Zdziarski countered that the undocumented mechanisms he described in his presentation create security and privacy vulnerabilities that surveillance and law-enforcement agencies could exploit with relative ease.

"I understand that every OS has diagnostic functions," he wrote. "However, these services break the promise that Apple makes with the consumer when they enter a backup password: that the data on their device will only come off the phone encrypted."

UPDATE JULY 23: Late Tuesday evening (July 22), Apple posted a support document on its website providing explanations for three of the undocumented features Zdziarski had showcased.

"Pcapd supports diagnostic packet capture from an iOS device to a trusted computer," the posting said in part. "This is useful for troubleshooting and diagnosing issues with apps on the device as well as enterprise VPN connections."

As for file_relay, it "is separate from user-generated backups, does not have access to all data on the device, and respects iOS Data Protection," the document stated. "Apple engineering uses file_relay on internal devices to qualify customer configurations. AppleCare, with user consent, can also use this tool to gather relevant diagnostic data from users' devices."

A third feature, com.apple.mobile.house_arrest, "is used by iTunes to transfer documents to and from an iOS device for apps that support this functionality."

Apple affirmed that using these functions requires a Mac or PC to first establish a pairing relationship with an iOS device, as Zdziarski had noted — and that the functions may be accessed wirelessly.

"Each of these diagnostic capabilities requires the user to have unlocked their device and agreed to trust another computer," the document said. "Any data transmitted between the iOS device and trusted computer is encrypted with keys not shared with Apple. For users who have enabled iTunes Wi-Fi Sync on a trusted computer, these services may also be accessed wirelessly by that computer."

"I give Apple credit for acknowledging these services, and at least trying to give an answer to people who want to know why these services are there," Zdziarski responded on his blog, but added that the company was being "misleading" and evasive.

"The problem I have with [pcapd is with] its implementation," he wrote. "Pcapd is available on every iOS device out there, and can be activated on any device without the user's knowledge. ... it can be employed for snooping by third parties in a privileged position."

"Apple is being completely misleading by claiming that file_relay is only for copying diagnostic data," Zdziarski added. "If, by diagnostic data, you mean the user's complete photo album, their SMS, Notes, Address Book, GeoLocation data, screenshots of the last thing they were looking at, and a ton of other personal data, then sure — but this data is far too personal in nature to ever be needed for diagnostics."

"I suspect [Apple will] also quietly fix many of the issues I've raised," he wrote. "It would be wildly irresponsible for Apple not to address these issues, especially now that the public knows about them."

Email jscharr@tomsguide.com or follow her @JillScharr.

Discuss

  • 0
    acinity , July 21, 2014 11:33 AM
    All of you concerned about what these tech-GIANTS are doing should be following DAHBOO77 on YouTube. Look him up and subscribe.
  • -1
    p75 , July 21, 2014 11:44 AM
    iPhones "are" rigged to spy on you. It's all true and Apple should be avoided because they work for the NSA and other security agencies. Apple iPhones have GPS tracking and know where you are at all times. I would advise to also avoid Android, as Google is well known for spying and works for the CIA.
  • -1
    nebun , July 21, 2014 12:24 PM
    Android is no different....everyone is so quick to judge Apple...Google is an EVIL we can't live without :(  and the same goes for Apple....
  • 5
    irish_adam , July 21, 2014 12:53 PM
    When will you realise that it's not these tech companies that are evil, it's the US government!

    These companies have no choice but to comply. Google is always the first to take on the government to protect its data, but at the end of the day they have to comply or they can't operate in the USA. Everyone else in the world then has to put up with being spied upon because of YOUR government.
  • 3
    mitch074 , July 21, 2014 1:00 PM
    @nebun : yeah, but on the other hand, it IS possible to access, read and compile Android's source code, and several teams have done so (at least for devices that run either an unmodified AOSP, or on 3rd-party firmwares like CyanogenMod), and considering that no-one has raised such a red flag about Android, Google itself at least didn't insert backdoors in core Android (that's not to say there's no such backdoor in Google Apps, which are installed by default on most devices and do have root access) - but while this remains a possibility, we're talking here about features voluntarily added to an operating system, undocumented, and probably impossible to remove or circumvent without crippling the platform - while using Android with no Gapps installed is perfectly possible.
  • 2
    bootsattheboar , July 21, 2014 1:07 PM
    Yeah, yeah, no surprise. If your spouse turns up missing, the police always have pointed questions at the ready that could not have been thought up without access to your phone, which is always the first thing they confiscate, warranted or not.
  • 1
    SirTrollsALot , July 21, 2014 1:35 PM
    I just installed 20 updates on my Windows System... So I guess they are getting all my porn preferences down...
  • -3
    robochump , July 21, 2014 2:12 PM
    If people only knew what was stopped by the US NSA. A fraction is ever reported, just to ensure the baddies don't know the US is onto them. Then of course if anything is missed and another 9/11 happens, everyone will blame the US for not doing enough. Can't-win situation.

