
Private Data On iOS Devices Not So Private After All

timothy posted about 2 months ago | from the it's-totally-intuitive dept.

IOS 101

theshowmecanuck (703852) writes with this excerpt from Reuters summarizing the upshot of a talk that Jonathan Zdziarski gave at last weekend's HOPE conference: Personal data including text messages, contact lists and photos can be extracted from iPhones through previously unpublicized techniques by Apple Inc employees, the company acknowledged this week. The same techniques to circumvent backup encryption could be used by law enforcement or others with access to the 'trusted' computers to which the devices have been connected, according to the security expert who prompted Apple's admission. Users are not notified that the services are running and cannot disable them, Zdziarski said. There is no way for iPhone users to know what computers have previously been granted trusted status via the backup process or block future connections. If you'd rather watch and listen, Zdziarski has posted a video showing how it's done.


101 comments


Yeah (-1)

Anonymous Coward | about 2 months ago | (#47538215)

What did you expect from a hipster marketing company? Privacy? Respect? Decency? HAH!

Re:Yeah (-1)

Anonymous Coward | about 2 months ago | (#47538233)

Apple are no more hipster than Toyota.

An iPhone is a safe, dull choice for safe, dull people.

Re:Yeah (1)

dreamchaser (49529) | about 2 months ago | (#47538339)

Apparently not so safe.

Re:Yeah (3, Insightful)

Anonymous Coward | about 2 months ago | (#47538367)

These *attacks* require the attacker to have the keys from a trusted computer. Is your linux secure if you give somebody the root pass? Is your house safe if you give a friend the keys? These "security" headlines are just clickbait.

Re:Yeah (0)

Anonymous Coward | about 2 months ago | (#47538411)

Think before you post. That's not even close to being the same thing.

Re:Yeah (0)

Anonymous Coward | about 2 months ago | (#47538453)

The "trusted" computer creds are sitting in one's home directory. It would be trivial for malware to slurp those, then any other computer can be flagged as "trusted".

At least Android is forthright about what keys it has used for ADB access, and offers you the ability to delete the keys, singly, or dump them all. In iOS, once trusted... it stays trusted until you erase and set up as new. Same with trusting SSL/TLS keys. You can add trusted root keys, but there is no way to remove them from the device or backups.

Re:Yeah (0, Insightful)

Anonymous Coward | about 2 months ago | (#47538653)

The "trusted" computer creds are sitting in one's home directory. It would be trivial for malware to slurp those, then any other computer can be flagged as "trusted".

Sure man, trivial. It happens to everybody every day of the week. Seriously, do you guys have a bit of common sense? If you have malware slurping the keys, the malware can already be slurping the synced data of the phone, which is the point of this attack. Why go roundaway to something you already have access to on the machine? For the lulz? And don't tell me there might be data on the phone that is not on the machine, because then I claim you wouldn't be syncing in the first place the phone, neither to Apple iCloud, neither to your own machine.

All the case scenarios you guys are painting are the equivalent of xkcd 538.

Re:Yeah (1)

Belial6 (794905) | about 2 months ago | (#47539335)

One might do this if they want to gain access to your phone next year instead of just today. If I compromise your computer today, you may find out about it and wipe your drive. As I understand it, this attack would allow me to continue accessing your phone's data even after the computer you sync to has been secured.

Re:Yeah (2)

dos1 (2950945) | about 2 months ago | (#47540379)

It's enough to have a friend's PC compromised, where you connected your iPhone once, a year ago, to recharge your battery and you don't even remember that now. When his computer is compromised, your phone becomes compromised as well and vulnerable to remote attacks.

That's a bit different story than what you described above.

Re:Yeah (1)

Anonymous Coward | about 2 months ago | (#47540485)

The "trusted" computer creds are sitting in one's home directory. It would be trivial for malware to slurp those, then any other computer can be flagged as "trusted".

Sure man, trivial. It happens to everybody every day of the week. Seriously, do you guys have a bit of common sense? If you have malware slurping the keys, the malware can already be slurping the synced data of the phone, which is the point of this attack. Why go roundaway to something you already have access to on the machine? For the lulz? And don't tell me there might be data on the phone that is not on the machine, because then I claim you wouldn't be syncing in the first place the phone, neither to Apple iCloud, neither to your own machine.

All the case scenarios you guys are painting are the equivalent of xkcd 538.

Um... hello there? XKCD 538 is important here. Just look at the Slashdot stories, and you will see abuses left and right, and this is by every single government out there.

Take the UK, a judge can ask a person 30-50 times for their password, each no is 3-4 years in Her Majesty's prison system, due to RIPA. Other places like Syria and most of the Middle East will answer a "no" with 240VAC to the regions of the body normally used for reproduction... and likely to family members too.

