Saturday, September 13, 2014

Apple Addresses iOS Surveillance and Forensics Vulnerabilities

Jonathan Zdziarski on the changes in iOS that address his reported iOS Backdoors, Attack Points, and Surveillance Mechanisms:

The file relay service is now guarded. While the service still exists, all attempts to extract data from it will fail with a permission denied error (see screenshot at the bottom of this post). Only under certain circumstances, such as beta releases and on managed devices can the file relay be activated.


Connections to a number of other services (house_arrest, afc, and others) on the device, has now finally been restricted and these mechanisms are deemed “usb only” services. Wireless clients are no longer permitted to obtain file handles to application sandboxes (only USB clients), so third party application data can no longer be dumped across WiFi. Additionally, wireless clients are not permitted to access the user’s media folder via AFC (Apple File Connection) or access certain other types of data.


Lastly, wireless access to the built-in packet sniffer ( has been disabled, and the service has been listed with a new “usb only” descriptor, so that lockdownd will refuse to attach to it over WiFi. The packet sniffer can only be accessed while the device is connected over USB, eliminating it as a surveillance risk, while retaining its use for debugging and engineering.


While closing off the file_relay service greatly improves the data security of the device, one mechanism that hasn’t been addressed adequately is the ability to obtain a handle to application sandboxes across a USB connection, even while the device is locked. This capability is used by iTunes to access application data, but also presents a vulnerability: commercial forensics tools can (and presently do) take advantage of this mechanism to dump the third party application data from a seized device, if they have access to (or can generate) a valid pairing record with the device.


While the amount of data that can be scraped from an iOS 8 device has been greatly reduced, there is still some risk, and therefore still some steps you can, and should, take to ensure the data security of your device. When traveling through airports, or if you suspect you may be detained by law enforcement, powering down the device will cause the data-protection authentication (NSFileProtectionCompleteUntilFirstUserAuthentication) to be discarded from memory, rendering this type of attack unsuccessful, even with a valid pairing record from a desktop machine. Secondly, consider pair locking your iOS device using Apple’s Configurator tool. I have outlined instructions to do this. This will prevent an unlocked device from being able to establish a pair record with any device, other than the computer you’ve initially paired with in setting it up.

Update (2014-09-18): Andreas Kurtz:

While the iOS 8 sandbox has been revised to limit the ways in which third-party apps could surveil users, such as monitoring their texting or app usage behavior, some of the issues we reported are still present (e.g., determining installed apps, permantetely monitoring pasteboard content from within background apps, observing phone call metadata).

Comments RSS · Twitter

Leave a Comment