Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
I just want to know how much these back doors allow hackers to get... Can they see every single thing I do? Who I call, text, email? The contents of those things? Can they access my banking info from my banking apps? My current and past location data? Can they change settings without my knowledge?

The government sponsered Clipper chip for encrypted voice communication in the 90s had a backdoor that was available to hackers as well as law enforcement. The Greek government discovered in 2004-2005 that their conversations were being eavesdropped via a government wiretapping capability that Ericsson built into Vodafone products.

Nobody really knows. The dangerous bad guys won't broadcast to the world that they can do so.
 
The only reason it came to light was because of Snowden's leaked documents. No leaks and we would be happily using backdoored algorithms with no way of verifying it.

Open source provides no guarantees of trust. Closed source provides a guarantee of distrust. It's a choice between "Nobody has found a backdoor yet" and "Nobody can even audit the code to look for a backdooor and the company would be compelled to lie if there is one". It's pretty obvious which is more trustworthy.

The NSA leak reveals flaws in BOTH closed source and open source software. It doesn't say anything about one being better than the other.

A well maintained closed source or open source software should/will be better than a badly maintained one.

----------

yawn. Im not scared dude :D I guess by your educative reasoning every news gatherer/reporter is scared :roll eyes: haha ;)

That's great ! We are both brave souls.

Not every news gatherer is scared by the same reasoning. Not all of them will come up with random conspiracy theories to scare themselves. Sometimes, things happen for the better because people want to do better.

ps... tell your mum she can be tracked by wifi.

Not in any way worse than everyone else. In iOS8, she is even less trackable. Then again, I suspect she'd still turn Wifi off when not in used.
 
While detailing these backdoors, Zdziarski makes it clear he is not a conspiracy theorist,

I thought that was our duty as citizens.

Has Apple fixed the FileVault error yet where FileVault accidentally forgets to forget an encryption password unless the media is physically removed? (Remount of an encrypted drive without a saved keychain password is allowed without a password if not disconnected.)

Apple has given me replies to bug reports that they do not discuss security issues.

These stories make my tin foil hat start to heat up.
 
This story just cost you an iPhone 6 sale Apple.

I've had a gut full.

Now is anyone else making a truly secure handset that's fully encrypted with no backdoors? How about an OS too?
 
This guy just wants his 5 minutes in the limelight, show someone being able to access the backdoor thats when I get angry.
 
  • Like
Reactions: powers74
Does Edward Snowden have proof of this?

He's not the only one that's come forward with that information. The NSA has a history of it.

ABC News said:
Faulk says he and others in his section of the NSA facility at Fort Gordon routinely shared salacious or tantalizing phone calls that had been intercepted, alerting office mates to certain time codes of "cuts" that were available on each operator's computer.

"Hey, check this out," Faulk says he would be told, "there's good phone sex or there's some pillow talk, pull up this call, it's really funny, go check it out. It would be some colonel making pillow talk and we would say, 'Wow, this was crazy'," Faulk told ABC News.

Faulk said he joined in to listen, and talk about it during breaks in Back Hall's "smoke pit," but ended up feeling badly about his actions.

Source:http://abcnews.go.com/Blotter/exclusive-inside-account-us-eavesdropping-americans/story?id=5987804
 
Last edited:
The government sponsered Clipper chip for encrypted voice communication in the 90s had a backdoor that was available to hackers as well as law enforcement. The Greek government discovered in 2004-2005 that their conversations were being eavesdropped via a government wiretapping capability that Ericsson built into Vodafone products.

Nobody really knows. The dangerous bad guys won't broadcast to the world that they can do so.

Yeah, I think its safe to assume that with the right knowledge a capable person could access anything and everything you do or say using a computer (be it a PC, Mac, Cell phone, tablet, or just about anything connected to the internet). It is probably good to practice using these devices knowing that there is a good chance someone is watching, that way you never do anything you may regret.
 
I googled around. com.apple.mobile.file_relay is just a service to sync your data to iTunes, and other connected device. You can google it yourself too.

Of course this has to happen above the backup layer. Otherwise how would iTunes understand the data it synced ? >_<

At this point, I think the presenter is full of *****.

And pcapd is "Packet CAPture", a tool available on Linux and Windows and Mac. Install Wireshark, and you have it on your PC. Who even says that pcapd is actively doing anything all the time. Just because a packet capture utility is available, doesn't mean it's being used all the time. Where would all this information be stored?

There used to be WiFi discovery apps available until Apple banned them; I'm pretty sure they used a pcapd-type service to do their bidding.
 
Not in any way worse than everyone else. In iOS8, she is even less trackable. Then again, I suspect she'd still turn Wifi off when not in used.

