iOS 8 fixes ‘backdoor’ surveillance and forensics vulnerabilities

By Joe Rossignol

Published 14 Sep 2014


iPhone jailbreak expert and forensic scientist Jonathan Zdziarski has published an extensive article that confirms Apple has addressed the various iOS surveillance and forensics vulnerabilities that he brought to light during a presentation at the Hackers On Planet Earth (HOPE/X) conference in July. A number of services that allowed for the collection of personal data or posed the threat of wireless surveillance have been guarded or restricted in iOS 8.

Earlier this year, Zdziarski claimed that iOS had several so-called “backdoor” services that made data collection easier for both Apple and government agencies. The allegations came at a time of heightened privacy concerns, after former NSA contractor and whistleblower Edward Snowden leaked several documents revealing how the NSA collects phone records on millions of customers and has software to spy on iOS device owners.

Apple subsequently denied creating these services for government agencies to spy on iPhone users, issuing the following statement:

“We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues. A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent.”

Apple also provided an Update on National Security and Law Enforcement Orders in January.

File Relay Denied

Attempts to dump any one of dozens of file relay data sources on iOS 8 are denied

Zdziarski claims that File Relay, the service responsible for the biggest privacy threat, has been properly safeguarded in the latest iPhone software version and now prevents law enforcement forensics tools from dumping sensitive data like complete photo albums, SMS messages, address books, typing caches, geolocation caches, application screenshots and more. According to Zdziarski, file relay can only be activated under certain circumstances, such as beta releases or managed devices.

“File Relay (com.apple.mobile.file_relay) was the service responsible for causing the biggest potential privacy threat, by dumping large amounts of personal data from the device and bypassing the user’s backup encryption password,” writes Zdziarski. “The file relay service is now guarded. While the service still exists, all attempts to extract data from it will fail with a permission denied error.”

The forensics expert notes that Apple has restricted connections to a number of other services, including “house_arrest, afc, and others,” adding that wireless clients are no longer permitted to obtain file handles to application sandboxes and, as such, cannot dump third-party application data across Wi-Fi. Wireless clients are also not permitted access to a user’s media folder via Apple File Connection (AFC) or to certain other types of data.

Last, he reports that Apple has disabled wireless access to the built-in packet sniffer (com.apple.pcapd) in iOS 8.

While file relay is now restricted, with certain mechanisms to guard it, Zdziarski claims that further research into the service needs to be done. The forensics expert also notes that there is another mechanism that has not been properly addressed:

“One mechanism that hasn’t been addressed adequately is the ability to obtain a handle to application sandboxes across a USB connection, even while the device is locked. This capability is used by iTunes to access application data, but also presents a vulnerability: commercial forensics tools can (and presently do) take advantage of this mechanism to dump the third party application data from a seized device, if they have access to (or can generate) a valid pairing record with the device.

For example, if you are detained at an airport or arrested and both your laptop and your phone are seized, or if your phone is seized unlocked (without a laptop present), a number of forensics tools including those from Oxygen, Cellebrite, AccessData, Elcomsoft and others are capable of dumping third party application data across USB. It is not designed to be protected with a backup password either, putting the data at risk of being intercepted in cleartext.”

In the meantime, to ensure the security of your device, it is recommended that you power off your device when traveling through airports or if you suspect you may be detained by law enforcement.

Ultimately, Zdziarski concludes that iOS 8 sufficiently addresses the threat of persistent wireless surveillance and exposure of Apple devices to commercial forensics tools.

iOS 8 is the latest version of Apple’s mobile operating system for iPhone, iPad and iPod touch. The software will come pre-installed on the iPhone 6 and iPhone 6 Plus, while it is available as a free update for other compatible devices beginning September 17th. iOS 8 has several new features that make the software platform much more open, including functionality like third-party keyboards, widgets and interactive notifications.

[via Jonathan Zdziarski]