Threat Thursday: iOS Backdoors Confirmed by Apple, Swiss Banks Hammered, BlackHat Session Chatter

07/24/2014

Security researcher Jonathan Zdziarski recently presented a session at the Hackers On Planet Earth (HOPE) conference titled Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices, in which he revealed the discovery of multiple undocumented forensic processes that are installed and running on all iOS devices, ostensibly for legitimate data collection purposes.

The question remains as to exactly who these backdoors are intended to be used by and what kinds of information they are collecting. Given the current environment regarding data collection, government surveillance, and companies building such processes into firmware, operating systems and applications, it is worth taking a minute to better understand the implications of this revelation.

In a nutshell, an iOS device can be paired with a computer over a USB connection, during which the two sides exchange certificates; that pairing relationship is then maintained, without any further prompting, until the iOS device is wiped clean and/or the associated computer undergoes a factory reset.

The controversy lies in the possibility that an iOS device could be surreptitiously paired with a rogue computer without the owner's knowledge. Although several caveats make this difficult for the average hacker, many are concerned that government agencies, with nearly unlimited resources, could undertake such operations against selected (or non-selected) targets.
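Because the pairing record stored on the computer side is what keeps the relationship described above alive, the first check a device owner can make is to see which devices the computers they use hold pairing records for. The following audit script is an added example and is not code from the original post or from Zdziarski's research. It assumes the record locations (/var/db/lockdown on macOS, C:\ProgramData\Apple\Lockdown on Windows, one <UDID>.plist per device) and the key names (HostID, SystemBUID, HostCertificate, HostPrivateKey, EscrowBag, WiFiMACAddress) that the libimobiledevice project documents for Apple's lockdown pairing records; the sample record it builds is constructed placeholder data, not a real pairing.

```python
import os
import plistlib
import tempfile

# Where iTunes/usbmuxd keep one pairing record per device, named <UDID>.plist.
# Assumption (not from the original post): these paths and the record keys
# follow the lockdown record format documented by the libimobiledevice project.
PAIRING_DIRS = [
    "/var/db/lockdown",                   # macOS
    r"C:\ProgramData\Apple\Lockdown",     # Windows
]

# Keys whose presence matters for an audit. Assumption: a record carrying the
# host certificate, host private key and escrow bag is what lets that host
# resume a trusted lockdown session with the device without a new pairing.
SENSITIVE_KEYS = ("HostCertificate", "HostPrivateKey", "EscrowBag")


def parse_pairing_record(path):
    """Return a summary dict for one lockdown pairing record."""
    with open(path, "rb") as f:
        rec = plistlib.load(f)          # handles both XML and binary plists
    udid = os.path.splitext(os.path.basename(path))[0]
    return {
        "udid": udid,
        "host_id": rec.get("HostID"),
        "system_buid": rec.get("SystemBUID"),
        "wifi_mac": rec.get("WiFiMACAddress"),
        "sensitive_keys": [k for k in SENSITIVE_KEYS if k in rec],
        # file mtime approximates when the pairing was last (re)written
        "mtime": os.path.getmtime(path),
    }


def audit_pairings(directory):
    """Summarise every pairing record in a lockdown directory."""
    out = []
    for name in sorted(os.listdir(directory)):
        # SystemConfiguration.plist holds the host's own SystemBUID, not a pairing
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue
        out.append(parse_pairing_record(os.path.join(directory, name)))
    return out


def build_sample_dir():
    """Constructed sample data so the audit runs offline (not a real record)."""
    d = tempfile.mkdtemp()
    fake = {
        "HostID": "F0E1D2C3-0000-4000-8000-000000000001",
        "SystemBUID": "11111111-2222-3333-4444-555555555555",
        "WiFiMACAddress": "00:11:22:33:44:55",
        "HostCertificate": b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
        "HostPrivateKey": b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
        "EscrowBag": b"\x00" * 16,
    }
    udid = "0" * 40                       # placeholder 40-hex-digit UDID
    with open(os.path.join(d, udid + ".plist"), "wb") as f:
        plistlib.dump(fake, f)
    with open(os.path.join(d, "SystemConfiguration.plist"), "wb") as f:
        plistlib.dump({"SystemBUID": fake["SystemBUID"]}, f)
    return d


def audit_host():
    """Audit whichever real lockdown directory exists on this machine, if any."""
    for d in PAIRING_DIRS:
        if os.path.isdir(d):
            return audit_pairings(d)
    return []


if __name__ == "__main__":
    for rec in audit_pairings(build_sample_dir()) + audit_host():
        print(rec["udid"], rec["host_id"], rec["sensitive_keys"])
```

Reading /var/db/lockdown normally requires root. A record for a UDID you do not recognise, or a record newer than the last time you knowingly connected the device, is the thing to follow up on; note that deleting the file only removes the host's copy, and per the post the device itself keeps the relationship until it is wiped.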

The point of Zdziarski's talk was that these processes are in place on iOS devices, and Apple perhaps should first explain why the processes were not designed to be more secure and then should take steps to ensure the processes cannot be abused.

"Its sole purpose is to dish out data, bypass backup encryption, and give you almost the same amount of personal data you get from a backup on the phone, in some cases even more. We really need someone at Apple to step up and explain why this is here. There's no logical reason why it should be there on 600 million devices," Zdziarski told ArsTechnica.

Apple stepped up and did that to an extent, but it still has a long way to go to satisfy Zdziarski's concerns, as he outlined in a response article posted Wednesday of this week. There he stresses that his original talk was in no way an attempt to implicate Apple in some nefarious conspiracy to backdoor users' devices, but that there are exploitable elements in the way Apple has designed these processes that need to be addressed.

"Please remember my talk was titled "iOS Back Doors, Attack Points, and Surveillance Mechanisms", NOT "iOS Back Doors Written for NSA". I have outlined some services I believe are back doors (such as file relay), and Apple has all but confirmed this by stating that their purpose is for Apple to access your data (thank you, Apple, for acknowledging that)," Zdziarski wrote.

"I have also outlined many things in my talk that are not back doors, but are attack points and (enterprise) surveillance mechanisms that could be taken advantage of."

In addition to Zdziarski's take on Apple's disclosures, Norse's DarkWolf Labs analysts have offered the following on what should and should not be of concern:

  • The engineering, design, and development of products and devices must take privacy and security implications into consideration from the design phase, and not merely leave them for Ops to handle. While these might be great capabilities to include, providing no notification or information to the end user (or to the owning company, for corporate devices) could give the appearance of dishonesty in the worst case, or, in the best case, suggest that the development teams are not communicating with the product teams.
  • It raises the question of who really "owns" the device and the included processes: are we just renting the technology while the vendor retains complete control over what the 'owner' can view, see or do on the device? The owner must be able to see what is happening on their device if they wish to do so. Vendor lock-in may be a desirable business tactic, but it limits functionality and openness for the end user.
  • Nothing in the above-mentioned analysis or research gives the impression that the added functionality was included for illicit activities or exploitation by outside organizations. Nonetheless, the functionality discovered could be used with good or bad intent, which increases the privacy and security risks for the end users and companies employing these devices. We should expect, and should be granted, full disclosure regarding all capabilities any technology provides, and then be able to opt in when desired, not opt out.

And don't forget to come by the Norse booth (#465) at the upcoming BlackHat conference in Las Vegas, and be sure to register for both of our parties at Mandalay Bay - details and RSVP forms here:

Blackhat Wednesday NorsePunk Party Wed Aug 6th RX BOILER ROOM

Blackhat Thursday Norse Cocktail Attack Party Thurs Aug 7th EYECANDY LOUNGE

Security News

Here's a sampling of some of this past week's most interesting security stories:

Be sure to check back next week for our next Threat Thursday blog update!
