Apple acknowledged that its iOS operating system for iPhones and iPads contains several previously undisclosed “diagnostic capabilities”—services that an iOS forensics expert recently described as “backdoors” that could allow broad access to a user’s personal data on those devices under certain circumstances.
The issue involves problematic iOS services identified several months ago by Jonathan Zdziarski, the forensics expert who is also a one-time iOS jailbreaker and the author of several books on iPhone development. Zdziarski gave a presentation on his findings last weekend and published the slide deck to his talk, which drew wider attention to his findings. (See our FAQ about Zdziarski’s backdoor findings here.)
Through The Backdoor
The three backdoors Zdziarski highlighted in his talk are present in 600 million iPhones and iPads, and are capable of accessing a great deal of personal information and then dumping it off the phone to a “trusted” device, such as the desktop computers many iPhone users plug their devices into. The backdoors can only be accessed via such trusted devices, limiting the danger of exploit—although that trust mechanism itself could also be spoofed by a determined attacker.
Until last night, Apple had apparently never described these iOS services publicly. Zdziarski reported the services do not notify users when they begin accessing personal data; do not require the consent of users if they access personal data; and cannot be turned off by users.
In a support document released Tuesday night, Apple described the three backdoors as “diagnostic capabilities to help enterprise IT departments, developers, and AppleCare troubleshoot issues” and offered a few details about each:
pcapd supports diagnostic packet capture from an iOS device to a trusted computer. This is useful for troubleshooting and diagnosing issues with apps on the device as well as enterprise VPN connections. You can find more information at developer.apple.com/library/ios/qa/qa1176.
file_relay supports limited copying of diagnostic data from a device. This service is separate from user-generated backups, does not have access to all data on the device, and respects iOS Data Protection. Apple engineering uses file_relay on internal devices to qualify customer configurations. AppleCare, with user consent, can also use this tool to gather relevant diagnostic data from users’ devices.
house_arrest is used by iTunes to transfer documents to and from an iOS device for apps that support this functionality. This is also used by Xcode to assist in the transfer of test data to a device while an app is in development.
Apple’s support document acknowledges that a third party can access these services wirelessly via Wi-Fi from a trusted device, as Zdziarski had previously reported. It neither confirms nor denies Zdziarski’s finding that these three services operate without the knowledge or explicit consent of the user.
Apple also claims a much more limited role for the file_relay service than Zdziarski found, saying it is used only for “limited copying of diagnostic data from a device.” Zdziarski, by contrast, reported that file_relay has access to 44 data sources within an iPhone, including highly personal information as call records, SMS text messages, voicemail, GPS logs and more. Such personal information has little in common with diagnostic data in most cases.
In a blog post reply, Zdziarski criticized Apple for being “completely misleading” in some of its descriptions and for failing to address his other concerns such as user consent and notification. But he also acknowledged that Apple will probably begin fixing those issues behind the scenes:
All the while that Apple is downplaying it, I suspect they’ll also quietly fix many of the issues I’ve raised in future versions. At least I hope so. It would be wildly irresponsible for Apple not to address these issues, especially now that the public knows about them.
(Zdziarski’s blog is having server problems; here’s a cached version of his reply to Apple should you need it.)
I’ve asked Apple for further clarification, and will update if and when I hear back from the company.