(Image: Mashable composite. Getty Creative, neyro2008)
After Jonathan Zdziarski, a computer security researcher, presented an academic paper last week revealing previously unknown backdoors in Apple's iOS software running on hundreds of millions of iPhone and iPad devices, Apple went on the defensive, publicly stating it did not wittingly create a portal for government spying and reaffirming previous claims by saying it has "never worked with any government agency from any country to create a backdoor in any of our products or services."
Subsequently, responding to Apple's statement, Zdziarski said the computer maker may have "inadvertently" admitted that "they do indeed have back doors in iOS" even as they denied working with government agencies to create them.
In his original presentation, given last Friday at the Hackers On Planet Earth (HOPE/X) conference in New York and titled Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices, Zdziarski highlighted three specific backdoor capabilities in the iOS software running on over 600 million iPads and iPhones, none of which had been publicly known before he found them. In a blog post written the same day, Zdziarski stated his concern that "some of these services may have been used by the NSA to collect data."
Apple's response to Zdziarski's claims arrived on Monday in a statement to iMore, saying that the backdoors are "diagnostic functions" and "do not compromise user privacy and security."
After Apple's statement, Zdziarski posted a cogent and pointed reply on his blog, noting that "these services break the promise that Apple makes with the consumer when they enter a backup password; that the data on their device will only come off the phone encrypted."
"I don't buy for a minute that these services are intended solely for diagnostics," he wrote. "The data they leak is of an extreme personal nature. There is no notification to the user. A real diagnostic tool would have been engineered to respect the user, prompt them like applications do for access to data, and respect backup encryption."
The security issues stem from the "pairing" process that occurs when a user decides a certain computer or device is trustworthy and connects their device to it. Once the trusted connection is set up, a huge amount of personal data can be accessed.
"Pairing records can be stolen a number of different ways, ranging from a shared coffee shop computer to an ex-lover whose computer you used to trust," Zdziarski explains. The only way to disable access to data via a previously made pairing seems to be a complete erase of the device. Users are not notified of the services, are not asked to consent to them in any way, and have no ability to turn them off, even when the "Send Diagnostics to Apple" setting is disabled.
Zdziarski has made it a point to be clear that he is "not suggesting some grand conspiracy," but still believes that there are "services running in iOS that shouldn't be there, that were intentionally added by Apple as part of the firmware and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer."
As Rene Ritchie noted on iMore, given that "the NSA surveillance controversy is still fresh in many people's minds," Zdziarski added a "don't panic" statement on his blog in order to emphasize "that he wasn't accusing Apple of working with the NSA, but does suspect that the NSA might be using the techniques he outlined to collect data."
"We know, from the Snowden leaks via Der Spiegel, that NSA has penetrated target desktop machines to later access iPhone features," Zdziarski explained. "We also know that desktop machines are often seized by law enforcement and with that pairing record data, can access the data on the device using these services - even if backup encryption is turned on."
While some have speculated that the backdoors are there to conform with America's 1994 Communications Assistance for Law Enforcement Act, Zdziarski pointed out that the level of access provided to such sensitive data "exceeds anything that law requires."