iOS foren­sic exam­in­er Jonathan Zdziars­ki may know more about iPhones than any oth­er non-Apple employ­ee. Yet even he can’t find a rea­son for some of the mys­tery fea­tures buried with­in the iOS oper­at­ing sys­tem, which look an awful lot like secu­ri­ty back­doors that bypass user-des­ig­nat­ed data protections.

The fea­tures could be there to let Apple — or even the Nation­al Secu­ri­ty Agency or the FBI — get access to most of your iOS device’s data with­out you know­ing it.

In a pre­sen­ta­tion Fri­day (July 18) at the HOPE X hack­er con­fer­ence here, Zdziark­si detailed his dis­cov­er­ies about the data-col­lec­tion tools hid­den on iOS devices. Some tools are list­ed by name, yet not explained, in the Apple devel­op­er man­u­al and do far more than adver­tised. Oth­ers are undoc­u­ment­ed and buried deep with­in the iOS code.

The hid­den fea­tures may part­ly explain alle­ga­tions, based on doc­u­ments leaked in the Snow­den archive, in the Ger­man news­magazine Der Spiegel that the NSA has had the abil­i­ty to access data on Black­Ber­rys and Android and iOS devices. Der Spiegel did not detail how the NSA would do so.

The undoc­u­ment­ed fea­tures can be accessed by any PC or Mac to which a tar­get­ed iOS device has been con­nect­ed via USB, Zdziars­ki says. Some hid­den fea­tures can also be accessed via Wi-Fi while the phone is at rest, or even while the own­er is using it.

Zdziark­si is cer­tain that these mech­a­nisms, what­ev­er their pur­pose, are no acci­dent. He has seen them become more com­plex, and they seem to get as much main­te­nance and atten­tion as iOS’s adver­tised fea­tures. Even as Apple adds new secu­ri­ty fea­tures, the com­pa­ny may be adding ways to cir­cum­vent them.

“I am not sug­gest­ing some grand con­spir­a­cy,” Zdziars­ki clar­i­fied in a blog post after his HOPE X talk. “There are, how­ev­er, some ser­vices run­ning in iOS that should­n’t be there, that were inten­tion­al­ly added by Apple as part of the firmware and that bypass back­up encryp­tion while copy­ing more of your per­son­al data than ever should come off the phone for the aver­age consumer.”

“My hope is that Apple will cor­rect the prob­lem,” he added in the blog post­ing. “Noth­ing less, noth­ing more. I want these ser­vices off my phone. They don’t belong there.”

Apple has not yet respond­ed to a request for comment.
The keys to the kingdom

How would some­one con­nect to these mech­a­nisms on an iPhone? Zdziars­ki explained the trick has to do with iOS “pair­ing.” When an iOS device con­nects to a PC or a Mac via USB, the mobile device and the com­put­er exchange secu­ri­ty cer­tifi­cates that estab­lish a trust­ed rela­tion­ship between the two, and exchange encryp­tion keys for set­ting up an encrypt­ed SSL channel.

The keys and cer­tifi­cates are stored on the iOS device and on the desk­top, and nev­er delet­ed unless the iOS device is wiped (via the “Erase All Con­tents and Set­tings” fea­ture) or the desk­top is restored to fac­to­ry set­tings. In most cas­es, this pair­ing rela­tion­ship is estab­lished auto­mat­i­cal­ly as soon as the devices are connected.

The first step in spy­ing on an iOS device is to get that pair­ing data. A tar­get­ed iPhone could be covert­ly con­nect­ed to a com­put­er with­out the own­er’s knowl­edge (sort of the James Bond approach). Or spy­ware could be installed on the tar­get­ed per­son­’s desk­top, and the pair­ing data copied.

With the pair­ing data, attack­ers can locate the tar­get­ed iOS device on a Wi-Fi net­work. Because iPhones are set up to auto­mat­i­cal­ly join net­works whose names they rec­og­nize (like “linksys” or “attwifi”), attack­ers can also force an iPhone to con­nect to an attack­er-con­trolled network.

