Forensic scientist identifies suspicious 'back doors' running on every iOS device

Summary: During his talk at HOPE/X Jonathan Zdziarski detailed several undocumented services (with names like 'lockdownd,' 'pcapd,' 'mobile.file_relay,' and 'house_arrest') that run in the background on over 600 million iOS devices.

TOPICS: Security, Apple, iOS, iPhone, iPad

Forensic scientist and author Jonathan Zdziarski has posted the slides (PDF) from his talk at the Hackers On Planet Earth (HOPE/X) conference in New York called Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices. 

The HOPE conference started in 1994 and bills itself as "one of the most creative and diverse hacker events in the world."

Zdziarski, better known as the hacker "NerveGas" in the iPhone development community, worked as a dev-team member on many of the early iOS jailbreaks and is the author of five iOS-related O'Reilly books, including "Hacking and Securing iOS Applications."

In December 2013, security researcher Jacob Appelbaum revealed an NSA program dubbed DROPOUTJEEP that reportedly gave the agency almost complete access to the iPhone.

The leaked document, dated 2008, noted that the malware required "implant via close access methods" (presumably physical access to the iPhone) but ominously noted that "a remote installation capability will be pursued for a future release."

In his talk, Zdziarski demonstrates "a number of undocumented high-value forensic services running on every iOS device" and "suspicious design omissions in iOS that make collection easier." He also provides examples of forensic artifacts acquired that "should never come off the device" without user consent.

According to one slide, the iPhone is "reasonably secure" against a typical attacker, and the iPhone 5 and iOS 7 are more secure against everybody except Apple and the government. But he notes that Apple has "worked hard to ensure that it can access data on end-user devices on behalf of law enforcement" and links to Apple's Law Enforcement Process Guidelines, which clearly spell this out.

(Slide: Jonathan Zdziarski)

Zdziarski also notes that simply screen-locking an iPhone doesn't encrypt its data; the only sure way to have the data encrypted is to shut the iPhone down (power it off). "Your device is almost always at risk of spilling all data, since it's almost always authenticated, even while locked." This is made possible by undocumented services running on every iOS device, according to Zdziarski's presentation:

Slide: "Encryption in iOS 7: Not Much Changed" (image: Jason O'Grady)
(Slide: Jonathan Zdziarski)

The presentation notes that commercial forensic tools perform deep extraction using these "back door" services and that law enforcement can acquire a device during a routine traffic stop or during arrest, before it can be shut down and encryption enabled. Zdziarski also notes that the Feds have always been interested in so-called "black bag" acquisition techniques (compromised docking stations, alarm clocks, etc.), also known as "juice jacking."

Undocumented iOS services exposed by Zdziarski (such as "lockdownd," "pcapd" and "mobile.file_relay") can bypass encrypted backups and be reached over USB, Wi-Fi and "maybe cellular." What is most suspicious about these services (and the data they collect) is that they are not referenced by any Apple software, that the data is personal in nature (and thus unlikely to be for debugging), and that it is stored in raw format, which makes it impossible to restore to the device (and therefore useless to carriers or during a trip to the Genius Bar). Zdziarski does a good job of refuting most plausible explanations for the code.

Slide: "Undocumented iOS Services" (image: Jason O'Grady)
(Slide: Jonathan Zdziarski)

Several commercial forensic software manufacturers including Cellebrite, AccessData, and Elcomsoft are currently using these backdoor iOS services and selling their wares to law enforcement agencies for huge profits, according to Zdziarski. 

Zdziarski's questions for Apple include:

  • Why is there a packet sniffer running on 600 million personal iOS devices instead of moved to the developer mount?
  • Why are there undocumented services that bypass user backup encryption that dump mass amounts of personal data from the phone?
  • Why is most of my user data still not encrypted with the PIN or passphrase, enabling the invasion of my personal privacy by YOU?
  • Why is there still no mechanism to review the devices my iPhone is paired with, so I can delete ones that don’t belong?

... and his last slide (page 57 of the PDF) sums it up nicely: 

  • Apple is dishing out a lot of data behind our backs
  • It’s a violation of the customer’s trust and privacy to bypass backup encryption
  • There is no valid excuse to leak personal data or allow packet sniffing without the user’s knowledge and permission.
  • Much of this data simply should never come off the phone, even during a backup.
  • Apple has added many conveniences for enterprises that make tasty attack points for .gov and criminals
  • Overall, the otherwise great security of iOS has been compromised… by Apple… by design.

Two measures for the security-conscious are to: a) set a complex passcode, and b) install the Apple Configurator application (free, Mac App Store), apply enterprise Mobile Device Management (MDM) restrictions to the device and then delete all pairing records (a.k.a. pair locking). Zdziarski notes that while pair locking might stop commercial forensics tools, it won't help if your device is sent to Apple for acquisition.
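As an added illustration of the host side of pair locking (this is not code from Zdziarski's talk, from Apple or from the Configurator), the shell script below inventories the pairing records a Mac holds for iOS devices, flags any that are not on an allow-list, and can delete them all. It assumes the records are stored as one <UDID>.plist per device under /var/db/lockdown (libimobiledevice hosts on Linux use /var/lib/lockdown); the directory is passed in so the functions can be tried against a scratch copy first, and the one-UDID-per-line allow-list file is a constructed convention.

```shell
#!/bin/sh
# Pairing-record hygiene for a host that has synced with iOS devices.
# Assumption: each paired device leaves <UDID>.plist in the lockdown directory;
# SystemConfiguration.plist in the same directory is host state, not a device record.

# list_pairing_records DIR: one UDID per line for every device record in DIR.
list_pairing_records() {
  dir="$1"
  for f in "$dir"/*.plist; do
    [ -e "$f" ] || continue            # unmatched glob: directory has no records
    name=$(basename "$f" .plist)
    [ "$name" = "SystemConfiguration" ] && continue
    printf '%s\n' "$name"
  done
}

# count_pairing_records DIR: how many devices this host can still reach over usbmuxd
# without a fresh "Trust this computer" prompt on the device.
count_pairing_records() {
  list_pairing_records "$1" | wc -l | tr -d ' '
}

# stale_pairing_records DIR ALLOWLIST: UDIDs present on the host but absent from the
# allow-list file. Each one is a trust relationship to review or remove.
stale_pairing_records() {
  list_pairing_records "$1" | while read -r udid; do
    grep -qxF "$udid" "$2" || printf '%s\n' "$udid"
  done
}

# purge_pairing_records DIR: the "delete all pairing records" step of pair locking,
# applied on the host. SystemConfiguration.plist is left in place.
purge_pairing_records() {
  list_pairing_records "$1" | while read -r udid; do
    rm -f "$1/$udid.plist"
  done
}

# Report mode: sh pairlock.sh /var/db/lockdown allow.txt (run as root on macOS).
if [ "$#" -ge 1 ]; then
  echo "pairing records in $1: $(count_pairing_records "$1")"
  if [ "$#" -ge 2 ]; then
    echo "not on allow-list:"
    stale_pairing_records "$1" "$2"
  fi
fi
```

Deleting a record on the host does not revoke the trust stored on the device itself; that is why the page pairs this step with the Configurator restriction that blocks new pairings.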

Update 2014-07-22: Apple has posted a knowledge base article that classifies the services identified by Zdziarski as "diagnostic capabilities."

Talkback

75 comments
  • Data usage is high

    Compared with every other phone, just sitting idle with all apps closed, iOS devices consume a lot of data (approx 300MB a month) . The typical Android or Win Phone will consume less than half of that. At&t recognized this years ago and forced every one with an iPhone to high data plan on new contract, while Android and Win Phone had more options. There may not be an Apple conspiracy, but iOS certainly has chatty services and poor data management for sure.
    Sean Foley
    • Mine doesn't

      I only used 11.025 Kilobytes in my last billing period. I just checked my usage on my iPhone and since May 11, 2014 I only SENT 17 Megabytes and RECEIVED 111 Megabytes. But my iPhone is OFF whenever I'm not actively using it. One thing is that when on (and connected to the cellular data network), cell phones routinely "ping" the network and also GPS; perhaps this might account for a lot of data usage?
      romad1
      • not really

        A ping is tiny and while talking to the tower is normal, it's done over your voice connection (the one that sends and receives calls and text messages), not your data connection, thus it does not count towards your data cap. GPS is a one-way connection with the USA government's GPS satellite network; your phone only receives the information. Actually, you don't even need a service plan to use GPS.

        One thing that iOS does is if you text another device with iOS, instead of using your carrier's voice network it uses your data network instead. So if you have an iPhone and buy unlimited texting and all your friends have iPhones too, you're not using any of your texting, just your more expensive, more limited data.
        djdunn420
        • IOS is intrinsically INSECURE

          That's a known fact.

          Now that the cat is out of the bag, its risk is even higher!

          How long until Apple has a huge mess in its hands?
          Uralbas
          • they have a huge mess now

            ...and it will only get worse. Without doubt the criminal hacker community will be all over this if they are not already

            Still not too late to move to Blackberry folks
            SloppyMagic
        • Slight correction about GPS

          iPhones don't use "pure" GPS signals, they use "Assisted GPS" (aGPS). iPhones (& other aGPS-equipped devices) use network resources to reduce the time needed to achieve an initial lock on the GPS satellite, and to maintain a connection...but to do so they require Internet connectivity (Wi-Fi or data plan) to function.

          So...if you have GPS enabled on your iPhone, you will use your monthly data plan even when you're not actually using your phone.
          spdragoo
          • GPS with no SIM works fine on iPhone 5

            I routinely use my iPhone 5 without its SIM card for GPS apps when on treks in overseas countries, or using street maps, in both cases with previously downloaded map data. No issues, and I know for sure that I will not get hit for either voice or data roaming charges. You might be led to think otherwise because most GPS apps want to download map data in real time, but many have options to store it while using cheap wifi.
            philaaa20
    • if you're concerned about that

      switch to BlackBerry, which uses a fraction of the data anyone else uses.
      Mac_PC_FenceSitter
      • Switch to a rock.

        Uses zero data.
        keless
        • Yes, but...

          A rock doesn't make calls... :)
          mhfernandes
          • I beg to differ

            I sent some very important messages as a child with nothing but rocks.
            blarelli
          • Yes, but . . .

            With a rock, you can listen to hard rock.
            Valiant Thor
      • Just get a Blackberry and rest easy

        and of course, as a Canadian company, Blackberry have no incentive or motivation to cooperate with the US government /NSA in any way really.

        If anyone ever doubted the superiority of Blackberry security, this has got to be the proof any sane individual needs.
        SloppyMagic
        • Right. Because

          Wanting to do business in the country doesn't put them under any kind of pressure to follow government mandates. Just ask Google and China.
          baggins_z
    • not true

      With moderate usage, my iPhone rarely ever consumes over 200mb a month and almost nothing when not in use. My wife consumes usually much less. It would depend on what applications you use, ultimately. My kid chews through a gigabyte in well under a week "doing nothing".

      YMMV
      danbi
      • not true

        My son's iPhone 5 consumes about 21.6Mb each month. He only uses the phone and no apps. One month, February I think, it was 3.3mb. He has it on 24/7.
        saoir
        • Apologists come running

          You guys are full of sh17
          Cloud dependency for basic things like opening a document or file simply means iOS is bandwidth heavy.
          There is nothing on iOS designed to reduce bandwidth and everything geared towards chewing data bandwidth.
          warboat
          • Cloud Dependency? Really?

            What are you talking about? I just turned off wifi and cellular, then opened several Pages documents, all without any problems.
            Wingsy
          • can you bluetooth it to me?

            I'm only 2 feet away.
            warboat
    • These are just NSA backdoors

      Apple has deals just like Microsoft. The only real way to be safe is to use open source that has been thoroughly reviewed. For the most part that only leaves Linux as a viable OS. Unfortunately the Ubuntu Phone isn't ready yet.
      T1Oracle