Apple Denies It Built NSA a Backdoor for 600 Million Devices
Access points 'may have been used' by NSA, researcher suggests, though the computer giant adamantly denies working 'with any government agency' while creating any product or service
After Jonathan Zdziarski, a computer security researcher, presented an academic paper last week revealing previously unknown backdoors in Apple's iOS software running on hundreds of millions of iPhone and iPad devices, Apple has gone on the defensive by publicly stating it did not wittingly create a portal for government spying and reaffirmed previous claims by saying they have "never worked with any government agency from any country to create a backdoor in any of our products or services."
Subsequently, responding to Apple's statement, Zdziarski said the computer maker may have "inadvertently" admitted that "they do indeed have back doors in iOS" even as they denied working with government agencies to create them.
In his original presentation, given last Friday at the Hackers On Planet Earth (HOPE/X) conference in New York--called Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices--Zdziarski highlighted three specific backdoor capabilities in the iOS software running on over 600 million iPads and iPhones, none of which had been known publicly before Zdziarski found them. In a blog post written the same day, Zdziarski stated his concern that "some of these services may have been used by the NSA to collect data."
Apple's response to Zdziarski's claims arrived on Monday in a statement to iMore, saying that the backdoors are "diagnostic functions" and "do not compromise user privacy and security."
After Apple's response, Zdziarski made a cogent and pointed response on his blog, noting that "these services break the promise that Apple makes with the consumer when they enter a backup password; that the data on their device will only come off the phone encrypted."
"I don't buy for a minute that these services are intended solely for diagnostics," he wrote. "The data they leak is of an extreme personal nature. There is no notification to the user. A real diagnostic tool would have been engineered to respect the user, prompt them like applications do for access to data, and respect backup encryption."
The security issues stem from the "pairing" process that occurs when a user decides a certain computer or device is trustworthy and connects their device to it. Once the trusted connection is set up, a huge amount of personal data can be accessed.
"Pairing records can be stolen a number of different ways, ranging from a shared coffee shop computer to an ex-lover whose computer you used to trust," Zdziarski explains. The only way to disable access to data via a previously-made pairing seems to be a complete erase of the device. Users are not notified of the services, are not asked to consent to them in any way, and have no ability to turn them off, even when the "Send Diagnostics to Apple" setting is disabled.
Zdziarski has made it a point to be clear that he is "not suggesting some grand conspiracy," but still believes that there are "services running in iOS that shouldn't be there, that were intentionally added by Apple as part of the firmware and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer."
As Rene Ritchie noted on iMore--given that "the NSA surveillance controversy is still fresh in many people's minds"--Zdziarski added a "don't panic" statement on his blog in order to emphasize "that he wasn't accusing Apple of working with the NSA, but does suspect that the NSA might be using the techniques he outlined to collect data."
"We know, from the Snowden leaks via Der Spiegel, that NSA has penetrated target desktop machines to later access iPhone features," Zdziarski explained. "We also know that desktop machines are often seized by law enforcement and with that pairing record data, can access the data on the device using these services - even if backup encryption is turned on."
While some have speculated that the backdoors are there to conform with America's 1994 Communications Assistance for Law Enforcement Act, Zdziarski pointed out that the level of access provided to such sensitive data "exceeds anything that law requires."