    That said, it's an anti-Apple title, since ALL tech companies can be spied upon or watching you at some level.
  • -4
    f-14 , July 21, 2014 3:05 PM
    ["Why do we need a packet sniffer running on 600 million personal iOS devices?" Zdziarski asked" ] & [""I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices," Zdziarksi wrote on his blog."

    600 million x $500 = $300 billion dollars just from device purchases alone, he is a lying sack of doggie do. i question his credibility if he is going to lie over something trivial just to sensationalize his findings, which i might add from experience means are also over sensationalized by which he has already proven he's a liar. and we all know what type of people buy iCr@. }:p  the PETA mongers, the greenpeace fish food wannabes, the people who voted for obama...etc etc. which those groups continually lie and have proven themselves huge liars repeatedly to the point the boy who cried wolf looks like a saint. the people who call in fake fires just to see fire trucks speeding on their way are more truthful in comparison.

    i don't trust them for their proven deception and outright lies, but at the same time, one of their own (3 time rapist cover up prior to being Arkansas governor pot smoker 'slippery willy' clinton: " i did not have sexual relations with that woman" & the democratic congress majority that wrote the ILLEGAL digital/mandatory internet spy laws) signing and making it a law requiring the government spy on every one and that manufacturers are required to give the united states government access to everything back in the 90's to which the vice president Al " i invented the internet " Gore was the president of the united states senate and cast tie-breaking votes. it also helps when those people appoint the ultimate rulers of what is legal and not legal to the supreme court. all i see is a bunch of low grade hitlers and stalins and mao's as supreme court justices.

    also to note, these devices are made in China to which the Chinese government owns everything, and given China's long history and track record of stealing everything from every one else, it wouldn't surprise me if some or all of this spygate ways were Chinese government mandate as a contractual conditional agreements with Apple, to which Steve Jobs, a loyalist Clinton and Obama supporter, agreed and signed the contract.
    china is communist, obama is a Democratic Socialist of America.
    Over three hundred people attended the first of two Town Meetings on Economic Insecurity on February 25 in Ida Noyes Hall at the University of Chicago. Entitled "Employment and Survival in Urban America", the meeting was sponsored by the UofC DSA Youth Section, Chicago DSA and University Democrats. The panelists were Toni Preckwinkle, Alderman of Chicago's 4th Ward; Barack Obama, candidate for the 13th Illinois Senate District; Professor William Julius Wilson, Center for the Study of Urban Inequality at the University of Chicago; Professor Michael Dawson, University of Chicago; and Professor Joseph Schwartz, Temple University and a member of DSA's National Political Committee.

    and the main stream american media isn't going to rat out one of their own especially when they are breaking the laws of the bill of rights and the constitution
    http://www.archives.gov/exhibits/charters/bill_of_rights_transcript.html
    http://whatreallyhappened.com/WRHARTICLES/commbillrights.php
    http://www.archives.gov/exhibits/charters/constitution_transcript.html
    The mainstream media might refer to Washington Post columnist Harold Meyerson as liberal when in fact he's a leader of the Democratic Socialists of America.The liberal media also refers to Gloria Steinem,Cornel West,and Barbara Ehrenreich as "liberals" when in fact they also are actually socialist leaders.
    The Democratic Socialists of America(DSA) is America largest socialist organization with an easy to understand goal.Here's a quote from their website http://www.dsausa.org/about_dsa:
    We are socialists because we reject an international economic order sustained by private profit.

    normally i wouldn't go to such lengths to (mildly in my view point ) explain a lot of this but i have read some post on other websites by people all over the world angry and not comprehending how things are in america or why people in america do such things that in their world is crazy and am trying to provide some perspective to them (i've trimmed it down to the bare minimum i think pertains to their understanding so as not to be overly long winded.) and since apple products are worldwide this applies to them and they do have rights against the american government from spying on them as i double checked the famous documents to see if there were inclusions or exclusions based on locality, & it turns out "We hold these truths to be self-evident, that all men are created equal, " (it doesn't say just in america) ".....do ordain and establish this Constitution for the United States of America. " (it only says it is enforceable FOR the united states of america, again it does not give any location restrictions against foreigners or against other governments) "THE Conventions of a number of the States, having at the time of their adopting the Constitution, expressed a desire, in order to prevent misconstruction or abuse of its powers, that further declaratory and restrictive clauses should be added: And as extending the ground of public confidence in the Government, will best ensure the beneficent ends of its institution."
(reasons for further definitions against the united states government, but again, not limiting or restricting WHO, WHERE, WHY, WHEN meaning the world can hold the american government accountable for violations of americas own laws and it is even spelled out in the constitution "To define and punish Piracies and Felonies committed on the high Seas, and Offences against the Law of Nations;" "In all Cases affecting Ambassadors, other public Ministers and Consuls, and those in which a State shall be Party, the supreme Court shall have original Jurisdiction. In all the other Cases before mentioned, the supreme Court shall have appellate Jurisdiction, both as to Law and Fact, with such Exceptions, and under such Regulations as the Congress shall make." "The judicial Power shall extend to all Cases, in Law and Equity, arising under this Constitution, the Laws of the United States, and Treaties made, or which shall be made, under their Authority;--to all Cases affecting Ambassadors, other public Ministers and Consuls;--to all Cases of admiralty and maritime Jurisdiction;--to Controversies to which the United States shall be a Party;--to Controversies between two or more States;-- between a State and Citizens of another State,--between Citizens of different States,--between Citizens of the same State claiming Lands under Grants of different States, and between a State, or the Citizens thereof, and foreign States, Citizens or Subjects."
    "Amendment X
    The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people."
    (again either spelled out or does not expressly define who. states can be both foreign or domestic but no such wording defines either except lawsuits in the constitution which defines which courts handle which cases and does not restrict foreign or domestic states from making suit!)

