14 DAY TRIAL // Apple’s iOS being targeted by the NSA is a fact, but in a talk last week at the Hackers On Planet Earth (HOPE X) conference in New York, data forensics expert Jonathan Zdziarski revealed the existence of certain services in iOS that offer a backdoor for surveillance.
According to the expert, this is a feature that has been available in the operating system for years and has evolved in time, constant updates being applied in each version of the mobile OS. Although present in about 600 million devices, Zdziarski says that the feature “is not a zero day and not some widespread security emergency.”
The services discovered to offer the possibility to extract data from Apple devices function separately from regular backup encryption, and are low-level components that can be handled through methods and mechanisms that are not publicly available, more appropriate for corporations and government agencies.
Zdziarski notes that “every single device has these features enabled and there’s no way to turn them off, nor are users prompted for consent to send this kind of personal data off the device.”
Among the components that can be used for data acquisition is the “mobile.file_relay” service, which can also be accessed remotely (WiFi) and bypasses the backup encryption of the iOS.
It can be used for exfiltrating information available in the address book, photos, voicemail, audio data, keystrokes, clipboard details, accounts (Twitter, iCloud, Facebook, etc.) configured on the device, as well as GPS logs.
On iOS 7, “mobile.file_relay” can provide a complete metadata disk sparse image of the file system, meaning that no actual content is available, only the details about each item: time stamp, file name, size, creation date, time of the last activation or wipe of the device, list of apps installed and their files, names of email attachments or phone numbers related to short text messages.
It appears that the services allow extraction of the data in raw format, which makes it impossible to put it back in an altered state, or to restore the original data of the phone.
This eliminates diagnostics and enterprise as reasons for their presence and suggests that they may be of use to spying agencies, especially since “the data they leak is of an extreme personal nature,” and no notification is sent to the user.
Among the components is a packet sniffer, called “com.apple.pcapd,” that can start capturing in/out traffic immediately. It is active on every iOS device, about 600 millions of them, and can be targeted via WiFi for remote monitoring; obviously, all activity is hidden from the user.
A set of slides from Jonathan Zdziarski explain the purpose of some of the features and why they couldn’t have been created specifically for the good of the user.
It is worth noting that most of these data acquisition features are documented by Apple, and that Zdziarski contacted both Steve Jobs and Tim Cook for an explanation about them, but received no reply from either of them.