iOS Security FAQ
Recently, security researcher Jonathan Zdziarski reported what appears to be a deliberately installed backdoor in iOS and criticized Apple sharply for it. Under certain circumstances, a third party can pull personal data off an iPhone or iPad without the user's knowledge or consent.
In response to Zdziarski's analysis, Apple at first denied it, as usual (it later acknowledged that the services exist, describing them as a "diagnostic function").
Related article: Apple admits the existence of iOS "backdoor", but explains that it is just a "diagnostic function"
It is a confusing story, so I have put together a FAQ to sort out the issues.
Is this something to panic about? No. Zdziarski's own blog summary of his findings says, in so many words, "Don't panic."
According to him, this is not the sort of thing an average cybercriminal can readily exploit, and there is no evidence that Apple itself is using it for eavesdropping or any other improper purpose, at least as far as is known right now.
On a different note, if you think the NSA or another state agency is tracking you, such agencies may well have backdoors in place to monitor your digital life. Whether that is the case here is not known, Zdziarski says.
In any case, interesting as the story is, Apple has to explain it.
As the word implies, a backdoor is an unguarded route into a secure system. Recall the scene in the movie "WarGames" in which Matthew Broderick's character gets into WOPR by guessing the backdoor password left by the system's creator (the password, by the way, was the name of the developer's dead son, a classic terrible password).
Zdziarski is a forensics expert who once wrote a book on iPhone development and is also well known for his work on iOS jailbreaks. According to him, three iOS services have unusual access to sensitive data stored on the iPhone. These services are designed to collect that data and dump it over USB or Wi-Fi on request.
None of this was documented, meaning Apple does not disclose it for third-party developers to use. According to Zdziarski, the services are installed and active on roughly 600 million iOS devices. The user is never told the services are running and cannot turn them off.
Worst of all, the services can hand over data unencrypted even if you have set iTunes to encrypt your backups. Zdziarski describes this behavior as "bypassing backup encryption", a deception of the user.
What we know is that the problem arises once the iPhone or iPad has been paired with a trusted device, typically a PC that runs iTunes (connecting Bluetooth accessories or headphones does not count as pairing). That significantly limits the opportunities for attack.
However, pairing can be spoofed. Every pairing exchanges cryptographic keys and certificates between the trusted devices, and on the iPhone side this key material does not go away unless the device is fully restored or reset to factory state.
If your iOS version is earlier than 7 (which is still the case on many iPhones), pairing happens automatically without asking the user anything. (From iOS 7 on, pairing prompts you to confirm that you trust the connected computer.)
According to Zdziarski's March 2014 blog post, when a PC connects to an iPhone (on iOS 7 and earlier in particular) the pairing record it receives amounts to a skeleton key to the phone, and that key and certificate can be copied to another machine whenever an attacker feels like it.
If you are involved in organized crime, the police could take advantage of this, and so could intelligence agencies such as the NSA and the FBI. The problem can also be exploited by pairing with innocuous-looking devices such as a watch or a charger. But as I said earlier, this is not a matter of hackers being able to hijack your iPhone at any time.
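A check that follows from the above: if the pairing record on a host is a skeleton key to the phone, the first thing to know is which pairing records your own computers are holding. The script below is an added example, not code from the article, from Apple or from Zdziarski. It assumes the well-known locations of these records (/var/db/lockdown on macOS, C:\ProgramData\Apple\Lockdown on Windows) and the key names such records carry in practice (HostID, SystemBUID, HostPrivateKey, HostCertificate and so on); the sample record it parses is constructed here with placeholder key bytes, not real key material.

```python
"""Audit the iTunes/lockdownd pairing records stored on a host computer.

Added example (not from the article, Apple or Zdziarski). Pairing records are
property lists the host writes when a device is first trusted; the directory
locations and key names below are what such records use in practice.
"""
import hashlib
import pathlib
import plistlib
from typing import Any, Dict, List

# Where iTunes / usbmuxd keep pairing records on common hosts (assumed well-known paths).
KNOWN_LOCKDOWN_DIRS = [
    "/var/db/lockdown",                 # macOS
    r"C:\ProgramData\Apple\Lockdown",   # Windows
]

# Secret material: whoever holds these can present themselves as this host.
PRIVATE_KEYS = ("HostPrivateKey", "RootPrivateKey")
# Public material the device already knows and will accept.
CERTIFICATES = ("HostCertificate", "RootCertificate", "DeviceCertificate")
# Lives in the same directory on macOS but is not a pairing record.
NOT_A_RECORD = {"SystemConfiguration.plist"}


def summarize_pairing_record(raw: bytes) -> Dict[str, Any]:
    """Parse one pairing record and report what someone who copied it would hold."""
    record = plistlib.loads(raw)
    fingerprints = {
        name: hashlib.sha256(record[name]).hexdigest()[:16]
        for name in CERTIFICATES
        if isinstance(record.get(name), bytes)
    }
    return {
        "host_id": record.get("HostID"),
        "system_buid": record.get("SystemBUID"),
        "wifi_mac": record.get("WiFiMACAddress"),
        "private_keys": [k for k in PRIVATE_KEYS if isinstance(record.get(k), bytes)],
        "certificates": sorted(fingerprints),
        "fingerprints": fingerprints,
        # Host private key plus host certificate is everything needed to be
        # accepted by the device as the trusted computer, over USB or Wi-Fi.
        "usable_alone": "HostPrivateKey" in record and "HostCertificate" in record,
    }


def audit_records(files: Dict[str, bytes]) -> List[Dict[str, Any]]:
    """Summarize a set of {file name: contents}; records are named <UDID>.plist."""
    results = []
    for name in sorted(files):
        if name in NOT_A_RECORD or not name.endswith(".plist"):
            continue
        summary = summarize_pairing_record(files[name])
        summary["udid"] = name[: -len(".plist")]
        results.append(summary)
    return results


def audit_lockdown_dir(directory: str) -> List[Dict[str, Any]]:
    """List every device UDID this host has a stored pairing for."""
    files = {p.name: p.read_bytes() for p in pathlib.Path(directory).glob("*.plist")}
    return audit_records(files)


def build_sample_record() -> bytes:
    """Constructed sample record so the script runs offline; key/cert bytes are
    placeholders, not real PEM/DER material."""
    record = {
        "HostID": "8F2E4A10-0000-4000-8000-000000000001",      # constructed
        "SystemBUID": "7A3C9E55-0000-4000-8000-000000000002",  # constructed
        "WiFiMACAddress": "00:11:22:33:44:55",                 # constructed
        "HostPrivateKey": b"-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n",
        "HostCertificate": b"-----BEGIN CERTIFICATE-----\nplaceholder-host\n-----END CERTIFICATE-----\n",
        "RootCertificate": b"-----BEGIN CERTIFICATE-----\nplaceholder-root\n-----END CERTIFICATE-----\n",
        "DeviceCertificate": b"-----BEGIN CERTIFICATE-----\nplaceholder-device\n-----END CERTIFICATE-----\n",
    }
    return plistlib.dumps(record)


if __name__ == "__main__":
    # Offline demonstration on the constructed record, then the real directories if present.
    sample = {"0123456789abcdef0123456789abcdef01234567.plist": build_sample_record(),
              "SystemConfiguration.plist": b""}
    for entry in audit_records(sample):
        print(entry["udid"], entry["host_id"], entry["private_keys"], entry["usable_alone"])
    for d in KNOWN_LOCKDOWN_DIRS:
        if pathlib.Path(d).is_dir():
            for entry in audit_lockdown_dir(d):
                print(entry["udid"], "usable_alone=%s" % entry["usable_alone"])
```

On a real macOS host the lockdown directory is root-owned, so run the audit with sudo. Every entry reported as usable alone is a complete credential for the corresponding device; if you no longer recognize the UDID, deleting that record forces the host to pair again, which on iOS 7 and later means the device will show its trust prompt on the next connection.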
In his talk at the HOPE X hacker conference in New York last weekend, Zdziarski discussed three services, known by the technical names com.apple.pcapd, com.apple.mobile.file_relay and com.apple.mobile.house_arrest (see his slides from the talk, 58 in all).
The pcapd service does what security experts call "packet sniffing": it records the traffic going into and out of the device. It is hard to see this as a development feature, since it runs whether or not the device is in developer mode, and nothing tells the user when it is active.
"This means that anyone with a pairing record can connect to the target device via USB or Wi-Fi and monitor the network traffic on that device," Zdziarski wrote in his March report.
The file_relay service exists to dump large amounts of data from the iPhone, in unencrypted form. A few years ago file_relay looked harmless: in iPhone OS 2.0 (the predecessor of iOS) it could access only six data sources, including "Apple Support", "Network" and "Crash Reporter".
In iOS 7 that number is 44, mostly concerning the owner's personal information: the address book, account information, GPS logs, a map of the entire iPhone file system, words the user has typed, photos, notes, calendars, call history, voicemail, and other personal data cached in temporary files.
Zdziarski describes file_relay as the single biggest source of access to information about a device's owner, capable of extracting data on the scale sought in law enforcement or espionage. It is no surprise that he calls it "the main backdoor service."
The third service, house_arrest, was originally designed so that iTunes could interact with third-party apps. But it now gives access to far more app-related data, including photos, databases, screenshots and temporary crash files.
It is hard to understand why Apple would open such a wide channel to so much information without the user's permission, but there are possible explanations.
If the purpose is legitimate, Zdziarski suggests, the services might be used by iTunes and Xcode (Apple's IDE), by developers for debugging, or by Apple's technical support. He takes these candidates, developer debugging for example, one by one and rejects them.
They are undocumented, they bypass backup encryption, they access data that is normally inaccessible, and they dump that data without notifying the user. It is very hard to come up with an explanation under which the services serve some benign purpose rather than something like surveillance or eavesdropping. And remember, Apple has kept maintaining the code for these services across several versions of iOS.
Given that Apple's engineering groups are known for a certain amount of internal friction over cooperation, one could imagine that there was no particular intent behind these services and that they simply survived by accident: engineers under pressure to fix technical problems without writing new code, oddly enough, reached for these services to do it.
Is that a plausible explanation? I suspect you think about as much of it as I do. Either way, this is a serious security flaw.
I emailed Apple for comment on the matter, but as usual there has been no answer so far.
However, Apple does seem to have answered Tim Bradshaw of the Financial Times, who tweeted:
Apple statement denies working with “any government agency… to create a backdoor in any of our products”
— Tim Bradshaw (@tim) Jul 22, 2014
This answer is, of course, vague and boilerplate. It does not name pcapd, file_relay or house_arrest; it is just a general statement about device diagnostics. (Later, an Apple spokeswoman did respond to my question, with a notice that the services in question had now been documented.)
Nor does the answer address Zdziarski's basic questions. If these services are diagnostics, why were they never documented? Why can users not refuse to send the information to Apple? Why can they not be turned off?
It is also interesting that Apple felt compelled to deny specifically that it has put a backdoor into its products "by working with government agencies".
Zdziarski has responded, of course. In a blog post on Monday evening he summarized his position:
Every OS has diagnostic functions. But the services in question break Apple's promise to users that "if you set a backup password, your iPhone will output its data only in encrypted form." Users are neither aware of these mechanisms nor notified of anything. The fact that these services leak large amounts of data without the user's consent cannot be justified.
I have asked Zdziarski for further comment, but he has not responded so far (later, Zdziarski said he did not have time to talk at length).
David Hamilton
* This article is reprinted from ReadWrite Japan.