Jump to content

Much fuss over iOS security.....


ross549

Recommended Posts

The disclosure of backdoors within iOS has ruffled feathers in the security industry, and it is no surprise that the tech blogs have left out some crucial information.

 

Here's an example:

 

http://arstechnica.com/security/2014/07/undocumented-ios-functions-allow-monitoring-of-personal-data-expert-says/

 

The article goes on and on about the types of data that could be extracted from the device, but has this one key sentence which lays out the crucial step that MUST be taken in order to enable this eavesdropping:

 

Still, he said some of the services serve little or no purpose other than to make huge amounts of data available to anyone who has access to a computer, alarm clock, or other device that has ever been paired with a targeted device.

 

Did you catch that? The device must be paired with the host computer that will be doing the spying/extraction of this data. Some of the data can be read from the USB connection, and potentially over the air via wifi.

 

Anyone who does not have an iOS device should know something important. The device, if connected to a new host, will not establish a data connection unless specifically directed to do so by the user.

 

Here is an excerpt from the original blog post by the researcher:

 

Before the journalists blow this way out of proportion, this was a talk I gave to a room full of hackers explaining that while we were sleeping, this is how some features in iOS have evolved over the PAST FEW YEARS, and of course a number of companies have taken advantage of some of the capabilities. I have NOT accused Apple of working with NSA, however I suspect (based on released documents) that some of these services MAY have been used by NSA to collect data on potential targets. I am not suggesting some grand conspiracy; there are, however, some services running in iOS that shouldn’t be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer. I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices. At the same time, this is NOT a zero day and NOT some widespread security emergency. My paranoia level is tweaked, but not going crazy. My hope is that Apple will correct the problem. Nothing less, nothing more. I want these services off my phone. They don’t belong there.

 

Is it any surprise that the press has largely ignored the details and instead focused on spreading FUD (Fear, uncertainty, and doubt) regarding this "back door"?

 

Apple has put up a support page regarding these services:

 

http://support.apple.com/kb/HT6331

 

Apple has also categorically denied working with any government agency to enable back door access to it's customer devices.

 

It cannot be restated enough- one thing MUST happen for these backdoors can be exploited. The device must be connected to a host computer and the device must be explicitly authorized to communicate with the host computer.

 

Good security is hard. Keep in mind that the Internet was originally designed as a "trust everyone" construct, and we are slowly moving to the idea that we should trust no one. Implementing bulletproof security would make using a device difficult at best. Look at how much we have to do in order to secure a Windows 7 machine, for example.

 

iOS was built from the ground up with security in mind, and things like this are still found. The real danger of information spillage is very, very low. However, if someone steals your device, they will have to defeat the passcode on the device FIRST before they can even use this "exploit" at all.

 

Adam

  • Like 2
Link to comment
Share on other sites

Guest LilBambi

Apple details iOS diagnostics capabilities in answer to 'backdoor' services allegations - AppleInsider

 

In what appears to be a response to allegations of installing "backdoor" services with the intent to harvest data from iOS devices, Apple on Tuesday posted to its website an explanation of three diagnostics capabilities built in to the mobile OS.

 

 

There are still situations where a user could be forced upon pain of jail time to give up that information and a USB cable could be connected to snag encrypted information bypassing that encryption.

 

I would say that in 'normal' situations, you are totally right Adam, in most situations, normal users would likely never have to worry about this.

 

But if someone is say; a journalist in hostile environments such as visiting a foreign country, etc., iOS devices may not be the best choice.

Link to comment
Share on other sites

There are still situations where a user could be forced upon pain of jail time to give up that information and a USB cable could be connected to snag encrypted information bypassing that encryption.

 

That is not a security breach, however. It is coercion. If you are being threatened with jail time or whatever, then they will still not be able to get at your data unless you cough up your pin/passphrase.

 

Sure, there are situations where any phone would be a risk. It's not just Apple devices that would be vulnerable.

 

My whole point is this- the numerous articles I have seen really gloss over the point that the device must be connected to a host computer and the passcode/phrase input by the owner in order to gain access to the data.

 

We can imagine all kinds of nightmarish scenarios, but nothing will stop those scenarios. I could be tortured for my pin code. They still could not get the data from the device unless I cough up the code.

 

Once again, I think this story is much ado about nothing.

 

Adam

  • Like 1
Link to comment
Share on other sites

Guest LilBambi

The thing is that many apps also have PINS and are encrypted. If you are forced to give up the main password/pin to get in, they can use the USB and backdoor to get what they want whether it's encrypted or not.

Link to comment
Share on other sites

Either way, if the device is itself physically compromised, then any number of tricks will result in the loss of your data. This does not really bring anything new to the table.

Link to comment
Share on other sites

To what end? As I mentioned earlier, this leak of data requires a couple of things to happen first. In that situation, the data could be leaked by any other variety of means. Once the device is in someone else's hands, all bets are off. No one is going to remotely spy on your phone. A hacker cannot use this to gain access to your phone.

 

This is why we have the remote wipe options. If your phone is lost/compromised, simply issue a remote wipe to the device. Your data will be gone.

 

Adam

Link to comment
Share on other sites

i agree with Ross549 on this one - way,way,way much ado about nothing. it is for sure not a hack nor a break in.

 

edit: and i see some of the I.T. media is backing away from their use of the negative terms.

Edited by crp
Link to comment
Share on other sites

  • 4 months later...

I'm a little confused--part of the time the article referred to "unlocking" a phone. Unlocking a phone and decrypting data stored on that phone (or it's associated cloud account) are two distinctly separate actions are they not? Or is this just me being obtuse?

Link to comment
Share on other sites

I'm a little confused--part of the time the article referred to "unlocking" a phone. Unlocking a phone and decrypting data stored on that phone (or it's associated cloud account) are two distinctly separate actions are they not? Or is this just me being obtuse?

2 different actions with different legal guidelines.
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...