So, it is a big concern, and in iOS (which some people on Slashdot call "100% secure"), once a machine is "introduced"... it is mated for life. Want a divorce? Pair as new and don't restore from a backup as those keys will be back if you get your old data on the device.

As for Android... if really concerned about it, delete the keys and call it done. Some Android devices/ROMs by default tend to ask for permission each and every time when connected anyway.

In this case, Android wins this security issue. ADB, MTP, and PTP are known protocols. It isn't like iTunes where iOS's transfer protocol is a closed source mystery.

Re:Yeah (0)

Anonymous Coward | about 2 months ago | (#47538485)

Is your house safe if you let your old friend in once somewhere in the past?
This allegory would be better.

Re:Yeah (0)

Anonymous Coward | about 2 months ago | (#47538587)

Does it change the fact that your old friend only needs to make a copy of the keys once? Granted iOS doesn't allow you to change the keys short of buying new hardware, but adding this "feature" to some settings screen like wiping all data is very simple, and continuing the allegory, you can't morph your locks either, you need to buy new ones and replace them in your house.

Re:Yeah (1)

Anonymous Coward | about 2 months ago | (#47538677)

It's hardly "copying the keys". It's simply connecting the device to some PC and then finding yourself vulnerable to remote attacks. After you are aware that something like that is possible, it of course makes sense to be careful, but otherwise - how would you even expect it to be possible? Especially if you're not tech-savvy? No sane security design should allow something like that, especially on things like mobile phones or tablets that are often connected to various other devices at various places.

Re:Yeah (2)

Belial6 (794905) | about 2 months ago | (#47539347)

Correct me if I am wrong, but this attack sounds like it would let your friend make a copy of the key, and even if you changed the locks on your house, his copy would still work.

Re:Yeah (1)

TyFoN (12980) | about 2 months ago | (#47538581)

No, you can't retrieve anything from my computers in that way even with my root password.
The encryption keys are my own and I have full control over them.
In the TFA case, apple has control over your keys.

Re:Yeah (0)

Anonymous Coward | about 2 months ago | (#47538629)

No, you can't retrieve anything from my computers in that way even with my root password.

Seriously? Can't I log in as root and install RAT to monitor and send all the data over? Because that's what TFA tools do. You don't have "full control" over anything if somebody else has the root pass to your machines and can log in them.

In the TFA case, apple has control over your keys.

You are wrong. Apple doesn't have so much control over the keys (they are not being sent anywhere) as much as Apple controls your OS in first place. Plus TFA says that you can wipe your device to reset the keys. So what control does Apple have over that?

Re:Yeah (1)

viperidaenz (2515578) | about 2 months ago | (#47541745)

Except any sane person doesn't allow remote root logins.

Re:Yeah (1, Informative)

BasilBrush (643681) | about 2 months ago | (#47538787)

In the TFA case, apple has control over your keys.

False. The private keys are unique to the phone and the paired device. The public keys are shared between the two when they are paired. Apple doesn't have the private keys (or the public keys for that matter), and thus cannot read either side of the communication.

Re:Yeah (1)

dk20 (914954) | about 2 months ago | (#47540311)

Answering your linux question, yes my linux computer is safe if I give someone my root password because many linux distros don't allow direct root login.

"By default, the Root account password is locked in Ubuntu. This means that you cannot login as Root directly or use the su command to become the Root user. "

Perhaps you can define exactly what it means to "jailbreak" an iDevice? Seems you do something to gain "root" access? Remember when simply going to a website would root your phone?

Re:Yeah (1)

dryeo (100693) | about 2 months ago | (#47540997)

sudo xterm or sudo mc is how I get a root prompt under Ubuntu

Re:Yeah (-1, Troll)

BasilBrush (643681) | about 2 months ago | (#47538845)

What did you expect from a hipster marketing company?

I know! Look at this sad sack showing off his iPhone:

http://i.kinja-img.com/gawker-... [kinja-img.com]

Wait a sec... that's an Android, and that's Google's VP of design, responsible for Android's latest makeover. My mistake.

Re:Yeah (0)

Anonymous Coward | about 2 months ago | (#47540777)

Nice to see the fanboy glossing over the issue...

Stallman was right (5, Insightful)

jabberw0k (62554) | about 2 months ago | (#47538223)

These so-called "smart telephones" aren't telephones at all; they are computers. Computers that you cannot control. And if you aren't, who is?

Some folks thought Richard Stallman was crazy for saying no-one should run software or use hardware that is based on clandestine (proprietary, hidden) knowledge. This latest revelation is just one reason he was right all along.

