14 DAY TRIAL // Apple added a new page on its knowledge base site, explaining the purpose of the previously undocumented services that were revealed by forensics expert Jonathan Zdziarski at the Hackers On Planet Earth (HOPE X) conference in New York.
The documentation says that the tools presented by the expert have a diagnostic purpose and require pairing with a trusted device.
However, Zdziarski’s findings contradict this type of usage, and one of the reasons is the fact that the service is turned on by default on all devices and runs without the knowledge of the user.
Apple says that “com.apple.mobile.pcapd,” a tool for capturing in and out network traffic on the iOS device, “is useful for troubleshooting and diagnosing issues with apps on the device as well as enterprise VPN connections.”
In his presentation, Zdziarski says the tool can be used through WiFi remote monitoring if connection to a device is established, which, he says, can be achieved easily, without user consent, and there is no indication to the user that the packet sniffer is running and information is leaked.
“com.apple.mobile.file_relay,” also accessible remotely, is presented by Zdziarski as a complete tool for exfiltrating personal user information, bypassing backup encryption.
It provides access to address book details, photos, voicemail, audio data, keystrokes, clipboard details, accounts (Twitter, iCloud, Facebook, etc.) configured on the device, as well as GPS logs. Another functionality is creating a metadata disk sparseimage about files on the device.
In Apple’s documentation of the service it is said that “Apple engineering uses file_relay on internal devices to qualify customer configurations. AppleCare, with user consent, can also use this tool to gather relevant diagnostic data from users' devices.”
But the forensic expert argues that “mobile.file_relay” has access to information that is not needed for diagnostics and which should not be available to a diagnostics engineer.
By revealing all this, Zdziarski does not accuse Apple of working with government agencies, even if he did not receive an answer about their purpose when he contacted the last two CEOs of the company.
But although most of them also have legitimate uses, the details they can exfiltrate are of extreme personal nature, and he points out that government entities could take advantage of the functionality of these tools for spying activities.
“I give Apple credit for acknowledging these services, and at least trying to give an answer to people who want to know why these services are there – prior to this, there was no documentation about file relay whatsoever, or its 44 data services to copy off personal data.
“They appear to be misleading about its capabilities, however, in downplaying them, and this concerns me. I wonder if the higher ups at Apple really are aware of how much non-diagnostic personal information it copies out, wirelessly, bypassing backup encryption,” writes the expert on his blog.