Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Forensic Expert Questions Covert 'Backdoor' Services Included in iOS by Apple
- Thread starter MacRumors
- Start date
- Sort by reaction score
The government sponsered Clipper chip for encrypted voice communication in the 90s had a backdoor that was available to hackers as well as law enforcement. The Greek government discovered in 2004-2005 that their conversations were being eavesdropped via a government wiretapping capability that Ericsson built into Vodafone products.
Nobody really knows. The dangerous bad guys won't broadcast to the world that they can do so.
The NSA leak reveals flaws in BOTH closed source and open source software. It doesn't say anything about one being better than the other.
A well maintained closed source or open source software should/will be better than a badly maintained one.
----------
yawn. Im not scared dudeI guess by your educative reasoning every news gatherer/reporter is scared :roll eyes: haha
That's great ! We are both brave souls.
Not every news gatherer is scared by the same reasoning. Not all of them will come up with random conspiracy theories to scare themselves. Sometimes, things happen for the better because people want to do better.
Not in any way worse than everyone else. In iOS8, she is even less trackable. Then again, I suspect she'd still turn Wifi off when not in used.
I thought that was our duty as citizens.
Has Apple fixed the FileVault error yet where FileVault accidentally forgets to forget an encryption password unless the media is physically removed? (Remount of an encrypted drive without a saved keychain password is allowed without a password if not disconnected.)
Apple has given me replies to bug reports that they do not discuss security issues.
These stories make my tin foil hat start to heat up.
He's not the only one that's come forward with that information. The NSA has a history of it.
ABC News said:
Last edited:
Yeah, I think its safe to assume that with the right knowledge a capable person could access anything and everything you do or say using a computer (be it a PC, Mac, Cell phone, tablet, or just about anything connected to the internet). It is probably good to practice using these devices knowing that there is a good chance someone is watching, that way you never do anything you may regret.
And pcapd is "Packet CAPture", a tool available on Linux and Windows and Mac. Install Wireshark, and you have it on your PC. Who even says that pcapd is actively doing anything all the time. Just because a packet capture utility is available, doesn't mean it's being used all the time. Where would all this information be stored?
There used to be WiFi discovery apps available until Apple banned them; I'm pretty sure they used a pcapd-type service to do their bidding.
We've been happily exploiting the iPhone since iOS for forensic analysis. We pull everything. The Keychain, text messages (including every message you've ever deleted), email, locations you've been, phone logs, pictures, contacts, and all the fun data that apps collect.
Back in 2008, we sat down with Apple's iOS Security team along with the guys we work with in Apple's government sales. We simply told them, we're going to exploit your devices. We can do it with your blessing or without. They basically told us that iOS is totally secure and to **** off.
Since then we've sold our product to hundreds of government agencies across the world. It's a great tool for gathering the info needed to put bad guys away but also shows that the masses shouldn't think that iOS is secure just because Apple tells them it is (we do the same on Android which is even less secure).
Back in 2008, we sat down with Apple's iOS Security team along with the guys we work with in Apple's government sales. We simply told them, we're going to exploit your devices. We can do it with your blessing or without. They basically told us that iOS is totally secure and to **** off.
Since then we've sold our product to hundreds of government agencies across the world. It's a great tool for gathering the info needed to put bad guys away but also shows that the masses shouldn't think that iOS is secure just because Apple tells them it is (we do the same on Android which is even less secure).
It actually seems like a easy way to restrict access to the device without damaging anything else (at least it doesn't look like it will). I think this would only be a "shotgun solution" if you plan to have your device paired with more than one computer (note that it is a reversible change provided you have access to that computer). I just need to make sure that I can easily restore my jailbreak before I give it a try.
There is apparently a Cydia tweak called "PairLock" that already does this, but I haven't tested it. I'm also not entirely sure how it manages pairings or how well it patches the hole, but it might be worth looking into.
Edit: Somehow I missed it, but it looks like Zdziarski himself actually wrote the tweak.
Edit 2: It looks like you can't use Apple Configurator with a jailbroken device as it erases and reinstalls iOS (you cannot restore from non-supervised devices).
Last edited:
Wow, great report by this guy. I definitely want to see serious answers from Apple on this - my guess is, this is for real, based on what we've learned over the last year, and the govt. has "encouraged" it. This is terribly disappointing to learn, if its real and I have every expectation that it probably is.
While I figured the NSA/govt. could get into iOS devices on a targeted basis, I didn't think Apple would have the skirt spread wide open for them by default. I know Google was considered a very good partner with the NSA (quite different than their post Snowden reveal public stance) - so I'm quite sure Android is wide open as well. Microsoft redesigned Skype to provide NSA access (video, audio, messaging) as well as pre encryption access to Outlook.com/Hotmail.com so I'm sure WP is absolutely wide open to the NSA etc.. (Can't imagine how happy the NSA was with the Xbox One, camera by default - and originally required for operation - with always on audio input...)
Doesn't leave much for smartphone choices. I detest having my privacy violated in such a way. The only phone platform designed from the getgo with security in mind is BlackBerry (a Canadian company, not a U.S. company like Apple, Google and Microsoft) - which (at the time of the Snowden docs) required effort on the NSA's part to access (apparently different compared to iOS, Android and WP).
