Undocumented iOS Features left Hidden Backdoors Open in 600 Million Apple Devices
A well known iPhone hacker and forensic scientist has unearthed a range of undocumented and hidden functions in Apple iOS mobile operating system that make it possible for a hacker to completely bypass the backup encryption on iOS devices and can steal large amounts of users' personal data without entering passwords or personal identification numbers.

Data forensics expert named Jonathan Zdziarski has posted the slides (PDF) titled "Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices" showing his findings, from his talk at the Hackers On Planet Earth (HOPE X) conference held in New York on Friday.

Jonathan Zdziarski, better identified as the hacker "NerveGas" in the iPhone development community, worked as dev-team member on many of the early iOS jailbreaks and is also the author of five iOS-related O'Reilly books including "Hacking and Securing iOS Applications."

The results of his overall research on the iOS devices indicate a backdoor into iOS device' operating system, although it is not at all that much widely open as a number of reports have suggested.

You can protect your iOS device settings, Messages, Camera Roll, documents, saved games, email account passwords, Wi-Fi passwords, and passwords that you enter into websites using iTunes Backup feature. iTunes also allows users to protect their backup data with an encryption.

He researched about the capabilities and services available in iOS for data acquisition and found that over 600 million personal iOS devices, particularly those running the latest version iOS 7, have secret data discovery tools or 'undocumented features' that have the ability to bypass the iOS backup encryption, but only under certain circumstances.

When your backup is encrypted, you will need to enter the password when enabling or disabling encryption or when restoring from the backup, but according to Zdziarski, there is a iOS service called mobile file_relay, can be accessed remotely or through a USB connection to bypass the backup encryption.

This staggering amount of data includes a full copy of the user's address book including deleted entries, stored photos, the voicemail database and audio files, any account data configured on the device such as iCloud, email, Facebook, Twitter, and other services, the user cache of screenshots, keystrokes and the device's clipboard, GPS data—all without requiring a backup password to be entered.
"Between this tool and other services, you can get almost the same information you could get from a complete backup," Zdziarski said in an interview. "What concerns me the most is that this all bypasses the consumer backup encryption. When you click that button to encrypt the backup, Apple has made a promise that the data that comes off the device will be encrypted."
Apart from this, there are two other services as well, a packet sniffer dubbed com.apple.pcapd and the other com.apple.mobile.house_arrest on the device that may have legitimate uses for users and app developers but can also be used to spy on users by the government intelligence agencies and bad actors.

The pcapd service fires up without notifying the iOS device's owners and allows an attacker to remotely monitor all network traffic traveling into and out of the device via Wi-Fi, even when the device is not running in a special developer or support mode. pcapd service can log and export network traffic and HTTP request/response data traveling into and out of the device.

The House_arrest service, on the other side, allows iTunes to copy sensitive files and documents from third party applications such as Twitter, Facebook, and other data stored in "vaults", and much more.

  • Zdziarski also includes some questions in its presentation for Apple:
  • Why is there a packet sniffer running on 600 million personal iOS devices instead of moved to the developer mount?
  • Why are there undocumented services that bypass user backup encryption that dump mass amounts of personal data from the phone?
  • Why is most of my user data still not encrypted with the PIN or passphrase, enabling the invasion of my personal privacy by YOU?
  • Why is there still no mechanism to review the devices my iPhone is paired with, so I can delete ones that don't belong?
and summed it up logically in his last slide (page 57 of the PDF) as follows:
  • Apple is dishing out a lot of data behind our backs.
  • It's a violation of the customer's trust and privacy to bypass backup encryption.
  • There is no valid excuse to leak personal data or allow packet sniffing without the user's knowledge and permission.
  • Much of this data simply should never come off the phone, even during a backup.
  • Apple has added many conveniences for enterprises that make tasty attack points for .gov and criminals.
  • Overall, the otherwise great security of iOS has been compromised… by Apple… by design.
  • The Attacker first need to grab the pairing keys
  • The targeted iOS device should be physically near to the attacker
  • Targeted iPhone needs to have its Wi-Fi switched ON
  • The Attacker and targeted iOS device should be in the same Wi-Fi network
  • Targeted device should not been rebooted since the last time the user entered the PIN
If we consider these dependency, practically it is not possible for an attacker to carry out the attack as it can be executed when a user's device matches all the above circumstances.

A number of undocumented services and features in iOS map are pretty close to the capabilities of some NSA's tools, specifically DROPOUTJEEP hacking tool, implant for Apple iOS devices that allows the NSA to remotely control and monitor nearly all the features of an iPhone, including text messages, Geo-Location, microphone and the Camera, which was revealed by documents leaked by Edward Snowden.
"If you're the NSA, with a Tailored Access Operations division that specializes in this sort of thing, getting into Apple's backdoor is easy as pie," the Register notes.
Zdziarski clarified that he is not pin-pointing to these services as intentional backdoors for the NSA or other intelligence agency, but he believes there is evidence that the agency may be using the services, nonetheless.


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.