    so people of the world, if you can get to america, you can file a lawsuit against the government of the united states if these spy programs are found to be of the united states government mandate or origin as the bill of rights expressly protects you from the american government.
  • 0
    Bondfc11 , July 21, 2014 3:10 PM
    I would love to hear this explanation. I do love my iPhone and have known there are backdoors on almost all devices since the whole Snowden thing hit, but man, can't we have some place to ourselves anymore (talking to myself no longer works, there are too many people)?
  • 0
    icemunk , July 21, 2014 3:24 PM
    Welcome to East Germany.
  • -1
    f-14 , July 21, 2014 5:13 PM
    Quote:
    All of you concerned about what these tech-GIANTS are doing should be following DAHBOO77 on YouTube. Look him up and subscribe.

    i looked at his "BUSTED! Ukraine Caught Trying to 'Frame Russia' for Shooting Down Malaysia Flight MH17!" he either made a mistake or is a moron he is judging by the date on youtube server time which is american. i was playing a video game on american time on the 15th at 10pm my time, holland is 8 hours ahead of me (that makes it almost 6 am for holland ) and a bunch of euro players and african players started squawking on chats about this plane being shot down in ukraine, so i went and checked the news, but people started sending me youtube links in the game, there were about 5 better cell phone videos of people who posted this shoot down but i can't find them so it looks like they got pulled down, this one the main news agencies has posted is terrible. i understand why, in the other 5 videos i had first seen every one was happy and laughing and dancing while the plane was crashing ( very similar to the palestinians doing this during 9-11) and one of a SA-8 GECKO behind some buildings in a town near a wooded area another video showed an SA-11 going thru about 4 hours prior to the shoot down ( if i remember right) in torez just east of donetsk https://www.google.com/maps/place/Torez,+Donetsk+Oblast,+Ukraine/@47.9621989,38.2845013,10z/data=!4m2!3m1!1s0x40e0510df0e54653:0x95eb26e70828bdff 'Missile System' Spotted In Torez Just Hours Before Aeroplane Crash http://www.youtube.com/watch?v=0U9t4MOVKoQ the original video is gone but this one shows part of the original video i watched. (i'm guessing all rebel commanders ordered the removal of such things after they found out it was a passenger jet because some of these videos showed the actual shoot down to crash and people driving to the crash site.)
    the main town video that is being shown if you look at the 7 second mark you can see the missile contrail and that it's less than a 45º which looks a lot like the SA-8 as most of the surface to air vehicle launchers require a 45º or greater or a 90º such as the SA-20's however the SA-20s are relatively new and i am unsure if the ukraine ever received any or how many before the break up of the U.S.S.R./CCCP.

    u.s. military spy satellites have been monitoring the ukraine every pass they get, i know damn well that american forces know where every asset of both sides has been driven since fighting broke out in crimea. i have heard that russia is trying to secure everything up to the Dnieper river same as before in WW2 with the Nazis. i have also seen on every media website the propaganda for the russians side that they are in the right and no mention of the non aggression pact ukraine signed with u.s.a. and russia that neither the u.s.a. nor the russians would use military action against the ukraine in exchange for the ukraine giving up their portion of soviet nuclear weapons.

    quite frankly with russian military where it is i think it highly appropriate if the united states gives the ukraine back nuclear weapons out of the american arsenal. a full complement out of one of america's nuclear attack submarines would squash this fighting and force putin to remove his so called " PTSD chechnyan veterans/rabid out of control wild dogs terrorizing the balkan neighborhood" and quite frankly i think the U.N. (united states) should help eliminate them if kgb colonel putin fails to regain control of his military that's taking russian equipment to attack their friendly neighbor.