from the how-secure-do-you-think-you-really-are dept.
Ars Technica published an article on Monday, "Undocumented iOS functions allow monitoring of personal data, expert says", that should give pause to any owner of an iOS device.
Apple has endowed iPhones with undocumented functions that allow unauthorized people in privileged positions to wirelessly connect and harvest pictures, text messages, and other sensitive data without entering a password or PIN, a forensic scientist warned over the weekend.
Jonathan Zdziarski, an iOS jailbreaker and forensic expert, told attendees of the Hope X conference that he can't be sure Apple engineers enabled the mechanisms with the intention of accommodating surveillance by the National Security Agency and law enforcement groups.
Slides of Zdziarski's talk, titled "Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Devices", are here (PDF).
"Its sole purpose is to dish out data, bypass backup encryption, and give you almost the same amount of personal data you get from a backup on the phone, in some cases even more," he said. "We really need someone at Apple to step up and explain why this is here. There's no logical reason why it should be there on 600 million devices."
(Score: 3, Interesting) by aristarchus on Tuesday July 22 2014, @09:13AM
Well, this is just great! What is an iOS? Do I have one? No? So why should I care about persons idiotic enough to pay EXTRA to be spied upon? Think different, 1984, all that. My gosh, irony is truly dead. Killed, run over, backed over, tased, and defenestrated.
(Score: 4, Informative) by migz on Tuesday July 22 2014, @10:42AM
You should care because now you are not just a paranoid hater. You now have evidence.
Do you guys realize how big a deal this is?
(Score: 0) by Anonymous Coward on Tuesday July 22 2014, @09:18AM
iYou imean ieverything ithat istarts iwith ian "i" iisn't iperfect in ievery ipossible iway?
(Score: 2) by nightsky30 on Tuesday July 22 2014, @05:45PM
Reading that caused physical pain behind my left eye. Thank you for that.
(Score: 3, Interesting) by cafebabe on Tuesday July 22 2014, @10:17AM
"We shall prevail!"
1702845791×2
(Score: 3, Interesting) by Popeidol on Tuesday July 22 2014, @10:57AM
So to access these services, you need to have a copy of the digital keys generated, which can be obtained from a device or computer that's been paired with the phone. That barrier makes it less likely it's an NSA free-for-all data dump, and more likely that it's a useful feature implemented with fewer privacy controls than it needed. Being able to remotely pull files from your device is pretty handy, and correctly executed it's more secure than having all your data synced up to the cloud.
Example: you've synced your iWatch up with your iPhone and iPad, and it talks to your phone over Bluetooth. You leave your phone on the desk and go wandering around the office. Maybe you go out to lunch. But your iWatch is still in communication with your phone and can even pull local files from it as required, like that song you were just trying to remember the name of.
I also wouldn't be surprised if it was linked into their recent enterprise push. An MDM server that allows you to pull devices and records from individual phones? That's a feature some big business would love: you could have a web interface that pulled call records from all phones in the company in near-real time and checked them against a known phone number blacklist, or the GPS log from each device to see if anybody ever went near the house of the reporter who managed to get a copy of your latest prototype.
tl;dr: possible legitimate uses, but insecure execution of the idea. The fact that these services exist but no examples of it being used legitimately have come to light makes me suspicious though.
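The pairing keys the comment above describes live in pairing-record plists on every computer the phone has ever trusted, so a practical defensive step is to inventory them and remove the ones you no longer recognise. The script below is an added example, not code from the article or the talk; the /var/db/lockdown path, the plist keys (HostID, WiFiMACAddress, EscrowBag) and the 90-day staleness threshold are assumptions from my own knowledge of lockdownd, and the sample records it builds are constructed.

```python
"""Inventory iOS pairing records on a host; each one lets that computer reach the phone's services without the passcode."""
import os
import plistlib
import tempfile
import time
from pathlib import Path

# macOS lockdownd keeps one <UDID>.plist per paired device here (assumption;
# Windows uses %ProgramData%\Apple\Lockdown). The threshold is a constructed choice.
DEFAULT_LOCKDOWN_DIR = Path("/var/db/lockdown")
STALE_AFTER_DAYS = 90


def inspect_record(path, now=None):
    """Summarise one record: paired host, age, and whether it carries an
    EscrowBag (which lets that host talk to the device while it is locked)."""
    now = time.time() if now is None else now
    path = Path(path)
    with open(path, "rb") as fh:
        record = plistlib.load(fh)
    age_days = (now - path.stat().st_mtime) / 86400
    return {"udid": path.stem, "host_id": record.get("HostID"),
            "wifi_mac": record.get("WiFiMACAddress"),
            "has_escrow_bag": "EscrowBag" in record,
            "age_days": round(age_days, 1), "stale": age_days > STALE_AFTER_DAYS}


def audit_pairing_records(directory=DEFAULT_LOCKDOWN_DIR, now=None):
    """One summary per pairing record in `directory`, oldest first."""
    recs = [inspect_record(p, now) for p in Path(directory).glob("*.plist")]
    return sorted(recs, key=lambda r: r["age_days"], reverse=True)


def make_sample_dir(now):
    """Constructed lockdown directory: a fresh pairing and a 200-day-old
    pairing that holds an escrow bag (fake UDIDs and host names)."""
    tmp = Path(tempfile.mkdtemp())
    for udid, host, days, escrow in [("FAKEUDID01", "host-fresh", 2, False),
                                     ("FAKEUDID02", "host-old", 200, True)]:
        rec = {"HostID": host, "SystemBUID": "fake-buid",
               "WiFiMACAddress": "00:11:22:33:44:55"}
        if escrow:
            rec["EscrowBag"] = b"constructed-escrow-bag"
        p = tmp / f"{udid}.plist"
        with open(p, "wb") as fh:
            plistlib.dump(rec, fh)
        os.utime(p, (now - days * 86400, now - days * 86400))
    return tmp
```

On a Mac, `audit_pairing_records()` run as root lists the real records; anything stale or from a host you do not recognise is a pairing you can delete so that host loses its route to the device's services.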
(Score: 3, Interesting) by MrGuy on Tuesday July 22 2014, @12:04PM
Maybe I missed it, but where exactly are these stated to be "new" iOS features? I don't see anything in TFA that suggests these features were recently added.
The only reference I see that talks to the age of this vulnerability to any specific version of iOS is the diagram at the top of TFA, which refers to iOS 4. iOS 4 was introduced in 2010.
If anything, recent versions are stated to be slightly better, in that iOS 7 won't pair with a device (and thus unlock the vulnerability) without specific action.
I don't know whether it would be more upsetting to learn these features are longstanding or that they're recently introduced. But I do know TFH definitely implies the latter, without (to my eye) any evidence.
(Score: 1, Interesting) by Anonymous Coward on Tuesday July 22 2014, @05:12PM
iBeacon is the biggest offender. Its entire stated purpose is to make Apple the middle man for monitoring iPhone cattle.
(Score: 1) by ThG on Tuesday July 22 2014, @04:20PM
I'm surprised they didn't implement it before, or if they have, that nobody found it until now.
(Score: 0) by Anonymous Coward on Thursday July 24 2014, @08:56AM
According to a comment above, it's not new. Why it was not found out before is because people who buy this shiny crap are dumb and non-technical. They're also more likely to assert that only criminals have something to hide...