I'm seriously considering going to Blackberry with its monthly BES service for the family, just to encrypt everything intra-family and giving the govt. the finger for non-targeted/casual scraping of my messages, data, and family photo's that we've found out they're grabbing.
While I figured the NSA/govt. could get into iOS devices on a targeted basis, I didn't think Apple would have the skirt spread wide open for them by default. I know Google was considered a very good partner with the NSA (quite different than their post Snowden reveal public stance) - so I'm quite sure Android is wide open as well. Microsoft redesigned Skype to provide NSA access (video, audio, messaging) as well as pre encryption access to Outlook.com/Hotmail.com so I'm sure WP is absolutely wide open to the NSA etc.. (Can't imagine how happy the NSA was with the Xbox One, camera by default - and originally required for operation - with always on audio input...)
Doesn't leave much for smartphone choices. I detest having my privacy violated in such a way. The only phone platform designed from the getgo with security in mind is BlackBerry (a Canadian company, not a U.S. company like Apple, Google and Microsoft) - which (at the time of the Snowden docs) required effort on the NSA's part to access (apparently different compared to iOS, Android and WP).
I'm seriously considering going to Blackberry with its monthly BES service for the family, just to encrypt everything intra-family and giving the govt. the finger for non-targeted/casual scraping of my messages, data, and family photo's that we've found out they're grabbing.
Last edited:
Trying to grasp what has to do malware with the operating system being more or less secure at the level presented on the article
If you're capable, go for it! But ....
it strikes me as VERY odd that we don't seem to have a *single* security/encryption product we can use for a home computer today that isn't subject to question/doubt about its effectiveness.
I mean, TrueCrypt appeared to be about the closest thing to it, and then we found out the developer(s) mysteriously dropped all official support for updating it -- and the latest revisions are all suspect as to who updated them and what security compromises might be in them.
Practically all of the other encryption/security products are believed to be back-doored by our government, if not other entities.
I have to think that reality is, if you build a truly secure solution, you'll receive a visit, eventually, from people in "high places" who will make it very clear that you best add a back door for them, or else.....
it strikes me as VERY odd that we don't seem to have a *single* security/encryption product we can use for a home computer today that isn't subject to question/doubt about its effectiveness.
I mean, TrueCrypt appeared to be about the closest thing to it, and then we found out the developer(s) mysteriously dropped all official support for updating it -- and the latest revisions are all suspect as to who updated them and what security compromises might be in them.
Practically all of the other encryption/security products are believed to be back-doored by our government, if not other entities.
I have to think that reality is, if you build a truly secure solution, you'll receive a visit, eventually, from people in "high places" who will make it very clear that you best add a back door for them, or else.....
I could only hope to someday be considered alongside those great men and women. But the thing about changing the world is it's hard. Really hard. There are sacrificesespecially involving familythat I'm not sure I'm able to make. When I look at my baby daughter, however, I consider the ramifications of not taking action. Which is worse? Putting a mark on my family, our risking future liberty? Given the growing stance of governments worldwide against privacy and freedom, a lot of people should be asking themselves that very question. Take what you do best, and use it to create a better tomorrow. That is the goal.
BTW, this was the Xbox One - it originally came with always on audio input (listening) and a Camera that was originally required to be connected for the machine to operate (and after its release we found out Microsoft was doing alot of stuff for the NSA - rewrote Skype after purchase and provided designed in NSA access for video, audio and messaging, pre-encryption access to Outlook.com and Hotmail.com for the NSA and was commended as a "enthusiastic" partner in one of the Snowden documents by the NSA itself, Google was highlighted as a partner as well). To think the Xbox One wasn't designed with NSA access in mind after what we learned Microsoft was doing with its other products...
You can still find copies of TrueCrypt with the appropriate file hash sizes so you can make sure they haven't been tampered with...but your right - most things are provided by U.S. businesses and we can be quite sure the NSA and Co. have compromised all of them.
I saw where one security focused software firm moved to switzerland - just because no U.S. based firm could be trusted - because the govt. here couldn't be trusted (based on what we've found out).
The 2nd part (encryption code part) of TrueCrypt's security audit is going on this summer and it'll be interesting to see the result. If it passes then the prior version of TrueCrypt will still be fine - and since its open sourced, the fork's open source updates will get looked over very carefully for any suspicious code.
We need a new secure e-mail standard and smart phone OS's need to be redesigned with privacy as a primary design goal (whether that could be trusted from a U.S. vendor based on what we know of recent U.S. government behavior is a very good question - probably only by completely open sourcing the OS and auditing it).
Last edited:
I leafed through the PDF version of the presentation Zdziarski created.
Am I reading this right that these services concern physical access or Wi-fi access to the device?
And not cellular / mobile data access?
I make the assumption that if someone else has physical access to my device, the game's pretty much over.
Am I reading this right that these services concern physical access or Wi-fi access to the device?
And not cellular / mobile data access?
I make the assumption that if someone else has physical access to my device, the game's pretty much over.
Can you provide a link? I've been trying to find the video and any documentation on it but I've come up short.