A well-known iPhone hacker and app developer has found a range of undocumented functions in Apple's iOS mobile operating system that make it possible to grab data off devices wirelessly or via USB connections, without entering passwords or personal identification numbers.
Jonathan "NerveGas" Zdziarski spoke at the Hackers on Planet Earth (HOPE X) conference over the weekend, presenting his research on the functions, saying most appeared to have no other purpose than providing access to user data on devices.
Others are aimed at enterprise mobile device management tools, but can be subverted and used for unauthorised data access.
Commercial forensic tools are able to take advantage of the undocumented iOS functions to access much of the data devices hold, including bypassing encrypted backups, Zdziarski said.
Beyond data access, iOS also contains a libpcap packet sniffing service that can be targeted via wi-fi for remote start-up and monitoring, without any indication to users that it is running, he said.
Testing with Twitter, Zdziarski found he was able to use the undocumented functions to retrieve information such as the private messages database. This included several deleted messages.
OAuth tokens for authentication were also retrievable, and Zdziarski said that combined with consumer key and secret, these can be used to remotely spy on all future correspondence.
Zdziarski said the backdoors and services are low-level operating system components that have been around for years.
Based on former National Security Agency (NSA) contractor Edward Snowden's leaked documents, Zdziarski concluded that the spy agency's DROPOUTJEEP set of techniques for accessing iOS data matched Apple's undocumented features.
He claimed Apple was not only "well aware of these components" but was also updating and supporting them - for unknown reasons.
"I have emailed both Tim Cook and Steve Jobs at various times to ask for an explanation about these services, citing them as “back doors”, and have received no reply," he claimed.
While Apple is able to retrieve user data for law enforcement from iOS devices, it will only do so under a strict process that includes receiving a valid search warrant.
Apple also charges authorities US$1000 per information extraction attempt, Zdziarski said.
The data that can be provided to law enforcement includes SMS texts, photos, videos, audio recordings, and the call history of the phone, Zdziarski noted. Email messages, calendar entries and third-party app data can't be handed over by Apple.
Zdziarski emphasised that the features have evolved over the past years and what he uncovered does not amount to a zero-day exploit or a widespread security emergency.
"I have not accused Apple of working with NSA, however I suspect (based on released documents) that some of these services may have been used by the NSA to collect data on potential targets," Zdziarski wrote.
Zdziarski also said that while Apple can access data on devices on behalf of law enforcement, the iPhone 5 running iOS7 is more secure against attack than competing devices and operating systems - with the exception of Apple and the United States government.
With over 600 million iOS users in the world, Zdziarski was nevertheless critical of "Apple dishing out a lot of data behind our backs" which he said is a violation of consumers' trust and privacy.
Furthermore, Zdziarski said Apple had compromised the security of iOS with the undocumented functions, adding "tasty attack points" for governments and criminals.
"I want these services off my phone. They don't belong there," he said.