Re:Stallman was right (5, Informative)

Anonymous Coward | about 2 months ago | (#47538291)

Fortunately, if someone wants a "smartphone" that is under full control of the user, there are a few choices: Openmoko Neo Freerunner, OpenPhoenux GTA04 or latest device in development - Neo900 ( http://neo900.org/ )

The last one even goes further and implements monitoring over some unavoidably closed parts, like GSM modem (and all of them have proper modem isolation, so the modem cannot access the main RAM, possibly rendering any software encryption moot like on most of recent mainstream smartphones)

Re:Stallman was right (0)

Anonymous Coward | about 2 months ago | (#47538329)

Now for a phone that is mainly a phone --and a lot smaller-- with the same firmware properties. Perhaps with something suitably lighter for an OS, too.

Re:Stallman was right (0)

Anonymous Coward | about 2 months ago | (#47539465)

The last one even goes further and implements monitoring over some unavoidably closed parts

Why is that unavoidable? Every part should be 100% open, regardless of any unjust laws.

Re:Stallman was right (3, Informative)

HiThere (15173) | about 2 months ago | (#47539603)

Not sure about that particular case, but there are some legal requirements that, I believe, entail controls that are not user controllable. Things like frequency, signal encoding, etc. Those seem like reasonable constraints, so long as we aren't using spread spectrum, which, IIUC, is illegal.

Given that, modem isolation is probably the just and reasonable approach to take.

Re:Stallman was right (1)

Rich0 (548339) | about 2 months ago | (#47541287)

That is just obfuscation. Not making the baseband firmware open-source certainly makes it more annoying to mess with that stuff, but it certainly doesn't make it impossible. It is misguided in any case, as anybody can build a cell phone jammer/spoofer/cloner/whateverer out of their own parts running whatever code they want to.

But, I have no doubt that the clowns at the FCC would give any company that wanted to implement an open-source baseband a hard time, so even though it really doesn't make the device any more secure companies will do it so that they can sell their products.

Re:Stallman was right (0)

Anonymous Coward | about 2 months ago | (#47540399)

Feel free to work on your own, fully 100% free mobile phone project, regardless of any unjust laws.

But I'm a coward. Let me work on my "as free as legally possible" one to make other people like me, without as big balls as yours, happy.

Re:Stallman was right (1)

antdude (79039) | about 2 months ago | (#47540637)

Sure, but what about the service part. How do we know what happens to the data that goes in and out of these phones? Can we encrypt from our phones to the other end like voice communications, textings, etc.?

Re:Stallman was right (0)

Anonymous Coward | about 2 months ago | (#47540727)

Why not? VoIP over SSL (or VPN) should do. SMS are easily encryptable, given that you have compatible software on both ends.

The only limitation is that voice channel doesn't really work for transferring data - that's why it's better idea to use VoIP service.

Re:Stallman was right (1)

Wovel (964431) | about 2 months ago | (#47547215)

Let's not go off the deep end. Stallman is a lunatic...

Re:Stallman was right (1)

cant_get_a_good_nick (172131) | about 2 months ago | (#47549785)

Stallman is crazy. Even crazy people can be right about a few things here and there, but overall he's a zealot. The joke goes "even a stopped watch is right a couple times a day - though you need a second working watch to see when."

The Hurd has been under development since 1983. Three decades, and still not a stable version [gnu.org] ? When he started the HURD we didn't have the web, nor the Internet. If we waited for Stallman to actually ship, we would have lost out on a lot (both good and bad, but mostly good).

The issue with Stallman is where do you stop? OK, so now you have an OS totally under your control (well maybe, but let's pretend yes). Now, the hardware! OK, rewrite the BIOS/OpenFirmware. Now you're under control! No, there may be stuff in the chips.... let's go grab some sand.

Soon enough, you either have to say you write everything (and this is the mess you get from making your own toaster [ted.com] ) or just realize you need to have faith in some companies you may or may not want to trust.

There's only one OS you can trust: OpenBSD (0, Insightful)

Anonymous Coward | about 2 months ago | (#47538225)

There's only one operating system in existence today that is worthy of even a small degree of trust: OpenBSD.

OpenBSD is the only operating system I know of that is open source, continually undergoes rigorous review, and has developers who put security above all else.

Since OpenBSD is the only operating system that is anywhere close to being secure, the only type of secure mobile device would be one running OpenBSD. I'm not aware of any of those, so it's obvious that any device not running OpenBSD should be considered insecure to begin with.

Re:Fanboy rant (0)

Anonymous Coward | about 2 months ago | (#47538245)

It's good that you have that much faith in an OS. Just don't install anything on it.

Re:There's only one OS you can trust: OpenBSD (-1)

Anonymous Coward | about 2 months ago | (#47538493)

Oh look, a masturbating monkey.

Re: There's only one OS you can trust: OpenBSD (0)

Anonymous Coward | about 2 months ago | (#47540927)

Only one in existence? You have audited EVERY ONE in existence and that was the only one?

