
Apple iOS Backdoor in 600m devices

posted in security by Phil on Thu Jul 24 2014

iOS Backdoor Network Dump

Apple have been found to have 3 backdoor programs installed for "diagnostic" purposes on 600 million devices worldwide.

Twitter user @JZdziarski released a paper titled "Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Devices" last Friday at a hacker convention in New York.

The paper details 3 programs that Apple have included in the core of iOS that could be used by 3rd parties to:

  • Monitor internet traffic
  • Dump personal data
  • Dump documents


Here is a brief breakdown of the 3 programs identified.

1. Packet Sniffer - com.apple.pcapd

  • Dumps all network traffic and HTTP request/response data traveling into and out of the device.
  • Can be targeted via WiFi for remote monitoring.
  • No visual indication to the user that the packet sniffer is running.

2. File Transfer - com.apple.mobile.file_relay

  • Found in /usr/libexec/mobile_file_relay on device.
  • Transmits large swaths of raw file data.
  • Completely bypasses Apple’s backup encryption for end-user security.
  • Once thought benign, has evolved considerably, even in iOS 7, to expose much personal data.
  • Very intentionally placed and intended to dump data from the device by request.

3. iTunes Copy - com.apple.mobile.house_arrest

  • Originally used to allow iTunes to copy documents to/from third party applications.
  • Even though iTunes doesn’t permit it through the GUI, the service allows access to the Library, Caches, Cookies and Preferences folders as well.
  • These folders provide highly sensitive account storage, social/Facebook caches, photos and other data stored in “vaults”, and much more.


So why is it there...?

  1. iTunes...? Nope.
  2. Apple Support...? Nope.
  3. Developer Debugging...? Nope.
  4. Did they forget...?
  • Apple has been maintaining and enhancing this code, even with iOS 7; they know it’s there.
  • It’s not buried; it’s listed in Services.plist.
  • While house_arrest security issues might be “bugs”, file relay and pcap most certainly aren’t.

What can you do...?

  • Apple Configurator is Free in the Mac App Store.
  • Allows you to set enterprise MDM restrictions on your device.
  • Can be used to prevent pairing even when unlocked.
  • Pair once with your desktop, then never again.
  • Won’t help you if the device is sent to Apple; you should still use a complex passphrase.
  • Removable later if you change your mind.
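As an added example (not from the post, and not Apple Configurator's own code), the script below builds the Restrictions profile that the "prevent pairing" setting boils down to and audits any .mobileconfig for it. It assumes the documented allowHostPairing key of the com.apple.applicationaccess payload (supervised devices, iOS 7 and later); the identifiers and UUIDs are constructed placeholders.

```python
import plistlib
import uuid

# Added example (not from the post). Assumes the documented Restrictions
# payload key allowHostPairing (com.apple.applicationaccess, supervised
# devices, iOS 7+); identifiers and UUIDs are constructed placeholders.
RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"


def build_profile(allow_host_pairing: bool) -> bytes:
    """Return a .mobileconfig (XML plist) with one Restrictions payload.
    True keeps the default (any once-trusted desktop can reach file_relay,
    house_arrest and pcapd); False is the hardened pairing restriction.
    """
    restrictions = {
        "PayloadType": RESTRICTIONS_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.restrictions.pairing",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Restrictions",
        "allowHostPairing": allow_host_pairing,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.pairing-lockdown",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Disable host pairing",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def pairing_disabled(profile_bytes: bytes) -> bool:
    """Audit a profile: True only if some Restrictions payload sets
    allowHostPairing to False. A missing key means the default (allowed)."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_PAYLOAD:
            continue
        if payload.get("allowHostPairing", True) is False:
            return True
    return False


if __name__ == "__main__":
    print(pairing_disabled(build_profile(True)))   # False: default, pairing allowed
    print(pairing_disabled(build_profile(False)))  # True: pairing blocked
```

The audit function is what you would run over profiles exported from an MDM to confirm the restriction actually landed, since a profile that merely omits the key leaves pairing enabled.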


Sources:

https://twitter.com/JZdziarski

https://pentest.com/ios_backdoors_attack_points_surveillance_mechanisms.pdf