iOS forensic examiner Jonathan Zdziarski may know more about iPhones than any other non-Apple employee. Yet even he can’t find a reason for some of the mystery features buried within the iOS operating system, which look an awful lot like security backdoors that bypass user-designated data protections.
The features could be there to let Apple — or even the National Security Agency or the FBI — get access to most of your iOS device’s data without you knowing it.
In a presentation Friday (July 18) at the HOPE X hacker conference here, Zdziarski detailed his discoveries about the data-collection tools hidden on iOS devices. Some tools are listed by name, yet not explained, in the Apple developer manual and do far more than advertised. Others are undocumented and buried deep within the iOS code.
The hidden features may partly explain allegations in the German newsmagazine Der Spiegel, based on documents leaked from the Snowden archive, that the NSA has had the ability to access data on BlackBerrys and Android and iOS devices. Der Spiegel did not detail how the NSA would do so.
The undocumented features can be accessed by any PC or Mac to which a targeted iOS device has been connected via USB, Zdziarski says. Some hidden features can also be accessed via Wi-Fi while the phone is at rest, or even while the owner is using it.
Zdziarski is certain that these mechanisms, whatever their purpose, are no accident. He has seen them become more complex, and they seem to get as much maintenance and attention as iOS’s advertised features. Even as Apple adds new security features, the company may be adding ways to circumvent them.
“I am not suggesting some grand conspiracy,” Zdziarski clarified in a blog post after his HOPE X talk. “There are, however, some services running in iOS that shouldn’t be there, that were intentionally added by Apple as part of the firmware and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer.”
“My hope is that Apple will correct the problem,” he added in the blog posting. “Nothing less, nothing more. I want these services off my phone. They don’t belong there.”
Apple has not yet responded to a request for comment.
The keys to the kingdom
How would someone connect to these mechanisms on an iPhone? Zdziarski explained the trick has to do with iOS “pairing.” When an iOS device connects to a PC or a Mac via USB, the mobile device and the computer exchange security certificates that establish a trusted relationship between the two, and exchange encryption keys for setting up an encrypted SSL channel.
The keys and certificates are stored on the iOS device and on the desktop, and never deleted unless the iOS device is wiped (via the “Erase All Contents and Settings” feature) or the desktop is restored to factory settings. In most cases, this pairing relationship is established automatically as soon as the devices are connected.
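A defensive check this pairing model suggests, as an added example that is not from Zdziarski's talk or paper: a Python audit of the pairing records a desktop keeps for the devices it has paired with. It assumes the usual lockdown directories and the HostID, WiFiMACAddress and EscrowBag keys found in those records; the sample record it writes uses placeholder values.

```python
import os
import plistlib
import tempfile
import time
# Hosts keep one <UDID>.plist per paired device: macOS /var/db/lockdown,
# Linux (libimobiledevice) /var/lib/lockdown, Windows C:\ProgramData\Apple\Lockdown.
def audit_pairing_records(lockdown_dir, max_age_days=90, now=None):
    """List pairing records; flag those older than max_age_days as 'stale'."""
    now = now or time.time()
    findings = []
    if not os.path.isdir(lockdown_dir):
        return findings
    for name in sorted(os.listdir(lockdown_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(lockdown_dir, name)
        try:
            with open(path, "rb") as fh:
                record = plistlib.load(fh)
        except (plistlib.InvalidFileException, OSError):
            continue
        if "HostID" not in record:  # not a pair record (e.g. SystemConfiguration.plist)
            continue
        age_days = (now - os.path.getmtime(path)) / 86400
        findings.append({
            "udid": name[:-len(".plist")],              # device that trusts this host
            "host_id": record["HostID"],                # identity the device will trust
            "wifi_mac": record.get("WiFiMACAddress"),   # lets a host find it on Wi-Fi
            "has_escrow_bag": "EscrowBag" in record,    # escrow keybag for a locked device
            "age_days": round(age_days, 1),
            "stale": age_days > max_age_days,
        })
    return findings

def make_sample_dir(age_days=200):
    """Write one constructed pairing record with placeholder values (no real device)."""
    d = tempfile.mkdtemp()
    record = {"HostID": "00000000-0000-4000-8000-000000000000",
              "WiFiMACAddress": "00:11:22:33:44:55",
              "HostCertificate": b"PLACEHOLDER", "EscrowBag": b"PLACEHOLDER"}
    path = os.path.join(d, "0" * 40 + ".plist")
    with open(path, "wb") as fh:
        plistlib.dump(record, fh)
    old = time.time() - age_days * 86400
    os.utime(path, (old, old))           # backdate so the sample reads as stale
    return d

if __name__ == "__main__":
    for finding in audit_pairing_records(make_sample_dir()):
        print(finding)
```

Deleting a record from the desktop side removes that host's half of the trust; the device's own copy survives until the device is wiped, as the article notes.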
The first step in spying on an iOS device is to get that pairing data. A targeted iPhone could be covertly connected to a computer without the owner’s knowledge (sort of the James Bond approach). Or spyware could be installed on the targeted person’s desktop, and the pairing data copied.
With the pairing data, attackers can locate the targeted iOS device on a Wi-Fi network. Because iPhones are set up to automatically join networks whose names they recognize (like “linksys” or “attwifi”), attackers can also force an iPhone to connect to an attacker-controlled network.
In a research paper published in March in the journal Digital Investigation, Zdziarski writes: “It may even be possible for a government agency with privileged access to a cellular carrier’s network to connect to the device over cellular (although I cannot verify this, due to the carrier’s firewalls).”
This is all a lot of ifs, of course. The attacker has to have the pairing keys; the attacker must know where the targeted iOS device is; the attacker has to get on the same Wi-Fi network as the device; and the iPhone needs to have its Wi-Fi switched on. This may be more than the average criminal could pull off, but it wouldn’t be difficult for the NSA, an agency with an approximately $52 billion budget, or the FBI.
Something in the mechanism
Once the paired connection is established, access is granted to the mystery tools. Perhaps the most serious is one that Zdziarski described as an “undocumented file-relay service that really only has relevance to purposes of spying and/or law enforcement.”
The feature, com.apple.mobile.file_relay, copies and relays nearly all the data stored on an iOS device, even when Backup Encryption is enabled. It is separate from iOS’s documented backup and sync features.
Since around 2009, iOS devices have had an optional feature called Backup Encryption. The feature encrypts all data backed up from an iOS device to a PC or Mac running iTunes, protected by a separate password. File_relay bypasses that password.
Other tools are only partly documented in official Apple publications. One is a packet sniffer, or network traffic analyzer, called com.apple.pcapd that views all network traffic and HTTP header data going to and from the iOS device. (Some packet sniffers can also analyze traffic to and from other devices on the same Wi-Fi network.)
Packet sniffers can be useful for iOS developers testing their apps, but Zdziarski said the feature is enabled on all iOS devices, even those not in developer mode.
“Why do we need a packet sniffer running on 600 million personal iOS devices?” Zdziarski asked during his presentation.
No visual indication is given when com.apple.pcapd is running; it could be triggered and run without the user’s knowledge.
“It remains a mystery why Apple decided that every single recent device needed to come with a packet sniffer,” Zdziarski wrote in his research paper.
Tell me why
Why do these features exist? Zdziarski can’t prove that they were created as backdoors for law enforcement, and isn’t even sure they were. But in his talk, he eliminated some of the other possibilities.
Could the features be there for developers? No, said Zdziarski: Most of the mechanisms he identified are not in the official Apple developer manual.
Are they there for Apple’s engineers? No: Engineering tools don’t need to be installed on every single iPhone.
Is it simply forgotten code? No: Zdziarski has seen these tools grow more capable with each iteration of iOS. When Apple added the Backup Encryption feature, he said, it also added the means to circumvent it. Clearly, Zdziarski feels, Apple is keeping these secret abilities alive.
“They’re maintaining this code,” Zdziarski said at the HOPE X talk. “Over the years, year after year, there are new data sources in file_relay … nobody has forgotten about [these mechanisms].”
“I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices,” Zdziarski wrote on his blog. “At the same time, this is NOT a zero day and NOT some widespread security emergency. My paranoia level is tweaked, but not going crazy.”