There must be a lot of developers wasting their time.

Re:There's only one OS you can trust: OpenBSD (1)

Anonymous Coward | about 2 months ago | (#47541245)

There's only one operating system in existence today that is worthy of even a small degree of trust: OpenBSD.

OpenBSD is the only operating system I know of that is open source, continually undergoes rigorous review, and has developers who put security above all else.

Since OpenBSD is the only operating system that is anywhere close to being secure, the only type of secure mobile device would be one running OpenBSD. I'm not aware of any of those, so it's obvious that any device not running OpenBSD should be considered insecure to begin with.

I'm an OpenBSD user, but just remember that the software a computer runs isn't the only thing that can be doing evil things. Realistically, you're never completely safe, even if I might decide to completely trust the OpenBSD developers, my nic card could be siphoning my data. I don't blindly trust them of course, not that I have evidence they do evil things, but it's the best OS I can figure for me since I'm not a programmer and I can't write my own. That and it's so simple to configure compared to the other monstrosities out there.

WTF (-1)

Anonymous Coward | about 2 months ago | (#47538227)

I posted this last night. Old news now.

it's the future (3, Insightful)

Anonymous Coward | about 2 months ago | (#47538235)

The more we buy devices whose master is someone else, the more things of this very nature will become a problem.

Do not buy devices that you do not control after you buy them. You must be able to run any kernel and any userspace you want, you must be able to control the machine top to bottom. If you give this up in exchange for convenience, then you will be taken advantage of by companies that don't have your interests at heart.

Re:it's the future (2, Interesting)

Anonymous Coward | about 2 months ago | (#47538513)

You got modded down by Apple fans for telling the truth.

Re:it's the future (-1)

Anonymous Coward | about 2 months ago | (#47538657)

No, he got modded down by normal people for being a faggot.

Re:it's the future (1)

dos1 (2950945) | about 2 months ago | (#47538713)

True words. Sadly, people consider things that are trendy or have more raw power as more valuable, even if they don't really need that. When someone actually comes up with the device that you can control (instead of it controlling you), all he hears is "meh, too slow", "too expensive", "no capacitive screen? are you joking?"

You would expect people to be more sensible than that, especially in the post-Snowden era.

Re:it's the future (2)

HiThere (15173) | about 2 months ago | (#47539627)

Unfortunately, no, I wouldn't "expect people to be more sensible than that, especially in the post-Snowden era", even though this actually isn't the post-Snowden era. He's still around, and still occasionally releasing new tid-bits.

I normally expect people to be short-sighted, and to have little memory of history. I regret that I'm rarely disappointed.

So... (4, Insightful)

Sqr(twg) (2126054) | about 2 months ago | (#47538263)

If you store sensitive stuff on your iPhone, don't make backups from it onto an insecure/unencrypted computer.

And if you were making backups from anything secure onto anything insecure, it is time to revise your security policy.

Re:So... (0)

Anonymous Coward | about 2 months ago | (#47538461)

It's not about "making backups". If only you ever connected your iDevice to some PC you didn't have full control over, your current data may be remotely compromised, even if back then you didn't have anything "sensitive" on the device.

That's definitely *not* something one would reasonably expect.

Re:So... (1)

John Bokma (834313) | about 2 months ago | (#47539281)

That's a choice that has been made. AFAIK the iOS device asks if the computer can be trusted....

Re:So... (0)

Anonymous Coward | about 2 months ago | (#47540461)

Prior to insecurely storing the keys the computer could be trusted. It was the iOS device that ultimately made it untrustworthy

Re:So... (0)

Anonymous Coward | about 2 months ago | (#47540749)

It didn't before iOS 7, so if you connected your device anywhere before upgrade to iOS 7, the key is already there.

Plus "trusting" the computer over USB cable is one thing, and remote access is another.

Re:So... (0)

Anonymous Coward | about 2 months ago | (#47539947)

No, it's not about connecting your iDevice to some PC you don't have full control over. It's about connecting it to such a PC, and then explicitly tapping the "Trust this computer" button that pops up when you're explicitly told "this computer could compromise your device if you trust it".

Re:So... (0)

Anonymous Coward | about 2 months ago | (#47540791)

Compromising the device while it's connected to the PC is one thing, and compromising it remotely based on data stored on said PC is another.

The computer could be trusted when the device was connected, but become compromised later - effectively compromising the device as well without the need of connecting it again.

Plus pre-iOS 7 there was no "trust this computer" dialog, so if you connected your iOS device anywhere before upgrading to iOS 7, your keys are already there without any explicit "trust", so your phone may be vulnerable to remote attacks.

