On July 18, Jonathan Zdziarski, a former iOS jailbreaker and current iOS forensic scientist and law enforcement consultant, gave a talk at the HOPE X conference in New York City. Zdziarski's talk was on backdoors, attack points and surveillance mechanisms in iOS. In the talk he alleged that there are a number of ways for government agencies, including law enforcement, to get at the personal data you store on your iPhone, iPod touch, and/or iPad. Zdziarski posted slides from the talk, based on an earlier journal publication, on his website a couple of days ago. They've since been shared via other websites and social networks, and a lot of confusion and concern has arisen.
When reached for comment, Apple reiterated to iMore that it has never worked with any government agency to create a backdoor in any product or service:
"We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues," Apple told iMore. "A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent."
"As we have said before, Apple has never worked with any government agency from any country to create a backdoor in any of our products or services."
So, what's going on here?
When you connect your iPhone or iPad to iTunes on Mac or Windows — and choose to trust that computer — a pairing record is created that maintains that trust for future connections. Zdziarski claimed that if someone takes physical possession of that computer, they can steal those pairing records, connect to your device, and retrieve your personal information and/or enable remote logging. If they don't have your computer, Zdziarski claimed they can try and generate a pairing record by tricking you into connecting to a compromised accessory, like a dock (juice jacking), and/or by using mobile device management (MDM) tools intended for enterprise to get around safeguards like Apple's Trusted Device requestor.
Because the NSA surveillance controversy is still fresh in many people's minds, Zdziarski added a "don't panic" statement on his blog, emphasizing that he wasn't accusing Apple of working with the NSA, but did suspect that the NSA might be using the techniques he outlined to collect data.
Zdziarski also praised iOS 7 security, saying that Apple has hardened its devices against typical attacks, including making changes that have shut down a "number of privately used spyware apps." However, he'd like to see them strengthen it further with asymmetric encryption of incoming messages and media, the file system equivalent to "session keys," a boot password, and a backup password.
Apple is rolling out new security and privacy protections as part of its upcoming iOS 8 software update, scheduled for release this fall. These improved features include MAC address randomization to prevent stores from tracking you as you walk around to shop, "while-in-use" rather than "always-on" location permissions to prevent apps from tracking you when they don't need to, better privacy controls for your contacts, always-on VPN to secure your connections, and more.
Bottom line, security is constant vigilance, and companies are only ever as good as the speed and efficacy of their last patch. Following Zdziarski's presentation, there'll be a lot more attention paid to just these kinds of data leaks, and that's good for all of us. Until then, if you're concerned about privacy and security, Apple provides several tools and features you can use to further lock down your iPhone, iPod touch, and/or iPad:
- How to prevent unauthorized pairing with your iPhone or iPad using Apple Configurator
- 5 ways to increase security and privacy on iPhone and iPad