Less trackable more hackable :p

----------

This story just cost you an iPhone 6 sale Apple.

I've had a gut full.

Now is anyone else making a truly secure handset that's fully encrypted with no backdoors? How about an OS too?

https://www.blackphone.ch
 
I don't understand why people get so worked up about this sort of thing.

Those backdoors are there for your protection. They are put there for the exclusive use of the governments who we democratically elected. i.e.: the good guys.

We should all stop being so suspicious, and learn to fully trust the NSA and GCHQ. These guys are serious, trained professionals - not spotty nerds who are out to steal credit card numbers or pictures of your girlfriend!

As long as these backdoors are secure (and surely they are!), then we have nothing to fear.

I surely missed the joke
 
We've been happily exploiting the iPhone since iOS for forensic analysis. We pull everything. The Keychain, text messages (including every message you've ever deleted), email, locations you've been, phone logs, pictures, contacts, and all the fun data that apps collect.

Back in 2008, we sat down with Apple's iOS Security team along with the guys we work with in Apple's government sales. We simply told them, we're going to exploit your devices. We can do it with your blessing or without. They basically told us that iOS is totally secure and to **** off.

Since then we've sold our product to hundreds of government agencies across the world. It's a great tool for gathering the info needed to put bad guys away but also shows that the masses shouldn't think that iOS is secure just because Apple tells them it is (we do the same on Android which is even less secure).
 
This is mentioned in the article too, but it sounds like a shotgun solution, and it still won't prevent someone with physical access from stealing the data. A Cydia tweak might be able to close the hole without any side effects by deleting the services or something.

It actually seems like a easy way to restrict access to the device without damaging anything else (at least it doesn't look like it will). I think this would only be a "shotgun solution" if you plan to have your device paired with more than one computer (note that it is a reversible change provided you have access to that computer). I just need to make sure that I can easily restore my jailbreak before I give it a try.

There is apparently a Cydia tweak called "PairLock" that already does this, but I haven't tested it. I'm also not entirely sure how it manages pairings or how well it patches the hole, but it might be worth looking into.

Edit: Somehow I missed it, but it looks like Zdziarski himself actually wrote the tweak.

Edit 2: It looks like you can't use Apple Configurator with a jailbroken device as it erases and reinstalls iOS (you cannot restore from non-supervised devices).
 
Last edited:
Wow, great report by this guy. I definitely want to see serious answers from Apple on this - my guess is, this is for real, based on what we've learned over the last year, and the govt. has "encouraged" it. This is terribly disappointing to learn, if its real and I have every expectation that it probably is.

While I figured the NSA/govt. could get into iOS devices on a targeted basis, I didn't think Apple would have the skirt spread wide open for them by default. I know Google was considered a very good partner with the NSA (quite different than their post Snowden reveal public stance) - so I'm quite sure Android is wide open as well. Microsoft redesigned Skype to provide NSA access (video, audio, messaging) as well as pre encryption access to Outlook.com/Hotmail.com so I'm sure WP is absolutely wide open to the NSA etc.. (Can't imagine how happy the NSA was with the Xbox One, camera by default - and originally required for operation - with always on audio input...)

Doesn't leave much for smartphone choices. I detest having my privacy violated in such a way. The only phone platform designed from the getgo with security in mind is BlackBerry (a Canadian company, not a U.S. company like Apple, Google and Microsoft) - which (at the time of the Snowden docs) required effort on the NSA's part to access (apparently different compared to iOS, Android and WP).

I'm seriously considering going to Blackberry with its monthly BES service for the family, just to encrypt everything intra-family and giving the govt. the finger for non-targeted/casual scraping of my messages, data, and family photo's that we've found out they're grabbing.
 
Last edited:
I didnt read this thread because its too damn long, but what kind of "backdoor service" are we talking about? :)
 
Nah... the presentation is misleading because it only presents a partial view of the iOS security. It is much more secure than Android. Look at the number of malware and botnets on Android today.

Trying to grasp what has to do malware with the operating system being more or less secure at the level presented on the article
 
We've been happily exploiting the iPhone since iOS for forensic analysis. We pull everything. The Keychain, text messages (including every message you've ever deleted), email, locations you've been, phone logs, pictures, contacts, and all the fun data that apps collect.

Back in 2008, we sat down with Apple's iOS Security team along with the guys we work with in Apple's government sales. We simply told them, we're going to exploit your devices. We can do it with your blessing or without. They basically told us that iOS is totally secure and to **** off.

Since then we've sold our product to hundreds of government agencies across the world. It's a great tool for gathering the info needed to put bad guys away but also shows that the masses shouldn't think that iOS is secure just because Apple tells them it is (we do the same on Android which is even less secure).

