Jonathan Zdziarski concluded that the vast majority of iThing owners are unaware of lax mechanisms protecting their data.
Data forensics expert and author Zdziarski wrote an academic paper on his findings in March, and gave a related talk [PDF] at the Hackers On Planet Earth (HOPE X) conference in New York on Friday.
The results of his research – triggered by reports of the NSA spying on Apple products – indicate a backdoor in iOS, although it's not as wide open as some reports have suggested.
"There are certain steps that have to be taken to get this data," Zdziarski told The Register. "Backdoors are guarded, there are things protecting it – you don’t just type 'Joshua' for full access."
Zdziarski's analysis shows that 600 million iOS devices, particularly those running the most recent version 7 builds, have data discovery tools that are separate from those used by Apple for standard backup and storage. These include a file-relay service that can snoop out data, bypassing the Backup Encryption service offered by Apple.
This data includes a copy of the user's address book, stored photos, the voicemail database and audio files, any accounts configured on the device such as iCloud, Facebook or Twitter, a cache of screenshots, keystrokes and the device's clipboard, GPS data, and – on iOS 7 – a metadata disk sparseimage of the iOS file system.
Zdziarski notes that this is a one-way tool, in that it's very useful for taking data off the device but not for putting it back on for a backup service. The data is also in too raw a format to be of any use to a Genius Bar tech support team.
In addition, we're told, there is a packet sniffer dubbed com.apple.pcapd on the device that fires up without notifying the iOS device's owner. This can log and export network traffic and HTTP request/response data from the device, and could be targeted via Wi-Fi for remote monitoring, Zdziarski said.
This software isn't some legacy code left on the device by Apple engineers for testing – it has been actively updated and expanded in various iOS revisions, according to Zdziarski.
But it's not something Apple has talked about, or even officially documented, and seems to have little to offer other than for those who seek to slurp data off iOS devices. It is separate from the packet-tracing techniques described on the Apple developer website.
When the cops come knocking...
One possibility is that the software is needed so that the gadgets conform to the 1994 Communications Assistance for Law Enforcement Act (CALEA), which requires tech firms to have systems in place to allow properly accredited law enforcement limited access for wiretapping.
But Zdziarski told El Reg that the software didn’t look fit for that purpose.
"I think Apple has exceeded any requirements the CALEA law has with these tools," he said. "The existence of these interfaces exceeds anything that law requires. It could be that there's some kind of secret court order requiring this, but if there is then the public needs to know about and understand that."
Of course, to access all these hidden tools you'd need access to the target's iPhone, and Apple's security is invincible, right? Not so fast there: Zdziarski has also uncovered a way to get around this that, while hard for common-or-garden hackers, wouldn't be too tough for law enforcement.
When an iOS device pairs with a desktop system to sync data, the mobile operating system establishes a trusted connection and generates a set of keys and certificates, which is stored as a single pairing file on both the PC and the device. Only a factory reset wipes this pairing data from the iOS device.
While pairing is done over USB, if someone has access to this pairing data, the device becomes much easier to crack. The pairing data is exchanged via TCP port 62078, and an attacker could log onto the device in seconds if they share the same Wi-Fi network.
Getting access to pairing data would be tricky for a hacker working alone, but if law enforcement impounds someone's desktop, it's easy for a cop or g-man to crack any iOS device the PC is paired with. If you're the NSA, with a Tailored Access Operations division that specializes in this sort of thing, getting into Apple's backdoor is easy as pie.
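The article's point that the pairing exchange runs over TCP port 62078 and is reachable over Wi-Fi gives a network defender something concrete to watch for. The following added example (not from the article or from Zdziarski's research) parses a few constructed flow-log lines in an assumed "timestamp proto src:port -> dst:port" format and reports any host outside an allow-list of known sync machines that opened that port on a device:

```python
import re
from collections import defaultdict

# Constructed sample flow-log lines (not taken from the article). The line
# format "<ts> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>" is assumed.
SAMPLE_FLOWS = """\
2014-07-21T10:02:11 tcp 10.0.0.5:51234 -> 10.0.0.20:62078
2014-07-21T10:02:12 tcp 10.0.0.5:51235 -> 10.0.0.20:62078
2014-07-21T10:05:40 tcp 10.0.0.77:40001 -> 10.0.0.20:62078
2014-07-21T10:06:02 tcp 10.0.0.77:40002 -> 10.0.0.21:62078
2014-07-21T10:07:00 tcp 10.0.0.5:51300 -> 10.0.0.20:443
"""

# Port the article names for the iOS pairing exchange.
LOCKDOWN_PORT = 62078

FLOW_RE = re.compile(r"^(\S+)\s+(\w+)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$")


def parse_flow(line):
    """Parse one flow line into a dict, or return None for unparseable input."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, sport, dst, dport = m.groups()
    return {"ts": ts, "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}


def lockdown_clients(log_text):
    """Map each device IP to the set of hosts that opened its pairing port."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_flow(line)
        if f and f["proto"] == "tcp" and f["dport"] == LOCKDOWN_PORT:
            clients[f["dst"]].add(f["src"])
    return dict(clients)


def unexpected_lockdown_access(log_text, known_sync_hosts):
    """Return sorted (device, client) pairs where a host outside the
    allow-list reached the pairing port: a candidate for investigation."""
    alerts = []
    for device, srcs in sorted(lockdown_clients(log_text).items()):
        for src in sorted(srcs - set(known_sync_hosts)):
            alerts.append((device, src))
    return alerts


if __name__ == "__main__":
    # 10.0.0.5 is the only machine expected to sync with these devices.
    for device, client in unexpected_lockdown_access(SAMPLE_FLOWS, {"10.0.0.5"}):
        print(f"ALERT: {client} opened the pairing port on {device}")
```

Feeding real flow or firewall logs through the same filter shows which hosts on a network are talking to devices' pairing port, which is the traffic the article says a holder of stolen pairing data would generate.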
Zdziarski said he was inspired to delve deeper into iOS security after reading a report in Der Spiegel that the NSA was targeting iOS gadgets and the systems they are paired with. While Zdziarski says he doesn't want to be sensationalist about his findings, it's clear Apple owes customers some answers.
Cook & Co were unavailable for comment at time of going to press. ®
Updated to add: After publication, Apple apparently briefed journalists that the services identified by Zdziarski are not deliberately provided for government agencies to exploit. Instead, they are for "diagnostic" purposes and to allow enterprise IT bods to manage workers' devices.
"The problem with this is that these services dish out data (and bypass backup encryption) regardless of whether or not 'Send Diagnostic Data to Apple' is turned on or off, and whether or not the device is managed by an enterprise policy of any kind," Zdziarski responded on his blog.
"Every single device has these features enabled and there’s no way to turn them off, nor are users prompted for consent to send this kind of personal data off the device."
Defenders of Apple have been quick to suggest that the mechanisms highlighted by Zdziarski are known to some developers; for example, an unofficial open-source client exists for the file-relay service so that Linux computers can talk to iThings, and some notes exist for lockdownd. However, the presence of these services is not flagged up to users, and the pcapd daemon remains unexplained – indeed, Apple's documentation insists: "iOS does not support packet tracing directly." All of which is a cause for concern.
"The consumer is also not aware of these mechanisms, nor are they prompted in any way by the device. There is simply no way to justify the massive leak of data as a result of these services, and without any explicit consent by the user," he added.
"I don’t buy for a minute that these services are intended solely for diagnostics. The data they leak is of an extreme personal nature. There is no notification to the user. A real diagnostic tool would have been engineered to respect the user, prompt them like applications do for access to data, and respect backup encryption."