Diagnostic tools in iOS have access to far more personal data than previously thought, bypass encryption
So which is it? Well, it is a bit of both depending on how you look at it. From our view, it looks like this follows similar news we shared a couple months ago about how encryption of data is managed and (not) respected on iOS devices.
Before delving into some of the details we should point out that no one, including the person who has been sharing his findings, is trying to make it look like the “sky is falling,” or that this is the “zombie apocalypse.” That these features even exist probably should not come as a surprise to anyone, as they have been around for years. Taking the nuance of who said what to whom, and when, out of the picture for a moment, this information is quite interesting, and revealing.
Jonathan Zdziarski is a forensic scientist, hacker, and reverse engineer. He is an established security authority when it comes to iOS and has written a number of books related to iOS development, the iPhone SDK, as well as how to hack and secure iOS apps. What is all the hubbub about?
First, is this about a backdoor? Yes. Is this something that any Tom-Dick-or-Harry can exploit? No. Does this reflect a number of services that any common person would ask, “Why does that need to be set-up in such a way?” We suspect many of you would say, “Yes.” Should you panic? In Zdziarski’s own words, “DON’T PANIC.”
As you may or may not know, or suspect, Apple does have tools baked into iOS that allow developers, IT departments, and Apple itself, to access an iOS device for purposes of troubleshooting, diagnostics, and file transfers. However, these tools ostensibly are prone to exploitation like any software or operating system. Given the number of services and amount of data in this case though, it is noteworthy.
For Zdziarski, the issue is not that these tools exist, it is due to the fact that there are over 40 services running on an iOS device that hold a great deal of personal data, and they are all accessible through these tools, bypassing encryption (as shown in the video below). Despite the legitimate uses these tools have, some of them could be activated and accessed without the user’s knowledge.
We should point out that the iPhone (or iPad) does need to be paired to a “trusted” device, but pairing can be spoofed, especially if the pairing file resides on a compromised computer that syncs with an iPhone. That file could be copied and stolen and then used from another machine. The iOS device would not know the difference, and the pairing record stays on the device until it is wiped. The iOS device does not need to be jailbroken or tied into a private network either, and the services could be activated wirelessly.
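Because a copied pairing record is the key ingredient in the scenario above, a practical defensive step is to know which pairing records a sync host actually holds, and to remove the ones that are stale or no longer needed. The following audit script is an added example and is not code from Zdziarski's research or from Apple; it assumes the host stores one property-list file per paired device, named by device UDID, in the usual lockdown directory (`/var/db/lockdown` on macOS, `C:\ProgramData\Apple\Lockdown` on Windows, both assumed here), and that device records carry a `HostID` key while private-key material appears under keys such as `HostPrivateKey`. The sample store it builds is constructed data so the script runs offline.

```python
import os
import plistlib
import tempfile
import time

# Assumed default pairing-record locations (not taken from the article).
DEFAULT_STORES = {
    "darwin": "/var/db/lockdown",
    "win32": r"C:\ProgramData\Apple\Lockdown",
}

# Keys assumed to hold secret material; a record containing these is
# sufficient on its own for a host to be trusted by the device.
KEY_MATERIAL = ("HostPrivateKey", "RootPrivateKey", "EscrowBag")


def audit_pairing_records(store_dir, max_age_days=90, now=None):
    """Return one finding per device pairing record found in store_dir.

    Each finding reports the device UDID (from the file name), the HostID the
    record was issued to, the record's age in days (from file mtime), whether
    it is older than max_age_days, and whether it carries private-key material.
    Files without a HostID (e.g. SystemConfiguration.plist) are skipped.
    """
    now = now if now is not None else time.time()
    findings = []
    for name in sorted(os.listdir(store_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(store_dir, name)
        udid = name[: -len(".plist")]
        try:
            with open(path, "rb") as fh:
                record = plistlib.load(fh)
        except Exception as exc:  # unreadable or malformed plist
            findings.append({"udid": udid, "error": str(exc)})
            continue
        if "HostID" not in record:
            continue  # not a per-device pairing record
        age_days = (now - os.path.getmtime(path)) / 86400.0
        findings.append({
            "udid": udid,
            "host_id": record["HostID"],
            "age_days": round(age_days, 1),
            "stale": age_days > max_age_days,
            "has_private_keys": any(k in record for k in KEY_MATERIAL),
        })
    return findings


def build_sample_store():
    """Create a throwaway store with two constructed records for a dry run."""
    store = tempfile.mkdtemp(prefix="lockdown-audit-")
    now = time.time()
    fresh = {"HostID": "HOST-FRESH", "SystemBUID": "BUID-1",
             "HostCertificate": b"fake-cert", "HostPrivateKey": b"fake-key"}
    stale = {"HostID": "HOST-STALE", "SystemBUID": "BUID-1",
             "HostCertificate": b"fake-cert"}
    for udid, rec, age_days in (("0000FRESH", fresh, 1),
                                ("0000STALE", stale, 400)):
        path = os.path.join(store, udid + ".plist")
        with open(path, "wb") as fh:
            plistlib.dump(rec, fh)
        stamp = now - age_days * 86400
        os.utime(path, (stamp, stamp))  # back-date to simulate record age
    # A non-device file that a real store also contains; must be skipped.
    with open(os.path.join(store, "SystemConfiguration.plist"), "wb") as fh:
        plistlib.dump({"SystemBUID": "BUID-1"}, fh)
    return store


if __name__ == "__main__":
    target = os.environ.get("LOCKDOWN_DIR") or build_sample_store()
    for finding in audit_pairing_records(target):
        print(finding)
```

Run it with `LOCKDOWN_DIR=/var/db/lockdown` (elevated privileges are normally required to read that directory) to list the devices a Mac has paired with; with no environment variable it audits the constructed sample. Records flagged as stale, or belonging to devices you no longer own, can be deleted from the host, and on the device side the trust list is cleared with Settings > General > Reset > Reset Location & Privacy, which forces every host to ask for trust again.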
From a security consultant’s point of view, that would be regarded as a vulnerability. As for the data that is accessible, it is not mere metadata, or what anyone could argue as diagnostic in nature. Indeed, once enabled, there is access to the complete photo album, SMS and iMessage messages, notes, contact list, screenshots, and GPS location data.
In his proof of concept video below, Zdziarski shows how, once paired, data can be extracted in a number of different ways, under a variety of “threat models.” As you can see, this does not make a lost or stolen phone a “wild, wild west” for whoever ends up with it. However, these services do bypass the user encryption.
The video is about 25 minutes long. The iPhone being used is running iOS 7.1.2, backup encryption is enabled with a PIN lock, and Wi-Fi sync was turned off. As we noted earlier, Zdziarski is not pushing a panic button, but he does believe it is something that needs to be a bit more visible in the public discourse, especially given the number of services running and the amount of information that is available by using these tools.
source: Jonathan Zdziarski (1, 2)