ross549 Posted July 23, 2014 Share Posted July 23, 2014 The disclosure of backdoors within iOS has ruffled feathers in the security industry, and it is no surprise that the tech blogs have left out some crucial information. Here's an example: http://arstechnica.com/security/2014/07/undocumented-ios-functions-allow-monitoring-of-personal-data-expert-says/ The article goes on and on about the types of data that could be extracted from the device, but has this one key sentence which lays out the crucial step that MUST be taken in order to enable this eavesdropping: Still, he said some of the services serve little or no purpose other than to make huge amounts of data available to anyone who has access to a computer, alarm clock, or other device that has ever been paired with a targeted device. Did you catch that? The device must be paired with the host computer that will be doing the spying/extraction of this data. Some of the data can be read from the USB connection, and potentially over the air via wifi. Anyone who does not have an iOS device should know something important. The device, if connected to a new host, will not establish a data connection unless specifically directed to do so by the user. Here is an excerpt from the original blog post by the researcher: Before the journalists blow this way out of proportion, this was a talk I gave to a room full of hackers explaining that while we were sleeping, this is how some features in iOS have evolved over the PAST FEW YEARS, and of course a number of companies have taken advantage of some of the capabilities. I have NOT accused Apple of working with NSA, however I suspect (based on released documents) that some of these services MAY have been used by NSA to collect data on potential targets. I am not suggesting some grand conspiracy; there are, however, some services running in iOS that shouldn’t be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer. I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices. At the same time, this is NOT a zero day and NOT some widespread security emergency. My paranoia level is tweaked, but not going crazy. My hope is that Apple will correct the problem. Nothing less, nothing more. I want these services off my phone. They don’t belong there. Is it any surprise that the press has largely ignored the details and instead focused on spreading FUD (Fear, uncertainty, and doubt) regarding this "back door"? Apple has put up a support page regarding these services: http://support.apple.com/kb/HT6331 Apple has also categorically denied working with any government agency to enable back door access to it's customer devices. It cannot be restated enough- one thing MUST happen for these backdoors can be exploited. The device must be connected to a host computer and the device must be explicitly authorized to communicate with the host computer. Good security is hard. Keep in mind that the Internet was originally designed as a "trust everyone" construct, and we are slowly moving to the idea that we should trust no one. Implementing bulletproof security would make using a device difficult at best. Look at how much we have to do in order to secure a Windows 7 machine, for example. iOS was built from the ground up with security in mind, and things like this are still found. The real danger of information spillage is very, very low. However, if someone steals your device, they will have to defeat the passcode on the device FIRST before they can even use this "exploit" at all. Adam 2 Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted July 23, 2014 Share Posted July 23, 2014 Apple details iOS diagnostics capabilities in answer to 'backdoor' services allegations - AppleInsider In what appears to be a response to allegations of installing "backdoor" services with the intent to harvest data from iOS devices, Apple on Tuesday posted to its website an explanation of three diagnostics capabilities built in to the mobile OS. There are still situations where a user could be forced upon pain of jail time to give up that information and a USB cable could be connected to snag encrypted information bypassing that encryption. I would say that in 'normal' situations, you are totally right Adam, in most situations, normal users would likely never have to worry about this. But if someone is say; a journalist in hostile environments such as visiting a foreign country, etc., iOS devices may not be the best choice. Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted July 23, 2014 Share Posted July 23, 2014 But likely no commercially available phone would be right in that circumstance. Likely one of Silent Circle's Blackphone might be a much better choice for those folks. Quote Link to comment Share on other sites More sharing options...
ross549 Posted July 23, 2014 Author Share Posted July 23, 2014 There are still situations where a user could be forced upon pain of jail time to give up that information and a USB cable could be connected to snag encrypted information bypassing that encryption. That is not a security breach, however. It is coercion. If you are being threatened with jail time or whatever, then they will still not be able to get at your data unless you cough up your pin/passphrase. Sure, there are situations where any phone would be a risk. It's not just Apple devices that would be vulnerable. My whole point is this- the numerous articles I have seen really gloss over the point that the device must be connected to a host computer and the passcode/phrase input by the owner in order to gain access to the data. We can imagine all kinds of nightmarish scenarios, but nothing will stop those scenarios. I could be tortured for my pin code. They still could not get the data from the device unless I cough up the code. Once again, I think this story is much ado about nothing. Adam 1 Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted July 24, 2014 Share Posted July 24, 2014 The thing is that many apps also have PINS and are encrypted. If you are forced to give up the main password/pin to get in, they can use the USB and backdoor to get what they want whether it's encrypted or not. Quote Link to comment Share on other sites More sharing options...
ross549 Posted July 24, 2014 Author Share Posted July 24, 2014 Either way, if the device is itself physically compromised, then any number of tricks will result in the loss of your data. This does not really bring anything new to the table. Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted July 24, 2014 Share Posted July 24, 2014 However, it is an element, and should be talked about. Quote Link to comment Share on other sites More sharing options...
ross549 Posted July 24, 2014 Author Share Posted July 24, 2014 To what end? As I mentioned earlier, this leak of data requires a couple of things to happen first. In that situation, the data could be leaked by any other variety of means. Once the device is in someone else's hands, all bets are off. No one is going to remotely spy on your phone. A hacker cannot use this to gain access to your phone. This is why we have the remote wipe options. If your phone is lost/compromised, simply issue a remote wipe to the device. Your data will be gone. Adam Quote Link to comment Share on other sites More sharing options...
ross549 Posted July 25, 2014 Author Share Posted July 25, 2014 Steve Gibson has broken this down in a high level of detail in this week's Security Now podcast.... https://www.grc.com/sn/sn-465-notes.pdf http://twit.tv/show/security-now/465 Adam Quote Link to comment Share on other sites More sharing options...
crp Posted July 25, 2014 Share Posted July 25, 2014 (edited) i agree with Ross549 on this one - way,way,way much ado about nothing. it is for sure not a hack nor a break in. edit: and i see some of the I.T. media is backing away from their use of the negative terms. Edited July 25, 2014 by crp Quote Link to comment Share on other sites More sharing options...
crp Posted December 4, 2014 Share Posted December 4, 2014 Prosecutors invoke 18th-century All Writs Act to get around thorny problem. http://arstechnica.c...gal-case-shows/ 2 Quote Link to comment Share on other sites More sharing options...
ebrke Posted December 4, 2014 Share Posted December 4, 2014 I'm a little confused--part of the time the article referred to "unlocking" a phone. Unlocking a phone and decrypting data stored on that phone (or it's associated cloud account) are two distinctly separate actions are they not? Or is this just me being obtuse? Quote Link to comment Share on other sites More sharing options...
crp Posted December 5, 2014 Share Posted December 5, 2014 I'm a little confused--part of the time the article referred to "unlocking" a phone. Unlocking a phone and decrypting data stored on that phone (or it's associated cloud account) are two distinctly separate actions are they not? Or is this just me being obtuse? 2 different actions with different legal guidelines. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.