Security industry beats Apple to address iOS flaw

US-based risk management firm Stroz Friedberg has backed up claims that Apple iOS devices can be wirelessly compromised if the desktop pairing files are stolen. The firm is now offering a free open-source tool to protect enterprise users and consumers.

Security industry beats Apple to address iOS flaw
Security industry beats Apple to address iOS flaw

In a whitepaper released earlier this week, the firm reiterates last month's claims from digital forensics scientist Jonathan Zdziarski that smartphones and tablets running on Apple's iOS 7 mobile operating system have a security vulnerability where outsiders can potentially access users' personal data after pairing with a ‘trusted' PC over Wi-Fi or USB.

When presenting at the HOPE/X security conference in New York City, Zdziarski said that Apple employed several previously undisclosed features in its products to collect highly personal data, with the real danger being that they all bypass the user's backup encryption password. 

One, called “file_relay” captured iPhone data including the user's photos, SMS messages, address book, contact list, voicemail, geolocation history, and other personal data, while "com.apple.pcapd" dumps network traffic and HTTP requests. Access control flaws in another service called "house_arrest" allow unencrypted access to otherwise encrypted third party application data.  

All services were found to be accessible both via USB and wirelessly, once an attacker either stole a single pairing file from a trusted desktop machine, or convinced the user to click ‘trust' when connecting to a compromised device, such as a malicious charger. The research also indicated that an attacker could quickly generate their own pair record enabling them to have persistent wireless access to the device's personal content until wiped, and also identified law enforcement forensics tools with new capabilities to perform such an extraction.

Zdziarski said at the time: “Much of this data simply should never come off the phone, even during a backup. Apple has added many conveniences for enterprises that make tasty attack points for .gov and criminals. Overall, the otherwise great security of iOS has been compromised…by Apple…by design.”

Apple, and some critics, subsequently argued that these features were purely implemented for ‘diagnostic' and enterprise IT purposes, while others suggested that this flaw, affecting some 600 million iOS devices, could be exploited by the NSA and other government agencies.

But security firm Stroz Friedberg has now validated the researcher's claims, confirming the capabilities of the com.apple.com.file.relay. com.apple.mobile.house_arrest and com.apple.mobile.pcapd services – when paired with a ‘trusted' PC – for capturing everything from photos, text messages and voice mails to network traffic and deleted messages on Twitter.

Specifically, the 11-page whitepaper – written by digital forensic experts Cheri Carr and Daniel Blank - details how the com.apple.file.relay bypasses back-up encryption for end-user security to dump data on request (including SQLite databases - meaning that deleted data could be recovered), while house_arrest is used to access personal data inside of third party applications on the device.

Pcapd, meanwhile, is described as a “packet sniffing service that dumps traffic information, including HTTP requests.”

Stroz has developed an open-source tool “UNTrust” as a result, allowing enterprise and personal users to protect their data on iOS devices. Available on desktop PCs, it helps to delete all pairing records when synced with iOS devices and to trust just one computer. It's available from gitHub repository but the firm is also advising that people disable Wi-Fi when not in use, and encrypt the operating system and data at rest. On the iPhone or iPad, the firm says it is advisable to enable complex passwords, do not store credentials in clear text and to ensure that iOS and the apps on it are up to date. It urges enterprises to use mobile device management (MDM) tools.

Seth Berman, UK executive managing director, told SC that “most people click yes” when they see the trusted sign, irrespective of where they are. He said that there is still the chance that the PC could be compromised by malware (into thinking it is the trusted machine), and added that Apple hasn't yet developed a way to revoke this ‘trust' access.

“It's different with a Wi-Fi network because you can say forget this network. There has been no way to revoke access given to the computer.”

Zdziarski added in a telephone interview with SC: “In publishing this report, it shows that the industry takes these vulnerabilities seriously,” he said, before going on to praise the report for being ‘neutral and not political'.

He admitted that there has been some ‘controversy' surrounding the semantics of what a backdoor is in his presentation but said that Apple has been more receptive to the changes privately, noting changes being made in developer beta version 5 of the forthcoming iOS 8.

He said that they were ‘reigning in wireless capabilities', such as disabling wireless access to the packet sniffer, and that application sandboxes would no longer allow for scraping of third-party data wirelessly.

Zdziarski added that this was helping to ‘mitigate the threat' from a number of avenues, including surveillance of foreign dignitaries and high-profile individuals, but said that ‘there's more to do' with too much local data on the device, and the file relay functionality still bypassing end-user encryption. He noted that Apple's steps toward addressing the vulnerabilities looked like ‘good first steps', with more fixes expected to come by the time iOS 8 is released to the public.

He said that he's not so confident they would adequately fix this considering how Apple often works with law enforcement to help catch criminals.

“It's going to be a really touchy subject for Apple. On the one hand, you have law enforcement forensics looking for ways to bypass encryption and other forms of security. On the other hand, you have the number of potential threats to privacy that these services create." 

Apple didn't respond to SC at the time of going to press.