Re:So... (1)

cant_get_a_good_nick (172131) | about 2 months ago | (#47552829)

Also, turning off this behavior - plugging a phone into a computer, pressing "OK" without any authentication allows siphoning - is pretty hard to do. You need to download a wonky piece of software called Apple Configurator to do this. It's usually for corporate/educational bulk deployments, and the UI shows this.

Re:So... (0)

Anonymous Coward | about 2 months ago | (#47540141)

it is time to revise your security policy.

Or, it might be time to consider to have a security policy.

How many times do we have to learn this lesson? (0)

Anonymous Coward | about 2 months ago | (#47538267)

Large corporations cannot be trusted to protect our secrets -- particularly when under the thumb of big-brother government!

Article got it wrong (5, Informative)

strredwolf (532) | about 2 months ago | (#47538297)

Almost all the reports are getting the gist of the paper wrong -- any press summation that doesn't go into the paper to understand it will get it wrong. The paper goes into deep detail that Apple has several services that, while protected by several layers of security that could be bypassed, can transfer data in the clear. There are also several services that don't have any obvious connecting software.

It's a rather deep hacker-style dive into iOS.

A good video about this is by TWiT Network. At http://twit.tv/sn465 [twit.tv] Security Now ep 465 has expert Steve Gibson explain the actual paper.

Re:Article got it wrong (0)

Anonymous Coward | about 2 months ago | (#47538433)

YES. This. Please, before repeating and commenting on any article referring to Zdziarski's work, read the goddamned paper and then watch Steve Gibson's explanation. The coverage this "issue" has been getting is complete bullshit.

Re:Article got it wrong (1)

Anonymous Coward | about 2 months ago | (#47538729)

You lost me when you said "expert Steve Gibson". If by "expert" you mean "shameless selfpromoting security wannabe", then OK.

Re:Article got it wrong (2)

c0d3g33k (102699) | about 2 months ago | (#47539103)

You lost me when you said "expert Steve Gibson". If by "expert" you mean "shameless selfpromoting security wannabe", then OK.

No. These are examples of shameless, self-promoting wannabes:

https://en.wikipedia.org/wiki/... [wikipedia.org]
https://en.wikipedia.org/wiki/... [wikipedia.org]

Steve Gibson at least provides genuinely useful information most of the time and from what I can see does a decent job of teaching non-technical folks to understand and implement good security practices. He's a little hard to take in large doses when I've seen him on This Week in Tech and his website hurts my eyes, but I wouldn't paint him with such a broad brush. He doesn't seem to be a charlatan as much as a well-meaning but occasionally bumbling 'little guy' trying to build a business in the technology/security realm.

Re:Article got it wrong (0)

Anonymous Coward | about 2 months ago | (#47542003)

Quoting Attrition:

Steve Gibson is somewhat of a "fringe" charlatan. In some professional security circles, he is not considered a reputable security professional, rather more of a snake oil salesman peddling third-rate software with bold claims. While many of his claims are a bit outlandish or bold, few, if any, are demonstrably false. However, when asked to speak on security topics, Gibson is getting adept at putting his foot in his mouth. A single amusing quote may be laughable, but a series of them begin to paint a picture of someone who doesn't really understand security. Rather, he seems to know enough buzzwords and ideas to be dangerous to his clients.

In the land of the blind, the one-eyed man is King.

Re:Article got it wrong (1)

cant_get_a_good_nick (172131) | about 2 months ago | (#47549969)

Hmm, like the AC joke below, I'm a bit torn when you said "Security Expert" for Steve Gibson. Aside from prodigious self promotion, as far as actual security talent, Steve's both good and bad. I may listen to this one, because this one is more in his wheelhouse - specifically describe in easier terms a complicated subject previously researched and digested by someone else.

He's much less useful when making declarations of what to do - he's too enamored of assembly (which can lead to more security holes - there are no checks or restrictions in Assembly as in say, C#, Java, or even C++), he keeps on talking about that he won't move off of XP (and implies that it's safe for others to do so).

thi_s FP foR GNAA (-1)

Anonymous Coward | about 2 months ago | (#47538313)

a4nd mortify1ng [goat.cx]

Smart Phones (-1)

Anonymous Coward | about 2 months ago | (#47538337)

I completely agree with jabberw0k, the only phones that actually exist are our 'home phones'.

We think these 'smart phones' are safer and better - [prime-ticket.com] yes they are easier and much better to use for everyday usage, but overall they are not safe!

Horribly Inaccurate (1)

Anonymous Coward | about 2 months ago | (#47538345)

The "researcher" and Reuters forgot to clearly call out that for the information to be extracted with the developer tools an iOS device must be trusted. Trust is established by plugging the device into a computer and the device MUST be unlocked.

This is akin to giving someone you don't trust a key to your house.

