Researcher Jonathan Zdziarski, who is also a forensic scientist and author, has identified many hidden services in Apple iOS devices that can be used to bypass the backup encryption on an iOS device, and that amount to a backdoor. In the slides/paper he published at the Hackers On Planet Earth (HOPE/X) conference in New York, titled "Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices", he reveals many undocumented and hidden features and services on Apple iOS devices.
Who is Zdziarski
Zdziarski, also known as the hacker "NerveGas" in the iPhone development community, worked as a dev-team member on many of the early iOS jailbreaks and is the author of five iOS-related O’Reilly books, including "Hacking and Securing iOS Applications."
Undocumented iOS services exposed by Zdziarski (such as "lockdownd," "pcapd" and "mobile.file_relay") can bypass encrypted backups and be accessed via USB, Wi-Fi and "maybe cellular." Most suspicious about the undocumented services is that they are not referenced in any Apple software.
Zdziarski found that there are many services on iOS devices which have no reason to be on the device, and several of these services have the ability to bypass iOS backup encryption.
file_relay Backdoor
One of the services in iOS, called mobile.file_relay, can be accessed remotely or through a USB connection and can be used to bypass backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via Data Protection can be accessed, whether by an attacker or by law enforcement, Zdziarski said.
HTTP Packet Capturing
Moreover, Zdziarski, who has designed several methods for recovering forensic data from iOS devices, also noted that there is a packet capturing tool present on every iOS device. This tool dumps all inbound and outbound HTTP data of the device, and it runs silently in the background without notifying the user.
There is another tool, file_relay, which has the ability to dump a list of email and social media accounts, the address book, screenshots, the keyboard typing cache, copy/paste data and other personal data. The tool can also provide a log of periodic location snapshots from the device.
The last slides of the published PDF make the following points:
- Apple is dishing out a lot of data behind users’ backs
- It’s a violation of the customer’s trust and privacy to bypass backup encryption
- There is no valid excuse to leak personal data or allow packet sniffing without the user’s knowledge and permission.
- Much of this data simply should never come off the phone, even during a backup.
- Apple has added many conveniences for enterprises that make tasty attack points for .gov and criminals
The researcher says that some of the undocumented services are similar to the NSA tool DROPOUTJEEP, which was revealed by the Edward Snowden leaks.
Recommendations for Users
Regarding the security concerns, Zdziarski recommends several measures:
- Set a complex passcode
- Install the Apple Configurator application
- Set enterprise Mobile Device Management (MDM) restrictions on your device
At this time Apple has not commented on these revelations; we will update this post as further details emerge.