Topics: iOS, Security, Communications, Encryption, iPhone, Privacy, Apple

Private Data On iOS Devices Not So Private After All

Posted by timothy
from the it's-totally-intuitive dept.
theshowmecanuck (703852) writes with this excerpt from Reuters summarizing the upshot of a talk that Jonathan Zdziarski gave at last weekend's HOPE conference: Personal data including text messages, contact lists and photos can be extracted from iPhones through previously unpublicized techniques by Apple Inc employees, the company acknowledged this week. The same techniques to circumvent backup encryption could be used by law enforcement or others with access to the 'trusted' computers to which the devices have been connected, according to the security expert who prompted Apple's admission. Users are not notified that the services are running and cannot disable them, Zdziarski said. There is no way for iPhone users to know what computers have previously been granted trusted status via the backup process or block future connections. If you'd rather watch and listen, Zdziarski has posted a video showing how it's done.
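The summary's point is that a device owner has no on-phone view of which computers hold trust for it. From the computer side, though, each "Trust this computer" decision leaves a lockdown pairing record on the host, so a defender can at least inventory which device UDIDs a given machine has been trusted by. The script below is an added example, not code from the story, Reuters or Zdziarski's talk. It assumes the default lockdown directories used by iTunes/usbmuxd and libimobiledevice (reading them normally needs root or administrator rights), that records are named after the device UDID, and the usual record keys (HostID, SystemBUID, WiFiMACAddress, EscrowBag, HostPrivateKey, RootPrivateKey); the sample record is constructed, and private-key material is reported by presence only, never printed.

```python
"""Inventory the iOS pairing ("trust") records held by this computer.

Added example, not from the story or the talk it summarizes. Every time an
unlocked iOS device is told to trust a host, the host stores a lockdown
pairing record named <device UDID>.plist. Directories below are the default
install locations (assumption); SystemConfiguration.plist in the same
directory is host-wide state, not a device pairing, and is skipped.
"""
import os
import plistlib
import sys
import tempfile
from datetime import datetime
from pathlib import Path

# Default lockdown directories per platform (assumption: unchanged defaults).
LOCKDOWN_DIRS = {
    "darwin": [Path("/var/db/lockdown")],
    "win32": [Path(os.environ.get("ProgramData", r"C:\ProgramData")) / "Apple" / "Lockdown"],
    "linux": [Path("/var/lib/lockdown")],
}

# Keys carrying secret material: report that they exist, never their contents.
SECRET_KEYS = ("HostPrivateKey", "RootPrivateKey", "EscrowBag")

# Constructed sample record (not from any real device) so the script runs
# offline; real records additionally carry host/root/device certificates.
SAMPLE_RECORD = plistlib.dumps({
    "HostID": "5E9D3C21-CONSTRUCTED-HOST-ID",
    "SystemBUID": "A1B2C3D4-CONSTRUCTED-BUID",
    "WiFiMACAddress": "00:11:22:33:44:55",
    "HostPrivateKey": b"-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n",
    "RootPrivateKey": b"(constructed)",
    "EscrowBag": b"(constructed)",
})


def summarize_record(data: bytes, filename: str) -> dict:
    """Parse one pairing record and return only non-secret identifying fields."""
    rec = plistlib.loads(data)
    return {
        "device_udid": Path(filename).stem,          # record is named after the device UDID
        "host_id": rec.get("HostID"),                # identity this host presents to the device
        "system_buid": rec.get("SystemBUID"),
        "wifi_mac": rec.get("WiFiMACAddress"),
        "has_escrow_bag": "EscrowBag" in rec,        # escrow bag lets the host talk to a locked device
        "secret_keys_present": [k for k in SECRET_KEYS if k in rec],
    }


def inventory(directory: Path) -> list[dict]:
    """Summarize every device pairing record in one lockdown directory."""
    results = []
    if not directory.is_dir():
        return results
    for path in sorted(directory.glob("*.plist")):
        if path.name == "SystemConfiguration.plist":
            continue
        try:
            info = summarize_record(path.read_bytes(), path.name)
        except (plistlib.InvalidFileException, ValueError) as exc:
            info = {"device_udid": path.stem, "error": str(exc)}
        # File mtime is only an approximation of when trust was granted or refreshed.
        info["record_modified"] = datetime.fromtimestamp(path.stat().st_mtime).isoformat(timespec="seconds")
        results.append(info)
    return results


def demo_inventory() -> list[dict]:
    """Run the inventory over a temp directory holding the constructed record."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "00008030-CONSTRUCTEDUDID.plist").write_bytes(SAMPLE_RECORD)
        (d / "SystemConfiguration.plist").write_bytes(plistlib.dumps({"SystemBUID": "host-wide"}))
        return inventory(d)


def main() -> int:
    """Report pairing records in this platform's default lockdown directories."""
    dirs = LOCKDOWN_DIRS.get(sys.platform, [])
    if not dirs:
        print(f"no default lockdown directory known for {sys.platform}; showing constructed demo")
        records = demo_inventory()
    else:
        records = [r for d in dirs for r in inventory(d)]
    if not records:
        print("no device pairing records found (or directory not readable without elevation)")
    for r in records:
        print(r)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Each line of output is one device this computer can pair with without a fresh "Trust" prompt; a record whose UDID or modification time nobody can account for is the one to remove (deleting the plist revokes the host's pairing, and the device will prompt again on the next connection).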
  • Stallman was right (Score:5, Insightful)

    by jabberw0k (62554) on Saturday July 26, 2014 @09:29AM (#47538223)

    These so-called "smart telephones" aren't telephones at all; they are computers. Computers that you cannot control. And if you aren't, who is?

    Some folks thought Richard Stallman was crazy for saying no-one should run software or use hardware that is based on clandestine (proprietary, hidden) knowledge. This latest revelation is just one reason he was right all along.

  • by Anonymous Coward on Saturday July 26, 2014 @09:30AM (#47538225)

    There's only one operating system in existence today that is worthy of even a small degree of trust: OpenBSD.

    OpenBSD is the only operating system I know of that is open source, continually undergoes rigorous review, and has developers who put security above all else.

    Since OpenBSD is the only operating system that is anywhere close to being secure, the only type of secure mobile device would be one running OpenBSD. I'm not aware of any of those, so it's obvious that any device not running OpenBSD should be considered insecure to begin with.

  • it's the future (Score:3, Insightful)

    by Anonymous Coward on Saturday July 26, 2014 @09:32AM (#47538235)

    The more we buy devices whose master is someone else, the more things of this very nature will become a problem.

    Do not buy devices that you do not control after you buy them. You must be able to run any kernel and any userspace you want, you must be able to control the machine top to bottom. If you give this up in exchange for convenience, then you will be taken advantage of by companies that don't have your interests at heart.

  • So... (Score:5, Insightful)

    by Sqr(twg) (2126054) on Saturday July 26, 2014 @09:38AM (#47538263)

    If you store sensitive stuff on your iPhone, don't make backups from it onto an insecure/unencrypted computer.

    And if you were making backups from anything secure onto anything insecure, it is time to revise your security policy.

  • Re:Yeah (Score:3, Insightful)

    by Anonymous Coward on Saturday July 26, 2014 @10:02AM (#47538367)

    These *attacks* require the attacker to have the keys from a trusted computer. Is your Linux secure if you give somebody the root pass? Is your house safe if you give a friend the keys? These "security" headlines are just clickbait.

  • Re:Yeah (Score:0, Insightful)

    by Anonymous Coward on Saturday July 26, 2014 @11:17AM (#47538653)

    The "trusted" computer creds are sitting in one's home directory. It would be trivial for malware to slurp those, then any other computer can be flagged as "trusted".

    Sure man, trivial. It happens to everybody every day of the week. Seriously, do you guys have a bit of common sense? If you have malware slurping the keys, the malware can already be slurping the synced data of the phone, which is the point of this attack. Why go the roundabout way to something you already have access to on the machine? For the lulz? And don't tell me there might be data on the phone that is not on the machine, because then I claim you wouldn't be syncing the phone in the first place, neither to Apple iCloud nor to your own machine.

    All the case scenarios you guys are painting are the equivalent of xkcd 538.

  • by gnasher719 (869701) on Saturday July 26, 2014 @04:42PM (#47540147)

    Trusted by whom? I don't think there's any requirement that the purchaser of the device trust the "trusted" data extractor. IIUC it could become trusted before the customer ever received the device, or anytime it's in for service.

    Step 1: Plug iOS device into a Mac.
    Step 2: Unlock iOS device.
    Step 3: Click on YES when the iOS device asks if it should trust the computer.

    The critical part is Step 2, which you can only perform if you know how to unlock the device. In other words, if you know the passcode. But if you know the passcode, then you can do _anything_ with the phone. That's what the passcode is there for.

    So basically, this security "expert" found a way for a thief to enter my home through the backdoor, as long as the thief has the keys for my front door.