Re:Horribly Inaccurate (1)

HiThere (15173) | about 2 months ago | (#47539645)

Trusted by whom? I don't think there's any requirement that the purchaser of the device trust the "trusted" data extractor. IIUC it could become trusted before the customer ever received the device, or anytime it's in for service.

So this *probably* means that J. Random Hacker can't access the information. If the assertion is true. It doesn't say anything about Apple, their employees, or anyone they share information with...transitively.

Re:Horribly Inaccurate (0)

Anonymous Coward | about 2 months ago | (#47539953)

There absolutely is the requirement you refer to. When you plug the device into the host, you will be presented with a dialog literally asking if you trust it, and warning that it will have access to private data. If and only if you tap trust at that stage will the host be able to do so.

Re:Horribly Inaccurate (4, Insightful)

gnasher719 (869701) | about 2 months ago | (#47540147)

Trusted by whom? I don't think there's any requirement that the purchaser of the device trust the "trusted" data extractor. IIUC it could become trusted before the customer ever received the device, or anytime it's in for service.

Step 1: Plug iOS device into a Mac.
Step 2: Unlock iOS device.
Step 3: Click on YES when the iOS device asks if it should trust the computer.

The critical part is Step 2, which you can only perform if you know how to unlock the device. In other words, if you know the passcode. But if you know the passcode, then you can do _anything_ with the phone. That's what the passcode is there for.

So basically, this security "expert" found a way for a thief to enter my home through the backdoor, as long as the thief has the keys for my front door.

Re:Horribly Inaccurate (1)

Fnord666 (889225) | about 2 months ago | (#47540561)

So basically, this security "expert" found a way for a thief to enter my home through the backdoor, as long as the thief has the keys for my front door.

This security "expert" [zdziarski.com] has a very solid background and street cred in the field of iOS forensics so I would not dismiss him so lightly.

Re:Horribly Inaccurate (1)

Wovel (964431) | about 2 months ago | (#47547227)

I am not sure he was really dismissing him, just clarifying what he actually did with a useful analogy. I would not dismiss the GP so easily. He may not have the same background, but he is right. Right trumps background every time....

FUD (3, Informative)

Anonymous Coward | about 2 months ago | (#47538371)

It only works with a trusted device AND the device being unlocked.

If you gave your device PIN to someone, they already have your data and don't need to do this.

Re:FUD (1)

kthreadd (1558445) | about 2 months ago | (#47539131)

It's still a problem if users don't know about it and have no way to disable it.

FUD (0)

Anonymous Coward | about 2 months ago | (#47539589)

WRONG! I have the keys and yes the iPhone/iDevice can be accessed via remote tools. HOWEVER the device does not need to be unlocked!!! You need to use the force (google) my friend.

Re:FUD (1)

Wovel (964431) | about 2 months ago | (#47547231)

Not sure why I am responding to an AC that is just clearly making crap up, but what the hell. So in summary, you just made that crap up.

Expectation of privacy (2)

markwillison (3764611) | about 2 months ago | (#47538373)

Due to the great advances in technology and the continuing reduction in cost of these technologies, what were previously "dumb" devices are now extremely sophisticated computers doing specialized tasks but they are not limited to these specialized tasks or to being used in the manner they were conceived for. As such almost all modern devices from cameras to mp3 players can be re-purposed as digital "snitches". This is often true even if the device was not designed or envisioned to do so from the beginning or had countermeasures to inhibit the use of the device in that way. Such sophisticated devices can be reprogrammed or "hacked". Just accept this as true and if you can't, do the research and enlighten yourself. So the only practical recourse is accept it and be careful if you have a good reason to believe your data is incriminating to you. Assume all devices have vulnerabilities or use paper instead and hope everyone has forgotten how to read that way.

Re:Expectation of privacy (2)

NicBenjamin (2124018) | about 2 months ago | (#47538603)

If you're doing something incriminating don't use paper either. Governments have spent literally centuries figuring out how to make a piece of paper spill its secrets.

At this point expecting the government not to be able to get its hands on your data if it really wants to is pretty damn naive. Folks who think that are like the mid-17th century folks who tried to skimp on telling the King their last names. They could make it work for the first few decades, but eventually the bureaucracy figured out the technique and it got to be really hard to tell the authorities in Lincoln you'd paid your taxes back home in Lancaster using the name Alan Smith, while telling the guys in Lancaster "Oh I took care of that in Lincoln, just ask them about Alan Jones and his taxes."

