Apple Snuck Backdoor Surveillance Tools Into Their (i.e. Your) iOS

Innovation did not die with Steve Jobs. Apple has quietly installed data discovery software, including a file-relay service that hands over data in the clear regardless of whether backup encryption is switched on, in around 600 million iPhones, iPads, and other devices running its latest iOS. You are correct to surmise that this has been a boon to law enforcement.

Jonathan Zdziarski, known in the iPhone development community by his hacker name NerveGas, delivered a detailed analysis of the software tools at the Hackers On Planet Earth (HOPE/X) conference in New York last weekend. From ZDNet:

What's most suspicious about the undocumented services (and the data they collect) is that they're not referenced in any Apple software, the data is personal in nature (thus unlikely to be for debugging) and is stored in raw format, making it impossible to restore to the device (making it useless to carriers or during a trip to the Genius Bar).

Zdziarski further pointed out in his HOPE/X talk that these services are available without a "developer mode," ruling out "developer tool" as one of their potential purposes.

These kinds of point-by-point refutations are going to become integral to the greater public discourse on this suspicious impropriety, as Apple has already started issuing obfuscating public statements about its skullduggerous toolkit. Earlier this week, for example, the company told the readers of Macworld:

"We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues," an Apple spokesperson told Macworld. "A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent."

The company also reiterated its stance that it doesn't compromise its systems for the purpose of providing those access points to the authorities: "As we have said before, Apple has never worked with any government agency from any country to create a backdoor in any of our products or services."

Exercising an abundance of caution, it would appear that, or (if you prefer) it seems like, Apple is lying.


As Zdziarski (pictured at left) points out in a follow-up to Apple's press release, the services he described, house_arrest, pcapd and file_relay, all reached through lockdownd, the daemon that manages a device's pairings, operate whether or not users have switched on "Send Diagnostic Data to Apple." They also operate regardless of whether the device has been enrolled in corporate oversight under some enterprise management policy.

"There is no way to disable these mechanisms," he writes. "As a result, every single device has these features enabled and there's no way to turn them off, nor are users prompted for consent to send this kind of personal data off the device. This makes it much harder to believe that Apple is actually telling the whole truth here."

Granted, the 1994 Communications Assistance for Law Enforcement Act (CALEA) requires telecommunications carriers, and the manufacturers of the equipment they run, to build in systems that give law enforcement limited, warranted wiretap access. However:

"I think Apple has exceeded any requirements the CALEA law has with these tools," Zdziarski told reporter-boffins at UK's The Register. "The existence of these interfaces exceeds anything that law requires. It could be that there's some kind of secret court order requiring this, but if there is then the public needs to know about and understand that."

In presumption of just such a secret court order, some commentators have hyperbolically leapt to the conclusion that Apple, celebrated makers of the iPod music pod, plotted to insert this software in formal cahoots with the National Security panopticon of the United States. Not so. At least, not provably so, at this juncture.

"Please remember my talk was titled 'iOS Back Doors, Attack Points, and Surveillance Mechanisms', NOT 'iOS Back Doors Written for NSA'," Zdziarski clarified on his blog. He further elaborated on these fine distinctions to Black Bag via email:

Apple's claim is "diagnostics"; I'm not saying I agree with them. Diagnostics doesn't need to hand over so much personal information… but at the same time jumping straight into conspiracy theory isn't completely fair either. While I haven't personally ruled that out, it could very likely be extremely sloppy engineering too. If we could get Apple to show us these alleged tools that they use to deliver AppleCare service to customers, maybe it would help understand why they need my complete photo album or SMS database to provide tech support.

Cold comfort (though precision is always appreciated), given that the NSA's Tailored Access Operations division has been working on methods of exploiting these kinds of attack points since at least 2008. That is the year on the classified document describing the NSA's DROPOUTJEEP iPhone software implant, published last year by Der Spiegel from (all together now) the trove of documents leaked by NSA whistleblower Edward Snowden.


The services Zdziarski has described cannot be reached by just anyone with a cable. A computer first has to be paired with the device, which, as Apple's own statement says, means the device is unlocked and the user has agreed to trust that computer. That hurdle is nontrivial, but it is paid once: a pairing persists until the device's settings are reset, and the paired computer can afterwards reach the same services over Wi-Fi (and, Zdziarski argues, potentially over cellular networks) with no cable and no further prompt. The pairing record itself, the keys and certificates the trusted computer stores, could also conceivably be lifted from that computer and replayed from another one, maybe even through the efforts of skilled laborers in the intelligence field whose job it is to tailor access somehow.
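The practical check that follows from this is to find out which pairing records your own computers are holding, since each one is a standing credential for a device. The script below is an added example, not code from the article or from Zdziarski's talk. It assumes the pairing-record directories normally used by iTunes on macOS and Windows and by usbmuxd/libimobiledevice on Linux (adjust the list if your setup differs), and it parses a record constructed here with fake identifiers and placeholder key bytes rather than a real device's record. It flags a record as replayable when it carries the host and root private keys, because that is what lets a second machine present itself as the trusted computer.

```python
"""Audit the iOS pairing records a host computer holds.

Added example, not code from the original article or from Zdziarski's talk.
A pairing record is the file a "trusted" computer keeps after the user taps
"Trust" on the device; whoever holds that file can re-establish the trust
relationship, and so reach lockdownd's services, without unlocking the device
again. Assumptions, labelled: PAIRING_DIRS are the usual record locations for
iTunes (macOS, Windows) and usbmuxd/libimobiledevice (Linux); SAMPLE_RECORD is
constructed here and does not come from a real device.
"""
import os
import plistlib
from dataclasses import dataclass

# Usual pairing-record directories; adjust for your environment (assumption).
PAIRING_DIRS = (
    "/var/db/lockdown",                # macOS
    "/var/lib/lockdown",               # Linux (usbmuxd / libimobiledevice)
    r"C:\ProgramData\Apple\Lockdown",  # Windows
)

# With both of these, a second host can present itself as the trusted computer.
PRIVATE_KEY_FIELDS = ("HostPrivateKey", "RootPrivateKey")


@dataclass(frozen=True)
class PairingRecordSummary:
    udid: str          # file name minus .plist, i.e. the paired device's identifier
    host_id: str
    wifi_mac: str
    has_private_keys: bool
    has_escrow_bag: bool


def summarize_record(udid: str, raw: bytes) -> PairingRecordSummary:
    """Parse one pairing-record plist and note what an attacker would get from it."""
    rec = plistlib.loads(raw)
    return PairingRecordSummary(
        udid=udid,
        host_id=str(rec.get("HostID", "?")),
        wifi_mac=str(rec.get("WiFiMACAddress", "?")),
        has_private_keys=all(k in rec for k in PRIVATE_KEY_FIELDS),
        has_escrow_bag="EscrowBag" in rec,
    )


def describe(s: PairingRecordSummary) -> str:
    """One report line per record, flagging records that can be replayed."""
    flags = []
    if s.has_private_keys:
        flags.append("private keys present")
    if s.has_escrow_bag:
        flags.append("escrow bag present")
    if s.wifi_mac != "?":
        flags.append(f"wifi mac {s.wifi_mac}")
    verdict = "REPLAYABLE" if s.has_private_keys else "incomplete"
    return f"{s.udid}: host {s.host_id} [{verdict}] " + ", ".join(flags)


def audit_directory(path: str) -> list:
    """Summarize every device pairing record under one directory."""
    out = []
    if not os.path.isdir(path):
        return out
    for name in sorted(os.listdir(path)):
        # SystemConfiguration.plist holds the host's own SystemBUID, not a device record.
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue
        with open(os.path.join(path, name), "rb") as fh:
            out.append(summarize_record(name[: -len(".plist")], fh.read()))
    return out


# Constructed sample record: fake identifiers and placeholder key material.
SAMPLE_UDID = "00008020-000000000000002E"
SAMPLE_HOST_ID = "1C6E7E8A-0B3C-4C1D-9F2E-0A1B2C3D4E5F"
SAMPLE_RECORD = plistlib.dumps({
    "DeviceCertificate": b"placeholder device certificate",
    "HostCertificate": b"placeholder host certificate",
    "RootCertificate": b"placeholder root certificate",
    "HostPrivateKey": b"placeholder host private key",
    "RootPrivateKey": b"placeholder root private key",
    "EscrowBag": b"\x00" * 32,
    "HostID": SAMPLE_HOST_ID,
    "SystemBUID": "00000000-0000-0000-0000-000000001234",
    "WiFiMACAddress": "a4:5e:60:00:00:01",
})

if __name__ == "__main__":
    print(describe(summarize_record(SAMPLE_UDID, SAMPLE_RECORD)))
    for directory in PAIRING_DIRS:
        for summary in audit_directory(directory):
            print(describe(summary))
```

Run it on a machine that has synced with an iPhone and every line marked REPLAYABLE is a device that machine, or anyone who copies the file, can reach without the device's owner being asked again; deleting records for devices you no longer own, and resetting trust on the device, is the corresponding cleanup.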

Beyond government actors, Zdziarski's presentation points out, alarmingly, that several private companies specializing in forensic software, Cellebrite, AccessData and Elcomsoft, are already making profitable use of these hidden services, selling their wares to law enforcement agencies at a generous markup.

Cellebrite's products were at the center of a minor constitutional crisis between the ACLU and the Michigan State Police over the legality of using their data-extraction capabilities at traffic stops without a warrant. (Warrantless searches of phones seized from arrestees were later held unconstitutional by the Supreme Court in an unrelated California case, Riley v. California.) Over a decade ago, Moscow-based Elcomsoft argued in court that it could not be tried for violating the DMCA, because neither the Internet nor Russia is part of the United States. So, to be frank, the people profiting off of these undocumented iOS services are weirdo data pirates operating out of some pretty cyberpunk legal grey areas.

"What more can you tell me about Old 'NerveGas' Zdziarski," the lay reader may be wondering, "whom you quote with such reckless confidence throughout this piece?"

Well, Jonathan Zdziarski is a digital forensics and security researcher, specializing in iOS, who has authored five iOS-related O'Reilly books including "Hacking and Securing iOS Applications." He has participated in red-team penetration tests, probing IT security for financial and government sector clients; consulted law enforcement agencies on high profile cases, as well as trained and assisted federal, state and local agencies internationally; he worked on the dev-team for several of the early iOS jailbreaks. This may be overstating the case, but he seems like some kind of original badass.

It will be interesting to see how They deal with him.

[photo via iDesignArch; Jonathan Zdziarski giving his talk, Bayesian Noise Reduction, at a 2005 spam conference via Gerald Oskoboiny; DROPOUTJEEP document via Der Spiegel.]