Do you work on FinFisher by any chance? Or one of the similar offerings?
 
If you're capable, go for it! But ....

it strikes me as VERY odd that we don't seem to have a *single* security/encryption product we can use for a home computer today that isn't subject to question/doubt about its effectiveness.

I mean, TrueCrypt appeared to be about the closest thing to it, and then we found out the developer(s) mysteriously dropped all official support for updating it -- and the latest revisions are all suspect as to who updated them and what security compromises might be in them.

Practically all of the other encryption/security products are believed to be back-doored by our government, if not other entities.

I have to think that reality is, if you build a truly secure solution, you'll receive a visit, eventually, from people in "high places" who will make it very clear that you best add a back door for them, or else.....


If this is true, then this sucks, but what can we honestly do about it? Switch to Android? Oh sure, I bet Android is so much more secure. Yeah right. I'm starting to think it's time to make another revolution. I've got a garage, a background in design, and I'm an a**hole who is bold enough to think that I can change the world. Any hardware engineers and software developers care to join me? Nothing will change until we make it happen. If Apple turns into the new IBM then we're all screwed. It's far better to be proactive than to sit around and hope that things get better. That's what Steve did, and I'll be damned if I'll sit around while his vision gets bastardized.
 
Remember this?

https://www.youtube.com/watch?v=8rwsuXHA7RA


You are just one of the crazy ones who can change the world.

I could only hope to someday be considered alongside those great men and women. But the thing about changing the world is it's hard. Really hard. There are sacrifices—especially involving family—that I'm not sure I'm able to make. When I look at my baby daughter, however, I consider the ramifications of not taking action. Which is worse? Putting a mark on my family, our risking future liberty? Given the growing stance of governments worldwide against privacy and freedom, a lot of people should be asking themselves that very question. Take what you do best, and use it to create a better tomorrow. That is the goal.
 
  • Love
Reactions: powers74
If the information from this article is true, it's actually quite scary.
It's like selling a TV with a built-in, hidden webcam that can peer into your private life without you knowing it.

BTW, this was the Xbox One - it originally came with always on audio input (listening) and a Camera that was originally required to be connected for the machine to operate (and after its release we found out Microsoft was doing alot of stuff for the NSA - rewrote Skype after purchase and provided designed in NSA access for video, audio and messaging, pre-encryption access to Outlook.com and Hotmail.com for the NSA and was commended as a "enthusiastic" partner in one of the Snowden documents by the NSA itself, Google was highlighted as a partner as well). To think the Xbox One wasn't designed with NSA access in mind after what we learned Microsoft was doing with its other products...

it strikes me as VERY odd that we don't seem to have a *single* security/encryption product we can use for a home computer today that isn't subject to question/doubt about its effectiveness.

I mean, TrueCrypt appeared to be about the closest thing to it, and then we found out the developer(s) mysteriously dropped all official support for updating it -- and the latest revisions are all suspect as to who updated them and what security compromises might be in them.

Practically all of the other encryption/security products are believed to be back-doored by our government, if not other entities.

I have to think that reality is, if you build a truly secure solution, you'll receive a visit, eventually, from people in "high places" who will make it very clear that you best add a back door for them, or else.....

You can still find copies of TrueCrypt with the appropriate file hash sizes so you can make sure they haven't been tampered with...but your right - most things are provided by U.S. businesses and we can be quite sure the NSA and Co. have compromised all of them.

I saw where one security focused software firm moved to switzerland - just because no U.S. based firm could be trusted - because the govt. here couldn't be trusted (based on what we've found out).

The 2nd part (encryption code part) of TrueCrypt's security audit is going on this summer and it'll be interesting to see the result. If it passes then the prior version of TrueCrypt will still be fine - and since its open sourced, the fork's open source updates will get looked over very carefully for any suspicious code.

We need a new secure e-mail standard and smart phone OS's need to be redesigned with privacy as a primary design goal (whether that could be trusted from a U.S. vendor based on what we know of recent U.S. government behavior is a very good question - probably only by completely open sourcing the OS and auditing it).
 
Last edited:
I leafed through the PDF version of the presentation Zdziarski created.

Am I reading this right that these services concern physical access or Wi-fi access to the device?

And not cellular / mobile data access?

I make the assumption that if someone else has physical access to my device, the game's pretty much over.
 
I leafed through the PDF version of the presentation Zdziarski created.

Am I reading this right that these services concern physical access or Wi-fi access to the device?

And not cellular / mobile data access?

I make the assumption that if someone else has physical access to my device, the game's pretty much over.

Can you provide a link? I've been trying to find the video and any documentation on it but I've come up short.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.