Your devices leave fingerprints everywhere. It isn't physically possible to force the wi-fi network on the Wendy's you just drove past to destroy the record it has of your cell phone trying to connect. Your phone probably left some evidence linking back to you, unless you bought a burner and you're just gonna throw the damn thing out. But a) that doesn't work very well for large groups because if everyone's always changing their number there are massive co-ordination issues ensuring everyone can still talk to everyone else, and b) since you're using your phone exactly like a drug lord does the local police need to have some record of you in their files. Even if it doesn't say anything beyond "this dude is fanatical about his privacy, so he should be a low-priority suspect when the system points out that he a) lives in the same apartment complex the known drug smuggler lives in, b) makes extensive use of burner cell phones, and c) takes a couple foreign trips a year for which he pays cash on the day of the flight;" it has to exist.

Re:Expectation of privacy (0)

Anonymous Coward | about 2 months ago | (#47540191)

It isn't physically possible to force the wi-fi network on the Wendy's you just drove past to destroy the record it has of your cell phone trying to connect. Your phone probably left some evidence linking back to you, unless you bought a burner and you're just gonna throw the damn thing out.

I don't know how it is for others, but regarding wi-fi in particular my N900 has a little app that allows me to turn the wi-fi radio off. As a default practice, I usually keep the wi-fi and bluetooth radios off when I don't have a specific need for them, as this improves my battery life.

Re:Expectation of privacy (1)

NicBenjamin (2124018) | about 2 months ago | (#47544957)

That works, when you remember to do it.

Lots of these little privacy tips are like that. They work great, as long as you specifically remember to do them even when it's 3:30 AM and you've had a few too many to drink.

Wrong. (1)

Anonymous Coward | about 2 months ago | (#47538407)

Already debunked.

Irresponsible post.

Apple's Admission? (4, Informative)

Anonymous Coward | about 2 months ago | (#47538449)

When did Apple admit to anything? They said the researcher was wrong and described the settings that he found and what they are used for! I would trust Apple over Google any day! Eric Schmidt has lied so many times along with his colleagues that the whole company isn't trustful!

http://support.apple.com/kb/HT6331

http://www.macrumors.com/2014/07/22/apple-ios-backdoors-support-document/

Nothing new here (3, Informative)

maccodemonkey (1438585) | about 2 months ago | (#47538929)

iPhones have always been able to sync data out of their secure storage to the user's computer since launch. How did people think USB sync worked? Magical leprechauns that flew out of your phone carrying the data?

Heck, one of these is the developer daemon that runs on the phone to install apps from Xcode. Again, how exactly did people think Xcode did that?

These tools all require the phone be logged in, and that the right key exchange take place.

I can't tell if the "security researcher" here is just trolling, has never actually used an iPhone, or is just stupid.

Nothing new here (0)

Anonymous Coward | about 2 months ago | (#47539615)

I agree. There is nothing new here. The only way this can be exploited in my experience is with iTunes Sync and using local (sharing)...not through a LAN. The guy is full of it....just another publicity hound.

I was however able to duplicate his process via usb though...but not over a LAN or WAN link.

So not sure how NSA/Hackers/Malware/Panic fits into this....it is all FUD!

Re:Nothing new here (0)

Anonymous Coward | about 2 months ago | (#47541997)

The claim is that the government agents could force you to unlock your phone - and therefore get all your information. And that Apple could ask you to unlock your phone - then they can get all your information.

Basically the whole thing is stupid.

The only legitimate point he has is that it's possible that if you steal the right keys from a previously trusted device, you could use those keys to login remotely to someone's phone and get their data. For example it may be possible to steal someone's laptop, and if it was a trusted device on the phone already, you could connect to the phone and download all data and track all network traffic.

Re:Nothing new here (1)

Wovel (964431) | about 2 months ago | (#47547241)

The funny thing is, even the most naive user in the world would understand that giving their pass code to the government agent or to Apple would give them access to the data on that device. Sure. Should iOS have a way to change the encryption key? Sure, why not.

Surprise! (1)

YoungManKlaus (2773165) | about 2 months ago | (#47539197)

NOT!

BlackBerry... (4, Interesting)

Rigel47 (2991727) | about 2 months ago | (#47539257)

and yet /. folk cheer on the demise of BlackBerry.. the one phone that has a near flawless security record.

and yes, full disclosure, I own a z10. I also find it to be the best smart phone I've ever owned with battery life that my android friends can only dream about.

Re:BlackBerry... (0)

Anonymous Coward | about 2 months ago | (#47540495)

The same program that's used to extract personal data from iOS and crack encryption also works for Blackberry.
Elcomsoft.

Re:BlackBerry... (0)

Anonymous Coward | about 2 months ago | (#47541273)

The same program that's used to extract personal data from iOS and crack encryption also works for Blackberry.
Elcomsoft.

Well, only the old OS software I believe. Also, the user had to not pick both encryption methods or it doesn't work.

