Researcher Reveals: All iOS Devices Allow Access to All Data Through Hidden Services


Jonathan Zdziarski presented how all iOS devices run undocumented, hidden services created by Apple that allow access to all data on your device, even encrypted data. His slides are available here. Below I have summarized some of the more interesting parts and tried to put them in less technical terms.

Highlights 

  • Apple has worked hard to make iOS devices reasonably secure against typical attackers
  • Apple has worked hard to ensure that Apple can access data on end-user devices on behalf of law enforcement
  • Almost all native application / OS data is encrypted with a key
  • As of iOS 7, third party documents are encrypted, but Library and Caches folders are usually not
  • Once the device is first unlocked after reboot, most of the encrypted data can be accessed until the device is shut down
  • The undocumented services running on every iOS device help make this possible
  • Your device is almost always at risk of spilling all data, since it’s almost always authenticated, even while locked

Undocumented Services Overview

  • Accessed through lockdownd, requiring pairing authentication
  • iOS 7 trust dialog helps, but third party accessories are making people stupid again
  • Bypasses “Backup Encryption” mechanism provided to users
  • Can be accessed both via USB and wirelessly (WiFi, maybe cellular); networks can be scanned for a specific target
  • If device has not been rebooted since user last entered PIN, can access all data encrypted with data-protection (third party app data, etc)
  • Other (more legitimate) services enable software installation, APN installation (adding proxy servers) for continued monitoring
  • A number of commercial law enforcement forensic manufacturers have started tapping these services:
    • Cellebrite
    • AccessData (Mobile Phone Examiner)
    • Elcomsoft
  • A number of private tools and source are out there as well to take advantage of these services

Ransomware on your iPhone?  Oh my!  Using your own iOS pictures for blackmail? OH MY!!

The undocumented and hidden services your i-device is running that Apple never told you about

First service: com.apple.mobile.file_relay

  • Completely bypasses Apple’s backup encryption for end-user security
  • Very intentionally placed by Apple and intended to send data from the device by request
  • Can collect data from the phone that the user has deleted but that still remains on the device because the memory has not been reused yet
  • This undocumented, hidden service can collect and send any and all data on your device, including data you probably didn’t know your device even kept; the list is too long to include here

Second Service: com.apple.mobile.house_arrest

  • Allows access to the Library, Caches, Cookies, Preferences folders as well
  • These folders provide highly sensitive account storage, social/Facebook caches, photos and other data stored in “vaults”, and much more

Additional services:

com.apple.iosdiagnostics.relay Provides detailed network usage per-application on a per-day basis

com.apple.mobile.installation_proxy Given an enterprise certificate, can use this to load custom software onto the device (which can run invisibly and in the background)

com.apple.syslog_relay Syslog, provides a lot of details about what the device is doing, and often leaks user credentials from 3rd party apps via NSLog()

Already documented and fairly public method of using these undocumented services 

DROPOUTJEEP – a software implant for iPhones that allows for the ability to remotely copy or place files on a device, retrieve text messages, contacts, voicemail and location information, and turn on the mic, camera and cell tower location.  Requires “close access” for implant, which means they don’t need to physically touch the device; Bluetooth or WiFi might be ‘close enough’.  Data extraction is done over GPRS (essentially cellular) or through text messaging.  Ironically, all communication with the implant is “covert and encrypted”.

If you want to close off some of these attack surfaces, there is a simple and free solution from Apple called Apple Configurator that will allow you to prevent your device from pairing with other devices.
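One way to confirm that a configuration profile really carries the pairing lock-down described above: this is an added example, not code from Zdziarski's slides or from Apple. It assumes an unsigned .mobileconfig whose Restrictions payload (`com.apple.applicationaccess`) uses the `allowHostPairing` key, which applies to supervised devices; the helper names and the sample profiles are constructed for illustration.

```python
import plistlib

RESTRICTIONS = "com.apple.applicationaccess"  # Restrictions payload type

def make_profile(allow_host_pairing):
    """Build a constructed sample profile; None omits the key entirely."""
    restrictions = {
        "PayloadType": RESTRICTIONS,
        "PayloadIdentifier": "example.constructed.restrictions",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
    }
    if allow_host_pairing is not None:
        restrictions["allowHostPairing"] = allow_host_pairing
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.constructed.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadVersion": 1,
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)

def host_pairing_status(profile_bytes):
    """Return 'blocked', 'allowed' or 'unset' for an unsigned .mobileconfig."""
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception:
        # Signed profiles are CMS-wrapped and must be unwrapped before auditing
        raise ValueError("not a readable plist")
    if not isinstance(profile, dict):
        raise ValueError("profile root is not a dictionary")
    values = [
        payload["allowHostPairing"]
        for payload in profile.get("PayloadContent", [])
        if isinstance(payload, dict)
        and payload.get("PayloadType") == RESTRICTIONS
        and "allowHostPairing" in payload
    ]
    if not values:
        return "unset"  # key absent: pairing with new hosts stays permitted
    # Conservative audit: any payload that sets the key to true is a finding
    return "blocked" if all(v is False for v in values) else "allowed"

if __name__ == "__main__":
    for label, value in (("hardened", False), ("weak", True), ("missing", None)):
        print(label, host_pairing_status(make_profile(value)))
```

A result of "unset" deserves the same attention as "allowed": a profile that never mentions the key leaves the trust dialog as the only barrier to a new pairing.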

Report: Rare leaked NSA source code reveals Tor servers targeted | Ars Technica


*Note: the code has not actually been leaked to the public.  I personally wouldn’t expect it to be made public anytime soon.

Two Germany-based Tor Directory Authority servers, among others, have been specifically targeted by the National Security Agency’s XKeyscore program, according to a new report from German public broadcaster ARD. Tor is a well-known open source project designed to keep users anonymous and untraceable—users’ traffic is encrypted and bounced across various computers worldwide to keep it hidden.

This marks the first time that actual source code from XKeyscore has been published. ARD did not say how or where it obtained the code. Unlike many other NSA-related stories, the broadcaster did not specifically mention the information being part of the trove leaked by whistleblower Edward Snowden.

XKeyscore is one of the high-level NSA surveillance programs that have been revealed via Snowden over the last year. The interface allows NSA and allied intelligence agencies to search all kinds of short-term data captured directly off of various Internet Exchanges worldwide.

This new code, which was published on Thursday, appears to flag people who are believed to live outside the United States and who request Tor bridge information via e-mail or who search for or download Tor or the security-minded TAILS operating system. Those users’ IP addresses can then be tracked for further monitoring.

The report’s authors include Jacob Appelbaum, a well-known American computer security researcher who has taken up residence in Berlin. Appelbaum is also a paid employee of the Tor Project. Two others listed as authors are either contractors or volunteers to Tor.

“Their research in this story is wholly independent from the Tor Project and does not reflect the views of the Tor Project in any way,” ARD stated in a disclosure. “During the course of the investigation, it was further discovered that an additional computer system run by Jacob Appelbaum for his volunteer work with helping to run part of the Tor network was targeted by the NSA. Moreover, all members of this team are Tor users and appear to have been targets of the mass surveillance described in the investigation.”

The code specifically cites IP addresses of the Tor Directory Authority—these servers act as the nine high-level control points that make up the backbone of the Tor Network. These authorities are what keep track of new Tor relays, and they are updated every hour.

Tor was originally developed as part of the Onion Routing project at the US Naval Research Laboratory. While today it exists as an independent nonprofit organization headquartered in Massachusetts, it still receives 60 percent of its income (PDF) from US government sources. Tor is used by journalists, law enforcement, military officers, and activists worldwide.

Another rule in the published code shows that the NSA is also targeting users of an anonymous e-mail program called MixMinion, which is hosted on a server at the Massachusetts Institute of Technology. Roger Dingledine, who is the head of the Tor Project, also runs this MixMinion server.

Vanee Vines, the spokeswoman for the NSA, responded to Ars’ request for comment with the same statement that she provided to ARD:

In carrying out its mission, NSA collects only what it is authorized by law to collect for valid foreign intelligence purposes—regardless of the technical means used by foreign intelligence targets. The communications of people who are not foreign intelligence targets are of no use to the agency.

In January, President Obama issued U.S. Presidential Policy Directive 28, which affirms that all persons—regardless of nationality—have legitimate privacy interests in the handling of their personal information, and that privacy and civil liberties shall be integral considerations in the planning of U.S. signals intelligence activities.

The president’s directive also makes clear that the United States does not collect signals intelligence for the purpose of suppressing or burdening criticism or dissent, or for disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion.

XKeyscore is an analytic tool that is used as a part of NSA’s lawful foreign signals intelligence collection system. Such tools have stringent oversight and compliance mechanisms built in at several levels. The use of XKeyscore allows the agency to help defend the nation and protect U.S. and allied troops abroad.

All of NSA’s operations are conducted in strict accordance with the rule of law, including the President’s new directive.