iOS Backdoor, Zdziarski’s talk, and what it all means.


First, this is not about the Apple iPhone backdoor DROPOUTJEEP, even though this could be how DROPOUTJEEP gets its info. You can thank Apple for all of these. Second, these backdoors are somewhat difficult to activate, and there are steps that can be taken to significantly reduce access to and activation of these services. Third, I am not going to show you how to activate them; figure it out yourself.

This is just going to be a brief description of what these backdoors do, with some links to info on how to minimize the risk they create. It is brief because the talk on this had over 50 slides.

Initialization Phase

Let’s look at how these backdoors are actually activated: they need a pairing record, obtained either physically from the iOS device or from a computer it has been paired with.

Well, that sounds fairly safe, right? Just don’t give anyone access to your phone, PIN/password, or computer; nothing new there. Well, not really; there are ways around this. A piece of malware could easily be written to grab the pairing keys iTunes uses to sync with your iOS device, and attackers could then build an entire database of pairing keys to try against devices. Zdziarski’s talk even hinted at police/governments being able to scan devices for pairing keys with just a thumb drive, so a piece of malware doing the same thing on a wider scale is completely plausible.
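Since the pairing record is the whole key to this, the defensive starting point is knowing which pairing records your own computers are holding. The following audit script is an added example written for this post; it is not Zdziarski’s tooling or anything from Apple. It assumes the host-side layout documented by the libimobiledevice project: one plist per paired device, named by the device UDID, kept in /var/db/lockdown on Mac OS X, /var/lib/lockdown on Linux and %ProgramDATA%\Apple\Lockdown on Windows, with keys such as HostID, SystemBUID, WiFiMACAddress and the certificate/escrow material. The script reports only which secret keys are present and how old each pairing is, never their values, so stale pairings can be deleted and re-created on demand instead of sitting around for malware to copy.

```python
"""Inventory the iTunes/lockdownd pairing records stored on a host computer.

Added example for this post (not Zdziarski's or Apple's code). The record
layout and directory paths are assumptions taken from public libimobiledevice
documentation; the stale_after_days threshold is a policy knob, not a fact.
"""
import os
import plistlib
import sys
import time

# Host-side lockdown directories per platform (assumed; adjust for your setup).
LOCKDOWN_DIRS = {
    "darwin": "/var/db/lockdown",
    "linux": "/var/lib/lockdown",
    "win32": os.path.join(os.environ.get("PROGRAMDATA", r"C:\ProgramData"),
                         "Apple", "Lockdown"),
}

# Keys that carry the material an attacker would want. The audit only reports
# whether they are present; it never prints their values.
SECRET_KEYS = ("HostPrivateKey", "RootPrivateKey", "EscrowBag",
               "HostCertificate", "DeviceCertificate", "RootCertificate")
# Identifying keys that help match a record to a device and host.
DESCRIPTIVE_KEYS = ("HostID", "SystemBUID", "WiFiMACAddress")


def summarize_pair_record(udid, raw, mtime, now=None, stale_after_days=90):
    """Parse one pairing-record plist and return a non-secret summary."""
    now = time.time() if now is None else now
    rec = plistlib.loads(raw)
    age_days = max(0.0, (now - mtime) / 86400.0)
    return {
        "udid": udid,
        **{k: rec.get(k) for k in DESCRIPTIVE_KEYS},
        "secret_material": sorted(k for k in SECRET_KEYS if k in rec),
        "age_days": round(age_days, 1),
        # A pairing nobody has used in months is a liability: delete it and
        # re-pair when actually needed.
        "stale": age_days > stale_after_days,
    }


def scan_lockdown_dir(path, now=None, stale_after_days=90):
    """Summarize every <UDID>.plist in a lockdown directory."""
    results = []
    if not os.path.isdir(path):
        return results
    try:
        names = sorted(os.listdir(path))
    except PermissionError:  # the directory is usually root/admin-only
        return results
    for name in names:
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue  # SystemConfiguration.plist holds the host's own BUID
        full = os.path.join(path, name)
        with open(full, "rb") as fh:
            raw = fh.read()
        results.append(summarize_pair_record(name[:-6], raw,
                                             os.path.getmtime(full),
                                             now, stale_after_days))
    return results


# Constructed sample record with placeholder values (not from a real device).
SAMPLE_UDID = "0000000000000000000000000000000000000000"
SAMPLE_RECORD = plistlib.dumps({
    "HostID": "00000000-0000-0000-0000-000000000000",
    "SystemBUID": "00000000-0000-0000-0000-000000000000",
    "WiFiMACAddress": "00:00:00:00:00:00",
    "HostCertificate": b"PLACEHOLDER-CERT",
    "HostPrivateKey": b"PLACEHOLDER-KEY",
    "EscrowBag": b"PLACEHOLDER-ESCROW",
})


def demo():
    """Summarize the constructed record as if it were written 120 days ago."""
    now = 1_400_000_000.0
    return summarize_pair_record(SAMPLE_UDID, SAMPLE_RECORD,
                                 now - 120 * 86400, now)


if __name__ == "__main__":
    target = LOCKDOWN_DIRS.get(sys.platform)
    records = scan_lockdown_dir(target) if target else []
    if not records:
        print("no pairing records readable; showing the constructed sample")
        records = [demo()]
    for r in records:
        flag = "  STALE" if r["stale"] else ""
        print(f"{r['udid']}  host={r['HostID']}  age={r['age_days']}d  "
              f"secrets={','.join(r['secret_material'])}{flag}")
```

Run it as root/admin on the sync computer to see every device that computer can currently unlock services on; anything you no longer own or no longer sync is a record to delete.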

With the pairing record, the backdoors can be initialized through lockdownd via USB, or via TCP wirelessly on the same network. NOTE: it is still not known whether this can be done over mobile data networks; my best guess is no, as the routing and NATing most carriers use would make it extremely difficult to reach the port on a specific device every time. This means the attacker would have to be on the same subnet as the iOS device, or actually have the iOS device plugged into a computer.
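The same-subnet requirement is something a network defender can watch for. The script below is an added example for this post, not anything from the talk; it assumes iptables/netfilter-style firewall log lines (constructed here, not captured from a real network) and that lockdownd accepts the wireless connections on TCP port 62078, which is the port usbmuxd uses for it. Any connection to that port on the Wi-Fi segment from a host that is not your known sync computer is worth a look.

```python
"""Flag lockdownd connections on the LAN that do not come from a known sync host.

Added example for this post; the log format is iptables/netfilter style and the
sample lines are constructed. Port 62078 is assumed to be lockdownd's TCP port.
"""
import re

LOCKDOWND_PORT = 62078
FIELD = re.compile(r"(\w+)=(\S*)")

# Constructed sample: the sync Mac (192.168.1.10) and an unknown host
# (192.168.1.77) both reach the phone (192.168.1.55) on the lockdownd port; the
# unknown host also opens an ordinary HTTPS connection that should be ignored.
SAMPLE_LOG = """\
Aug 20 11:29:01 router kernel: [1001.1] LAN-FWD: IN=wlan0 OUT=wlan0 SRC=192.168.1.10 DST=192.168.1.55 PROTO=TCP SPT=49201 DPT=62078 SYN
Aug 20 11:29:05 router kernel: [1005.2] LAN-FWD: IN=wlan0 OUT=wlan0 SRC=192.168.1.77 DST=192.168.1.55 PROTO=TCP SPT=40012 DPT=62078 SYN
Aug 20 11:29:09 router kernel: [1009.3] LAN-FWD: IN=wlan0 OUT=wlan0 SRC=192.168.1.77 DST=192.168.1.55 PROTO=TCP SPT=40013 DPT=443 SYN
""".splitlines()


def parse_kv_line(line):
    """Turn the KEY=value pairs of a netfilter log line into a dict."""
    return dict(FIELD.findall(line))


def find_lockdown_connections(lines, known_sync_hosts, port=LOCKDOWND_PORT):
    """Return every TCP connection to the lockdownd port, marking whether the
    source is one of the hosts that is supposed to sync with the device."""
    hits = []
    for line in lines:
        fields = parse_kv_line(line)
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(port):
            continue
        src = fields.get("SRC")
        hits.append({
            "src": src,
            "dst": fields.get("DST"),
            "expected": src in known_sync_hosts,
            "raw": line.strip(),
        })
    return hits


def unexpected_sources(lines, known_sync_hosts, port=LOCKDOWND_PORT):
    """Distinct source addresses that talked to lockdownd but are not known."""
    return sorted({h["src"] for h in find_lockdown_connections(lines, known_sync_hosts, port)
                   if not h["expected"]})


if __name__ == "__main__":
    known = {"192.168.1.10"}  # the one computer that is allowed to sync
    for hit in find_lockdown_connections(SAMPLE_LOG, known):
        tag = "ok      " if hit["expected"] else "SUSPECT "
        print(f"{tag} {hit['src']} -> {hit['dst']}:{LOCKDOWND_PORT}")
    print("unexpected sources:", unexpected_sources(SAMPLE_LOG, known))
```

Feed it the forwarding log of the Wi-Fi router or a tap on the segment; a hit from an address that is not your sync computer is exactly the "attacker on the same subnet" case described above.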

NOTE: I am not going over lockdownd in this post either; there is enough information about it available online already. Use Google if you want to know more.

What they can do

During Zdziarski’s talk he mentioned 3 possible backdoors:

  • com.apple.house_arrest
  • com.apple.pcapd
  • com.apple.mobile.file_relay

First, let’s take com.apple.house_arrest off the list, as most of it is used by iTunes and Xcode for diagnostics and backups. It still gives too much access to sensitive information, though, including data iTunes doesn’t even pull during backups.

That leaves two. Let’s look at com.apple.pcapd. This one just doesn’t make any sense to have hidden in an iOS device: a packet capture daemon?! Apple’s reasoning is that it is used for troubleshooting VPNs and applications during development. VPNs??? Seriously, I think a traceroute would make more sense for VPN diagnostics. OK, troubleshooting application development makes sense, but then put it in the iOS developer image, not the release image that roughly 600 million customer devices run.

OK, so that leaves one: com.apple.mobile.file_relay. When Zdziarski looked at this in iOS 2 it was mostly benign, except for the UserDatabases source (address book, call history, SMS database, email metadata, and the iOS SQLite database). OK, so it’s not so benign, but it got worse: Apple developed this service to pull even more user data. In iOS 2 it pulled 6 types of data; in iOS 7 it pulls 43 different types. Maybe it’s for diagnostics and they just split it up to make it easier to go through? Wrong. Apple doesn’t need to know your Accounts (all the email and social networking accounts you use), AddressBook (all of your contacts, including deleted contacts that can be recovered), Photos (every picture you have on the device), Voicemail (the database and audio files in AMR format), and my personal favorite, CoreLocation (GPS logs); Zdziarski’s test showed his device had logged 60+ days of GPS info with timestamps. Really, none of this type of data makes any sense from a troubleshooting perspective.

So my i(Device) is not safe?

Well, that’s up to you:
1) Do you use a PIN or password, and do you change it periodically?
2) Do you leave your phone out for people to mess with?
3) Use the Apple Configurator to block pairing; read Zdziarski’s slides from my HOPE/X Talk, where he gives a quick walkthrough on how to keep the pairing exposure to a minimum.

In short, these backdoors are not easy to activate, and with some careful hardening using the Apple Configurator (which is Mac OS X only) they can be easily blocked from being exploited. Hopefully, now that these services have been published and brought to the public’s attention, Apple might actually patch them so they are not exploited so easily, but for now it appears they are in denial, according to this knowledge base article.

Links
Apple’s response: iOS: About diagnostic capabilities

Zdziarski’s blog posts:
Zdziarski’s slides from my HOPE/X Talk
Zdziarski’s Apple Confirms Backdoors

Author

Aaron Babitzke

I have recently gone back to university, in the fall of 2013, to obtain my BSc in Computer Science. Prior to this I had spent the past 12 years in various positions in the IT field: IT consultant, Network Administrator, Network Technician, PC Repair Technician, and Wireless Internet Installer for WISPs. I have experience with various technologies (networking, mobile, systems administration, security, virtualization) on a broad array of operating systems: Android, Linux, Mac, Mac IOS, UNIX, and Windows. My client base has included WISPs, SMBs, charter schools (K - Jr High), and regular consumers.


1 Comment

  1. Joe Lunsford August 20, 2014 at 11:29 am

    Apple can be very unsecure, I mean, everyone is all worried about viruses and Estonian hackers that they fail to see what they do to themselves.