Re:BlackBerry... (1)

phorm (591458) | about 2 months ago | (#47541199)

I own a Z10 as well. Not sure what you're raving about battery-wise. It will (barely) survive a weekend with basically no use, which is better than other phones but still not saying much.

Re:BlackBerry... (0)

Anonymous Coward | about 2 months ago | (#47541333)

and yet /. folk cheer on the demise of BlackBerry.. the one phone that has a near flawless security record.

and yes, full disclosure, I own a z10. I also find it to be the best smart phone I've ever owned with battery life that my android friends can only dream about.

I like my Z10, but I still would like better battery life. What should I expect though from a big touch screen phone (big to me). I still switch back to my curve often because I love its small size, low power consumption and of course the keyboard. Man, I hate typing on a freakin' touch screen. I previously also had a galaxy nexus, that thing pissed me off. Stupid MTP, no SD card, randomly functioning email. The Z10 camera photos look fantastic, but other than that I prefer the 9320.

Re:BlackBerry... (2)

Wovel (964431) | about 2 months ago | (#47547249)

Blackberry, the company that routinely gives access to customers' "secure" data to governments all over the world without the customer doing anything at all. Are you high? You must be high if you purchased a z10.

breaking news! (0)

Anonymous Coward | about 2 months ago | (#47539499)

What's with all the repeat articles recently?

Both this story and the verizon/netflix story have already been posted to /. in the last week.

Who's down with O.P.E? (1)

Anonymous Coward | about 2 months ago | (#47539665)

Yeah, you know me! Why trust Other People's Encryption? If you encrypt data yourself, you control who can decrypt it - unless all crypto algorithms are compromised. When Google or Apple encrypt on your behalf, you don't really know what they're doing.

Re:Who's down with O.P.E? (0)

Anonymous Coward | about 2 months ago | (#47541249)

Google uses industry standard encryption. dm-crypt for example, for encrypting /data. There is one password.

Of course, you need root to separate the dm-crypt password for /data from the screen lock... but doing this makes offline decryption of an Android device pretty hard, assuming you use a meaningful passphrase.

iOS? All magic voodoo. It boots and gives apps full access to the SSD... and stores the SSD's encryption key in one magic chip.

So, what do I trust... a Linux standard of encrypting, or a standard that uses magic ASICs?

I'll pack my own parachute. This doesn't say that Android is secure... its permission model is way behind Apple's. For example, why should a cookie cutter fleshlight app have full ability to make and receive calls and SMS, as well as contact access, with no way to turn that off, outside of XPrivacy?

You don't own any Apple device (0)

Anonymous Coward | about 2 months ago | (#47541703)

The conditions of use of Apple produced hardware don't amount to ownership. You don't control the device - Apple does. Apple being a US company, has the same contempt for the rights of individuals as the US government. Steer clear.

Shocked and appauled (0)

Anonymous Coward | about 2 months ago | (#47541987)

Who would have thought that a trusted device would have access to your data? Why that would allow you to share your data with devices! Not to mention the technical aspects that allow them to diagnose and correct problems! HOW DARE THEY.

J.Z. has been trying to 'bust through' with some 'epic' backdoor revelation for a long time. This is not it. Sadly the media have eaten it up. Seriously this is like saying that IF you unlock your truecrypt container ..... truecrypt can read ALL your data!

Re:Shocked and appauled (0)

Anonymous Coward | about 2 months ago | (#47542359)

Seems like you didn't really understand what this article is about. Go read it again.

Re:Shocked and appauled (1)

Wovel (964431) | about 2 months ago | (#47547255)

I am not sure what you mean, it is clear you are the one who did not read or comprehend either the article or the post you responded to.

Re: Shocked and appauled (0)

Anonymous Coward | about 2 months ago | (#47542889)

I, too, felt like a Paul after reading this.

Yet more corporate lies (0)

Anonymous Coward | about 2 months ago | (#47546993)

In a conference presentation this week, researcher Jonathan Zdziarski showed how the services take a surprising amount of data for what Apple now says are diagnostic services meant to help engineers.

...

Apple denied creating any “back doors” for intelligence agencies. “We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues,” Apple said. “A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data.”

These two paragraphs (three paragraphs apart) completely contradict each other. Off hand I will believe the security researcher over Apple. Everyone with any brains understands that ALL "smart" phones (both Android AND iOS) are designed from the ground up to spy on you.

Asked if Apple had used the tools to fulfill law enforcement requests, Apple did not immediately respond.

That is pretty much an admission that they are gagged by a national security letter and their lawyers are working on a response that won't really say anything.

Re:Yet more corporate lies (1)

Wovel (964431) | about 2 months ago | (#47547257)

Huh? You think the user unlocking their device with their pass code and then agreeing to trust a computer the device is physically connected to is the same as a backdoor?
