Personal information including text messages, contact lists and photos can be extracted from extra popular iPhones through previously secret techniques by Apple Inc employees, the Cupertino-based firm admitted earlier this week.
The same techniques to circumvent backup encryption could be taken into use by law enforcement and other governmental and non-governmental bodies with access to the “trusted” computers to which the devices have been connected, according to the security expert who prompted Apple’s admission.
In a conference presentation this week, researcher Jonathan Zdziarski demonstrated how the previously hidden techniques had extracted a surprising amount of data for what Apple now says are diagnostic services meant to help engineers.
Users are not notified that the services are running and cannot disable them, Zdziarski revealed. There is no way for the highly popular users to know what computers have previously been granted trusted status via the backup process or block future connections.
“There’s no way to `unpair’ except to wipe your phone,” he said in a video demonstration he posted Friday showing what he could extract from an unlocked phone through a trusted computer.
As word spread about Zdziarski’s initial presentation at the Hackers on Planet Earth conference, some cited it as evidence of Apple collaboration with the National Security Agency.
Apple denied creating any “back doors” for intelligence agencies.
“We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues,” Apple said.
“A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data.”
However, the researcher admitted that there’re few evidence that the services were aimed at spies. He also revealed that they extracted much more information than was needed, with too little disclosure.
Security industry analyst Rich Mogull said Zdziarski’s work was overhyped but technically accurate.
“They are collecting more than they should be, and the only way to get it is to compromise security,” said Mogull, chief executive officer of Securosis.
Mogull also agreed with his colleague that since the tools exist, law enforcement will use them in cases when the desktop computers of targeted individuals can be confiscated, hacked or reached via their employers.
“They’ll take advantage of every legal tool that they have and maybe more,” Mogull said of government investigators.
Asked whether the Californian company had already used the tools to fulfill law enforcement requests, Apple did not immediately respond.
“For all the attention to the previously unknown tools and other occasional bugs, Apple’s phones are widely considered more secure than those using Google Inc’s rival Android operating system, in part because Google does not have the power to send software fixes directly to those devices,” Reuters writes.