Forensic Scientist Reveals Backdoor in iOS that allows Access to Encrypted Data


UPDATE: Apple has responded that the processes identified by Zdziarski are there only for diagnostic purposes. Rene Ritchie at iMore has clarified that what Zdziarski has actually discussed is dependent on “Trust Relationships”. When you plug your iPhone or iPad into a computer, you are prompted to “Trust this computer”. The information on your device is only accessible if that type of trust agreement has been created between your device and some hardware (usually your computer). Zdziarski is concerned that a third party could steal the pairing records created when you trust a computer, or spoof your iPhone or iPad into creating a “Trust Relationship” with hardware like a public USB charger.

ZDNet has an alarming article detailing a recent security talk from Jonathan Zdziarski revealing backdoors that exist in iOS, which he suggests Apple created for the purpose of making secure data available to law enforcement. He suggests that this can be done through USB, WiFi, or possibly even cellular. Although this would allow Apple to obtain personal data off your device, he couldn’t find a way that it could be used to restore data. He concludes that the only purpose could be to pull data off the device for purposes other than helping the customer.

The only truly secure state for the phone, according to Jonathan Zdziarski, is password-protected and powered off. A very interesting and eye-opening read. (PLEASE SEE UPDATE WITH APPLE RESPONSE AT BEGINNING OF POST!)

Another Good Reason to Password Protect Your iPad/iPhone


9to5Mac details an iOS 7 bug that allows anyone to disable Find My iPhone and bypass Activation Lock without a password: http://9to5mac.com/2014/04/03/ios-7-bug-allows-anyone-to-disable-find-my-iphone-and-bypass-activation-lock-without-a-password/

The good news about this new security risk is that it only works if you do not have a password set up on your iPhone or iPad. Even if your device is unlocked, on reboot the unauthorized user would need to enter a password. The moral of the story: Password Protect Your Device!