|
 Apple
iPhones allow extraction of deep personal data, researcher finds
Send a link to a friend
[July 26, 2014]
By Joseph Menn
SAN FRANCISCO (Reuters) - Personal
data including text messages, contact lists and photos can be
extracted from iPhones through previously unpublicized techniques by
Apple Inc employees, the company acknowledged this week. |
|
 The same techniques to circumvent backup encryption could be used by
law enforcement or others with access to the "trusted" computers to
which the devices have been connected, according to the security
expert who prompted Apple's admission.
In a conference presentation this week, researcher Jonathan
Zdziarski showed how the services take a surprising amount of data
for what Apple now says are diagnostic services meant to help
engineers.
Users are not notified that the services are running and cannot
disable them, Zdziarski said. There is no way for iPhone users to
know what computers have previously been granted trusted status via
the backup process or block future connections.
“There’s no way to `unpair' except to wipe your phone,” he said in a
video demonstration he posted Friday showing what he could extract
from an unlocked phone through a trusted computer.
As word spread about Zdziarski’s initial presentation at the Hackers
on Planet Earth conference, some cited it as evidence of Apple
collaboration with the National Security Agency.
Apple denied creating any “back doors” for intelligence agencies.
“We have designed iOS so that its diagnostic functions do not
compromise user privacy and security, but still provides needed
information to enterprise IT departments, developers and Apple for
troubleshooting technical issues,” Apple said. “A user must have
unlocked their device and agreed to trust another computer before
that computer is able to access this limited diagnostic data.”
But Apple also posted its first descriptions of the tools on its own
website, and Zdziarski and others who spoke with the company said
they expected it to make at least some changes to the programs in
the future.
Zdziarski said he did not believe that the services were aimed at
spies. But he said that they extracted much more information than
was needed, with too little disclosure.
[to top of second column] |
Security industry analyst Rich Mogull said Zdziarski’s work was
overhyped but technically accurate.
“They are collecting more than they should be, and the only way to
get it is to compromise security,” said Mogull, chief executive
officer of Securosis.
Mogull also agreed with Zdziarski that since the tools exist, law
enforcement will use them in cases where the desktop computers of
targeted individuals can be confiscated, hacked or reached via their
employers.
“They’ll take advantage of every legal tool that they have and maybe
more,” Mogull said of government investigators.
Asked if Apple had used the tools to fulfill law enforcement
requests, Apple did not immediately respond.
For all the attention to the previously unknown tools and other
occasional bugs, Apple’s phones are widely considered more secure
than those using Google Inc's rival Android operating system, in
part because Google does not have the power to send software fixes
directly to those devices.
(Reporting by Joseph Menn; Editing by Lisa Shumaker)
[© 2014 Thomson Reuters. All rights
reserved.] Copyright
2014 Reuters. All rights reserved. This material may not be
published, broadcast, rewritten or redistributed.
 |
