When you connect your iPhone or iPad to iTunes on Mac or Windows, and choose to trust that computer, a pairing record is created that maintains that trust for future connections. There's a report going around that claims that if someone takes physical possession of your device and your computer, they can steal those pairing records and use them to retrieve your personal information and/or enable remote logging. If they don't have your computer, it's also claimed they can try and generate a pairing record by tricking you into connecting to a compromised accessory (juice jacking), like a dock, and/or by using mobile device management (MDM) tools intended for enterprise to get around safeguards like Apple's Trusted Device requestor. So, how can you protect yourself?
Important note: Security is at perpetual odds with convenience. This process will make your iPhone and iPad more secure but less convenient. It should only be used if a) even the potential for a privacy breach is untenable for you, and b) you really, absolutely can function without connecting your iPhone or iPad to other devices.
If someone has physical access to your devices, there are all sorts of things that can be done depending on their skill level, resources, and the value of your data to them. The information here is not meant to make anyone stressed or paranoid, simply to provide a specific option for a specific vulnerability in a vacuum.
Apple Configurator is a free tool from Apple meant to help schools, businesses, and institutions set up and manage large numbers of iPhones and iPads. With it, you can prevent your device from pairing with other computers or accessories, which prevents it from generating pairing records, which in turn prevents those records from being used to access your iPhone or iPad without your consent.
- Apple Configurator app, available for free from Apple on the Mac App Store.
How to use the Apple Configurator to secure your iPhone or iPad against unauthorized pairing
- Launch Apple Configurator
- Click on Prepare at the top
- Name the settings anything you like (e.g. Supervised Device)
- Click on Supervision to toggle it to on.
- Uncheck the box next to Allow devices to connect to other Macs
- Click on the + sign at the bottom
- Select Create New Profile from the popup
- Name the new profile anything you like (e.g. Pairing Profile)
- Click on Restrictions
- Click on Configure
- Scroll down to Allow pairing with non-Configurator hosts and uncheck its box.
- Click Save
- Check the box next to the new profile
- Click Prepare at the bottom
- Fill in the information you want displayed in the profile. (It doesn't have to be accurate, you can use 555-555-5555 for a phone number if you want to.)
- Click Apply
- Connect your iPhone, iPod touch, and/or iPad to apply the new settings
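To confirm that the profile built in the steps above actually carries the pairing restriction, this added example (not part of the original article or of Apple's tooling) parses a profile exported as a `.mobileconfig` file and checks its Restrictions payload for the `allowHostPairing` key. Exporting the profile to a file, the sample profile and the function names are assumptions made for illustration.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # payload type of the Restrictions section

# Constructed sample: a minimal unsigned profile with host pairing disabled.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Pairing Profile",
    "PayloadContent": [
        {"PayloadType": RESTRICTIONS_TYPE, "allowHostPairing": False},
    ],
})


def load_profile(raw: bytes) -> dict:
    """Parse a .mobileconfig; a signed profile wraps the XML plist in a CMS envelope."""
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML property list found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def host_pairing_blocked(raw: bytes) -> bool:
    """True only if a Restrictions payload explicitly sets allowHostPairing to false."""
    profile = load_profile(raw)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        # A missing key means the default applies, and the default allows pairing.
        if payload.get("allowHostPairing", True) is False:
            return True
    return False


if __name__ == "__main__":
    print("pairing blocked:", host_pairing_blocked(SAMPLE_PROFILE))
```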
Additional security and privacy precautions
It should be noted that all the Apple Configurator does is prevent new pairing records from being generated. It does not delete existing records, nor does it protect against other types of hacking.
Apple doesn't currently provide a front end for deleting old or existing pairing records, either on OS X or iOS, which means you'll need to manually search for and try to remove them on your own (/var/db/lockdown or ~/Library/Lockdown on Mac or C:\Program Data\Apple\iTunes\Lockdown on Windows).
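As an added example (not from the original article or from Apple), this script inventories the pairing records in a Lockdown directory so that old ones can be reviewed before removal. It assumes records are stored as `<device UDID>.plist` files containing fields such as `HostID`, `HostPrivateKey`, `RootPrivateKey` and `EscrowBag`; the function names and the sample record are constructed for illustration.

```python
import plistlib
import sys
import time
from pathlib import Path
from xml.parsers.expat import ExpatError

SECRET_KEYS = ("HostPrivateKey", "RootPrivateKey", "EscrowBag")


def inventory(directory, now=None):
    """Summarise pairing records (<device UDID>.plist) without revealing key material."""
    now = time.time() if now is None else now
    rows = []
    for path in sorted(Path(directory).glob("*.plist")):
        if path.name == "SystemConfiguration.plist":
            continue  # the host's own identity, not a device pairing
        row = {"udid": path.stem, "file": str(path)}
        try:
            row["age_days"] = int((now - path.stat().st_mtime) // 86400)
            with path.open("rb") as fh:
                record = plistlib.load(fh)
            row["host_id"] = record.get("HostID", "")
            # Report only which secrets are present, never their contents.
            row["secrets"] = [k for k in SECRET_KEYS if k in record]
        except (OSError, ValueError, ExpatError, AttributeError) as exc:
            row["error"] = type(exc).__name__  # unreadable, corrupt or not a dictionary
        rows.append(row)
    return rows


def write_sample(directory):
    """Constructed pairing record with dummy values, for trying the script offline."""
    record = {"HostID": "CONSTRUCTED-HOST-ID", "SystemBUID": "CONSTRUCTED-BUID",
              "HostPrivateKey": b"dummy", "EscrowBag": b"dummy"}
    path = Path(directory) / "0000constructed0000udid.plist"
    with path.open("wb") as fh:
        plistlib.dump(record, fh)
    return path


if __name__ == "__main__":
    # Pass the Lockdown directories to audit; reading them usually needs admin rights.
    for folder in sys.argv[1:]:
        for row in inventory(folder):
            print(row)
```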
Someone else having physical access to your device or devices is in and of itself a massive security problem. However, there are some things you can do to make it more difficult or time consuming for someone with your device to try and get to your data, including using a long, strong alphanumeric password instead of a passcode or Touch ID, and turning off Lock screen access for Control Center, Notification Center, Siri, Passbook, etc. To prevent other types of remote access, you can enable two-step verification on your accounts and use unique passwords in conjunction with a password manager.
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.
This is good advice, but this "bug" is just another backdoor that Apple provided to the NSA.
That's certainly an opinion you can choose to argue, but it can't be stated as a fact. To quote Zdziarski on Twitter (https://twitter.com/JZdziarski/status/490550444721045506)
Just to clarify, I never said these interfaces existed for NSA. Just that NSA has likely used them, and there's no reason for some to exist.
So, why do they exist then? And how did the NSA find out about them before anybody else?
Why do they exist is an excellent question. The second part is still supposition and assumption. Zdziarski doesn't say this is what the NSA used, he says this matches what they seem to be using. Also, do we know they found out about them first? It seems to say in the journal article that this stuff is found, used, but not reported. Zdziarski is the first to report on it. How many have been using it and for how long is another question that needs answering. (Assuming the information is correct, there are forensic tools using exploits like this, that have been sold to law enforcement for a while now. Those vendors are likely inclined not to share their information with the public, sadly.) Another assumption is that the NSA has the resources to find and make use of these things faster than most.
Well at the very least, it shows Apple has not been very forthcoming when it comes to security and privacy. Some of these discoveries are downright frightening (a packet sniffer on every iOS device, encryption only when the device is turned off? yuck). I wouldn't mind seeing a similar investigation for Android, Microsoft and Blackberry devices. It would be curious to see how they all compare when it comes to security backdoors.
I will be very curious to see if these now-known vulnerabilities will be patched from day1 official release of ios8. If they are not, then to me, it would seem that it might be the best "proof" that Apple is complicit or compelled to leave them in.
Hi Rene. Thanks for this useful tutorial. I wanted to let you know that when I followed it just now, Configurator complained that it could not prepare my iPhone because I had the "Find my iPhone" feature enabled on my phone. I switched the feature off, am continuing the preparation and will then switch the "Find my iPhone" option back on afterward. I only pair my iphone with my one mac and I use iCloud for the "Find my iPhone" feature only (not for any personal data). Thanks again.
One downside that I wasn't aware of...this wiped out my iPhone completely (installed the OS again despite it being up-to-date and removed all apps/data/settings etc.). I'm doing my first "restore from itunes" now and hoping that it works. I'm trying to reverse everything because I was worried that the iphone being wiped clean might mean that I can't pair with my mac (the only device I want to be able to pair with) since that would have been the only way to get everything back. I think I'll skip on the security for now...and forget I ever heard of Configurator.
There no longer seems to be a Mac ~/Library/Lockdown on newer macOS (like Sierra). How would one unpair a phone (rather than prevent the phone from being paired at all with the Configuration tool)?