Forensic Scientist Identifies Suspicious 'Back Doors' Running On Every iOS Device

Jason D. O'Grady | ZD Net | July 21, 2014

During his talk at HOPE/X Jonathan Zdziarski detailed several undocumented services (with names like 'lockdownd,' 'pcapd,' 'mobile.file_relay,' and 'house_arrest') that run in the background on over 600 million iOS devices.

Forensic scientist and author Jonathan Zdziarski has posted the slides (PDF) from his talk at the Hackers On Planet Earth (HOPE/X) conference in New York called Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices.  The HOPE conference started in 1994 and bills itself as "one of the most creative and diverse hacker events in the world."  Zdziarski, better known as the hacker "NerveGas" in the iPhone development community, worked as dev-team member on many of the early iOS jailbreaks and is the author of five iOS-related O’Reilly books including "Hacking and Securing iOS Applications."

In December 2013, an NSA program dubbed DROPOUTJEEP was reveled by security researcher Jacob Appelbaum that reportedly gave the agency almost complete access to the iPhone.  The leaked document, dated 2008, noted that the malware required "implant via close access methods" (presumably physical access to the iPhone) but ominously noted that "a remote installation capability will be pursued for a future release."  In his talk, Zdziarski demonstrates "a number of undocumented high-value forensic services running on every iOS device" and "suspicious design omissions in iOS that make collection easier." He also provides examples of forensic artifacts acquired that "should never come off the device" without user consent.

According to one slide the iPhone is "reasonably secure" to a typical attacker and the iPhone 5 and iOS 7 are more secure from everybody except Apple and the government. But he notes that Apple has "worked hard to ensure that it can access data on end-user devices on behalf of law enforcement" and links to Apple's Law Enforcement Process Guidelines, which clearly spell this out.  Zdziarski also notes that simply screen-locking an iPhone doesn't encrypt the data; the only true way to encrypt data is to shut down/power off the iPhone. "Your device is almost always at risk of spilling all data, since it’s almost always authenticated, even while locked."...