Hidden network packet sniffer in MILLIONS of iPhones, iPads – expert

An analysis of iOS by a security expert digging into claims of the NSA spying on Apple products has revealed some unexplained surveillance tools in the operating system.

His study has also shown that a user’s data may not be as safe as Cupertino is making out.


Data forensics expert and author Jonathan Zdziarski wrote an academic paper on the topic in March, and gave a talk [PDF] at the Hackers On Planet Earth (HOPE X) conference in New York on Friday showing his findings. The results of his research indicate a backdoor into iOS, although it’s not as wide open as some reports have suggested.

“There are certain steps that have to be taken to get this data,” Zdziarski told The Register. “Backdoors are guarded, there are things protecting it – you don’t just type ‘Joshua’ for full access.”

Zdziarski’s analysis shows that 600 million iOS devices, particularly those running the most recent version 7 builds, have data discovery tools that are separate from those used by Apple for standard backup and storage. These include a file-relay service that can snoop out data, bypassing the Backup Encryption service offered by Apple.

This data includes a copy of the user’s address book, stored photos, the voicemail database and audio files, any accounts configured on the device such as iCloud, Facebook or Twitter, a cache of screenshots, keystrokes and the device’s clipboard, GPS data, and – on iOS 7 – a metadata disk sparseimage of the iOS file system.

Zdziarski notes that this is a one-way tool, in that it’s very useful for taking data off the device but not for putting it back on for a backup service. The data is also in too raw a format to be of any use to a Genius Bar tech support team.

In addition there is also, we’re told, a packet sniffer dubbed com.apple.pcapd on the device that fires up without notifying the iOS device’s owner. This can log and export network traffic and HTTP request/response data from the device and could be targeted via Wi-Fi for remote monitoring, Zdziarski said.

This software isn’t some legacy code left on the device by Apple engineers for testing – it has been actively updated and expanded in various iOS revisions, according to Zdziarski.

But it’s not something Apple has talked about, or even documented, and seems to have little to offer other than for those who seek to slurp data off iOS devices. It is separate from the packet-tracing techniques described on the Apple developer website.

When the cops come knocking…

One possibility is that the software is part of the 1994 Communications Assistance for Law Enforcement Act (CALEA), which requires many tech firms to have systems in place to allow properly accredited law enforcement limited access for wiretapping. But Zdziarski told El Reg that the software didn’t look fit for that purpose.

“I think Apple has exceeded any requirements the CALEA law has with these tools,” he said. “The existence of these interfaces exceeds anything that law requires. It could be that there’s some kind of secret court order requiring this, but if there is then the public needs to know about and understand that.”

Of course, to access all these hidden tools you’d need access to the target’s iPhone, and Apple’s security is invincible, right? Not so fast there: Zdziarski has also uncovered a way to get around this that, while hard for hackers, wouldn’t be too tough for law enforcement.

When an iOS device pairs with a desktop system to sync data, the mobile operating system establishes a trusted connection and generates a set of keys and certificates, which it stores in a single pairing-record file on both the PC and the device. Only a factory reset wipes this pairing data from the iOS device.

While pairing is done over USB, if someone has access to this pairing data, the device becomes much easier to crack. The pairing data is exchanged via TCP port 62078, and an attacker could log onto the device in seconds if they share the same Wi-Fi network.
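Because the pairing record on the desktop is what grants this trust, a defender’s first move is to know which records exist and how old they are. The script below is an added example, not code from the article or from Zdziarski; it assumes pairing records are plists named by device identifier in the usual lockdown directories (`/var/db/lockdown` on macOS, `%ProgramData%\Apple\Lockdown` on Windows), and the sample records it writes are constructed fakes.

```python
"""Inventory iOS pairing ("lockdown") records on a desktop and flag stale ones."""
import os
import plistlib
import tempfile
import time
from pathlib import Path

# Assumed default locations of pairing records (not stated in the article).
DEFAULT_DIRS = [
    Path("/var/db/lockdown"),
    Path(os.environ.get("ProgramData", r"C:\ProgramData")) / "Apple" / "Lockdown",
]


def audit_pairing_records(directory, max_age_days=90, now=None):
    """Return one finding per pairing record: device id, age, and whether it is stale.

    A stale record is a trust relationship nobody has used in a while; each one
    is a key to a device that survives until the device is factory reset.
    """
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(directory).glob("*.plist")):
        if path.name == "SystemConfiguration.plist":  # host config, not a device record
            continue
        age_days = (now - path.stat().st_mtime) / 86400
        try:
            with path.open("rb") as fh:
                record = plistlib.load(fh)
        except Exception:  # unreadable or not a plist: still report it
            record = {}
        findings.append({
            "udid": path.stem,                       # records are named <UDID>.plist
            "age_days": round(age_days, 1),
            "has_escrow_bag": "EscrowBag" in record,  # key material that unlocks the device
            "stale": age_days > max_age_days,
        })
    return findings


def make_constructed_sample(now):
    """Write two constructed (fake) pairing records into a temp dir for a dry run."""
    sample_dir = Path(tempfile.mkdtemp())
    for udid, days_old in (("CONSTRUCTED-UDID-FRESH", 3), ("CONSTRUCTED-UDID-OLD", 400)):
        path = sample_dir / f"{udid}.plist"
        with path.open("wb") as fh:
            plistlib.dump({"HostID": "constructed-host-id", "EscrowBag": b"fake"}, fh)
        mtime = now - days_old * 86400
        os.utime(path, (mtime, mtime))
    return sample_dir


if __name__ == "__main__":
    for d in DEFAULT_DIRS:
        if d.is_dir():
            for f in audit_pairing_records(d):
                print(f)
```

Run it with no arguments on a host to list every device that host can unlock; stale entries are candidates for deletion once the devices are no longer in use.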

Getting access to pairing data would be tricky for a hacker working alone, but if law enforcement impounds someone’s desktop, it’s easy for a cop or g-man to crack any iOS device the PC is paired with. If you’re the NSA, with a Tailored Access Operations division that specializes in this sort of thing, getting into Apple’s backdoor is easy as pie.

Zdziarski said he was inspired to delve deeper into iOS security after reading a report in Der Spiegel that the NSA was targeting iOS gadgets and the systems they are paired with. While Zdziarski says he doesn’t want to be sensationalist about his findings, it’s clear Apple owes customers some answers.

Cook & Co were unavailable for comment at time of going to press. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/07/21/ios_firmware_contains_packet_sniffer_and_host_of_secret_spying_tools/