In a research paper pub­lished in March in the jour­nal Dig­i­tal Inves­ti­ga­tion, Zdziars­ki writes: “It may even be pos­si­ble for a gov­ern­ment agency with priv­i­leged access to a cel­lu­lar car­ri­er’s net­work to con­nect to the device over cel­lu­lar (although I can­not ver­i­fy this, due to the car­ri­er’s firewalls).”

This is all a lot of ifs, of course. The attack­er has to have the pair­ing keys; the attack­er must know where the tar­get­ed iOS device is; the attack­er has to get on the same Wi-Fi net­work as the device; and the iPhone needs to have its Wi-Fi switched on. This may be more than the aver­age crim­i­nal could pull off, but it would­n’t be dif­fi­cult for the NSA, an agency with an approx­i­mate­ly $52 bil­lion bud­get, or the FBI.
Some­thing in the mechanism

Once the paired con­nec­tion is estab­lished, access is grant­ed to the mys­tery tools. Per­haps the most seri­ous is one that Zdziars­ki described as an “undoc­u­ment­ed file-relay ser­vice that real­ly only has rel­e­vance to pur­pos­es of spy­ing and/or law enforcement.”

The fea­ture, com.apple.mobile.file_relay, copies and relays near­ly all the data stored on an iOS device, even when Back­up Encryp­tion is enabled. It is sep­a­rate from iOS’s doc­u­ment­ed back­up and sync features.

Since around 2009 iOS devices have had an option­al fea­ture called Back­up Encryp­tion. The fea­ture encrypts all data backed up from an iOS device to a PC or Mac run­ning iTunes, com­plete with a sep­a­rate pass­word. File_relay bypass­es the password.

Oth­er tools are are only part­ly doc­u­ment­ed in offi­cial Apple pub­li­ca­tions. One is a pack­et snif­fer, or net­work traf­fic ana­lyz­er, called com.apple.pcapd that views all net­work traf­fic and HTTP head­er data going to and from the iOS device. (Some pack­et snif­fers can also ana­lyze traf­fic to and from oth­er devices on the same Wi-Fi network.)

Pack­et snif­fers can be use­ful for iOS devel­op­ers test­ing their apps, but Zdziark­si said the fea­ture enabled on all iOS devices, even those not in devel­op­er mode.

“Why do we need a pack­et snif­fer run­ning on 600 mil­lion per­son­al iOS devices?” Zdziars­ki asked dur­ing his presentation.

No visu­al indi­ca­tion is giv­en when com.apple.pcapd is run­ning; it could be trig­gered and run with­out the user’s knowledge.

“It remains a mys­tery why Apple decid­ed that every sin­gle recent device need­ed to come with a pack­et snif­fer,” Zdziark­si wrote in his research paper.
Tell me why

Why do these fea­tures exist? Zdziars­ki can’t prove that they were cre­at­ed as back­doors for law enforce­ment, and isn’t even sure they were. But in his talk, he elim­i­nat­ed some of the oth­er possibilities.

Could the fea­tures be there for devel­op­ers? No, said Zdziars­ki: Most of the mech­a­nisms he iden­ti­fied are not in the offi­cial Apple devel­op­er manual.

Are they there for Apple’s engi­neers? No: Engi­neer­ing tools don’t need to be installed on every sin­gle iPhone.

Is it sim­ply for­got­ten code? No: Zdziark­si has seen these tools grow more capa­ble with each iter­a­tion of iOS. When Apple added the Back­up Encryp­tion fea­ture, he said, it also added the means to cir­cum­vent it. Clear­ly, Zdziars­ki feels, Apple is keep­ing these secret abil­i­ties alive.

“They’re main­tain­ing this code,” Zdziars­ki said at the HOPE X talk. “Over the years, year after year, there are new data sources in file_relay … nobody has for­got­ten about [these mechanisms].”

“I think at the very least, this war­rants an expla­na­tion and dis­clo­sure to the some 600 mil­lion cus­tomers out there run­ning iOS devices,” Zdziark­si wrote on his blog. “At the same time, this is NOT a zero day and NOT some wide­spread secu­ri­ty emer­gency. My para­noia lev­el is tweaked, but not going crazy.”