Apple continues to fight an uphill battle over claims that iOS ins’t secure and is leaving people’s iPhone and over device data at risk.
One forensic scientist is alleging that iOS contains a proverbial backdoor that could allow Apple, the government or hackers in general, to obtain personal information from the user.
The accusation was presented at the recent Hope X security conference by researcher Jonathan Zdziarski, who has also published a paper on the alleged security hole. He says Apple does not adequately encrypt data from its own apps, which leaves it open to third parties should they be sophisticated enough to access it.
Zdziarski explained:
“Once the device is first unlocked after reboot, most of the data-protection encrypted data can be accessed until the device is shut down. Your device is almost always at risk of spilling all data, since it’s almost always authenticated, even while locked … the only true way to encrypt data is to shut down/power off the iPhone.”
It’s not just throw away data either, Zdziarski says it’s extremely sensitive stuff like what you’ve typed on the keyboard, your locations, and caches of data left behind from deleting contacts and screenshots of pages. He says it also includes account information for social media apps like Twitter, as well as iCloud and email.
He says the vulnerability is exposed by using any device, PC, iPhone dock etc that has previously been linked to the iOS device in question.
While your average smartphone user is not going to have a clue about how to breach iPhone security, he suggests that the security hole is there for those well versed and inclined to breach it.
The term backdoor usually implies that a security hole has been deliberately built in to the device, but Zdziarski has not accused Apple of doing it intentionally. He does however suggest the US National Security Agency (NSA) may be utilizing the vulnerability as part of its citizen surveillance program.
Apple themselves insist there’s nothing sinister going on, and the security hole is part of a routine process that users agree to.
“We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues. A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent. As we have said before, Apple has never worked with any government agency from any country to create a backdoor in any of our products or services.”
Zdziarski however does not accept this explanation. “I don’t buy for a minute that these services are intended solely for diagnostics,” he wrote on a recent blog. “The data they leak is of an extreme personal nature. There is no notification to the user. A real diagnostic tool would have been engineered to respect the user, prompt them like applications do for access to data, and respect backup encryption.”
“I have NOT accused Apple of working with NSA, however I suspect (based on released documents) that some of these services MAY have been used by NSA to collect data on potential targets.”
Zdziarski also claims that forensic software manufacturers are on to this backdoor and are already selling their services to law enforcement agencies.
So how do you stay protected? Zdziarski suggests installing the Apple Configurator app, and then deleting all pairing records within Mobile Device Management.
Leave a Reply