About Jonathan Zdziarski

Respected in his community as an iOS forensics expert, Jonathan is a noted security researcher, penetration tester, and hacker. Author of many books ranging from machine learning to iPhone hacking and software development, Jonathan frequently trains many federal and state law enforcement agencies in digital forensic techniques and assists law enforcement and the military in high profile cases. Jonathan is also inventor on several US patent applications, father of DSPAM and other language classification technology, and an App Store developer. All opinions expressed on this website are the author's own. Follow Jonathan on Twitter: @JZdziarski

Split Toning: When People Appreciate Fine Processing Over Fine Photography

I appreciate straightforward photography with minimal processing (you know, real photography), but most online photography communities ironically prefer over-processed imagery that borders more on the side of “art” than photography (and hey, let’s keep calling it photography so people think we’re gods). In such cases, nothing is quite as useful for making fauxtography that everyone will drool over as split toning. If you want to impress the boogers out of social network photographers, you need split toning in your toolbox. Both DxO and Photoshop support this technique, and many photographers have made a living creating fake works of art with it. To give an example, I took my two favorite Kirkjufell photos (which you can find in my blog) and applied the following split-toning techniques:

Step #1 (DxO): Sepia Gold / Sepia Terra Split-Tone, apply Agfa Precise film from Film Pack. Load into Photoshop.
Step #2 (Photoshop): Split tone in Camera Raw, 261 @ 22 Saturation, 360 @ 15 Saturation. Low-Key mask with Nik, adjust brightness.

Voila, you now have amazing looking photos that don’t really exist, and never really happened… but people on the Internet will drool over. It’s better than Instagram! You’ll find many fauxtographers lean toward a magenta split-tone, but personally if I’m going to wreck a perfectly good photo, I prefer to do it with golden overtones. Magenta is over-done in my opinion. For that “classic” look, it’s much better to puke gold tones all over your photos.


Continue reading

Norway’s Lofoten Islands

Day one, we stretched a four hour trip through the Lofoten Islands into about seven hours, stopping everywhere to take photos. We had a few good hours of sunlight, as the sunrise and sunset are very close together. After sunset, a nice long twilight gave us some fantastic dark light to work with. The fog perfectly textured nearly every photo we took. My 70-200mm f/2.8 came in extremely handy, and is what I used for almost every photo below. If you’re going to drive through Lofoten, I strongly recommend using this focal length. After a long, five hour party with about a dozen friends from Reine, Moskenes, and Sørvågen, we made it back to the cabin to await the northern lights. If they don’t show up tonight, we’ll keep watching.


Continue reading

Iceland Adventure and Aurora Chase

Ever since visiting Norway last year, it’s been in my heart to visit Iceland. I’ve spent the past year looking at photos of Kirkjufell mountain and the Aurora Borealis, in anticipation for this year’s trip through Scandinavia. Day one of a two-week expedition through Iceland and Norway was well spent. With no sleep for 36 hours, my wife and I somehow managed to find some of the most beautiful parts of Grundarfjörður (pronounced just as it looks – like a jumble of letters that don’t make any sense), a small fishing village in western Iceland. Over the next few days, we’ll be exploring and branching out, as well as meeting a local professional photographer for a photo tour of some of his favorite spots. There’s really no word other than magical to describe Iceland, and its beauty. Waterfalls everywhere you look, old lava fields now growing moss, giant towering mountains – it’s intimidating in a way that makes you feel small to nature; it’s an amazing feeling. Dinner tonight? Fish soup, lamb filet, and Skyr.

Many of these photos were taken during a very long sunrise, on a day accompanied by high winds, freak hail storms, and a number of other threats from nature. We had to fight hard to get crisp photos today. This involved numerous shots, tripod spikes, and a lot of patience. It was worth it.

(Most of the photos have been moved to my photography site)


Continue reading

What You Need to Know About WireLurker

Mobile Security company Palo Alto Networks has released a new white paper titled WireLurker: A New Era in iOS and OS X Malware. I’ve gone through their findings, and also managed to get a hold of the WireLurker malware to examine it first-hand (thanks to Claud Xiao from Palo Alto Networks, who sent them to me). Here’s the quick and dirty about WireLurker; what you need to know, what it does, what it doesn’t do, and how to protect yourself.

How it Works

WireLurker is a trojan that has reportedly been circulated in a number of Chinese pirated software (warez) distributions. It targets 64-bit Mac OS X machines, as there doesn’t appear to be a 32-bit slice. When the user installs or runs the pirated software, WireLurker waits until it has root, and then gets installed into the operating system as a system daemon. The daemon uses libimobiledevice. It sits and waits for an iOS device to be connected to the desktop, and then abuses the trusted pairing relationship your desktop has with it to read its serial number, phone number, iTunes store identifier, and other identifying information, which it then sends to a remote server. It also attempts to install malicious copies of otherwise benign looking apps onto the device itself. If the device is jailbroken and has afc2 enabled, a much more malicious piece of software gets installed onto the device, which reads and extracts identifying information from your iMessage history, address book, and other files on the device.

WireLurker appears to be most concerned with identifying the device owners, rather than stealing a significant amount of content or performing destructive actions on the device. In other words, WireLurker seems to be targeting the identities of Chinese software pirates.
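The trust WireLurker abuses lives on the desktop side as lockdown pairing records: one file per device the Mac has ever paired with, each of which lets any software on that Mac talk to the phone without the phone asking again. The following audit script is an added example, not part of the original post and not from Palo Alto Networks or Apple; the /var/db/lockdown/<UDID>.plist layout, the HostID key, and the treatment of SystemConfiguration.plist as host state are assumptions about macOS, and the directory built in demo() is constructed.

```python
import os
import plistlib
import tempfile
import time
from pathlib import Path

# Assumed macOS layout: one <UDID>.plist per paired iOS device, plus a
# SystemConfiguration.plist holding host-wide state rather than a pairing.
DEFAULT_LOCKDOWN_DIR = Path("/var/db/lockdown")
SECONDS_PER_DAY = 86400.0


def audit_pair_records(lockdown_dir=DEFAULT_LOCKDOWN_DIR, max_age_days=90, now=None):
    """Describe every pairing record in lockdown_dir.

    Each entry reports the device UDID (from the file name), the HostID the
    record was issued to (assumed key), its age in days (file mtime), and
    whether it is older than max_age_days and so a candidate for deletion.
    """
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(lockdown_dir).glob("*.plist")):
        if path.name == "SystemConfiguration.plist":
            continue
        try:
            with open(path, "rb") as fh:
                record = plistlib.load(fh)
        except (OSError, plistlib.InvalidFileException):
            record = {}  # unreadable record: still report it by UDID
        age_days = (now - path.stat().st_mtime) / SECONDS_PER_DAY
        findings.append({
            "udid": path.stem,
            "host_id": record.get("HostID", "unknown"),
            "age_days": round(age_days, 1),
            "stale": age_days > max_age_days,
        })
    return findings


def build_sample_lockdown_dir(now):
    """Constructed sample directory: one fresh record and one 400-day-old one."""
    tmp = Path(tempfile.mkdtemp(prefix="lockdown-sample-"))
    samples = {
        "0000000000000000000000000000000000000001": ("HOST-AAAA", 2),
        "0000000000000000000000000000000000000002": ("HOST-BBBB", 400),
    }
    for udid, (host_id, age_days) in samples.items():
        path = tmp / f"{udid}.plist"
        with open(path, "wb") as fh:
            plistlib.dump({"HostID": host_id}, fh)
        mtime = now - age_days * SECONDS_PER_DAY
        os.utime(path, (mtime, mtime))
    return tmp


def demo(now=1_700_000_000.0):
    """Run the audit over the constructed directory and return the findings."""
    sample_dir = build_sample_lockdown_dir(now)
    return audit_pair_records(sample_dir, max_age_days=90, now=now)


if __name__ == "__main__":
    for entry in demo():
        flag = "STALE" if entry["stale"] else "ok"
        print(f"{entry['udid']}  host={entry['host_id']}  age={entry['age_days']}d  {flag}")
```

Run it against the real directory with `audit_pair_records()` (root is needed to read /var/db/lockdown). Deleting a stale record revokes that Mac's standing access; the next connection makes the phone prompt for trust again, which is exactly the step a daemon riding on an old pairing never has to pass.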

Continue reading

Yosemite Could Easily Support LTE-Enabled MacBooks in the Future

With Yosemite’s release comes a lot of brand new code from Apple, and much to be explored. As you would expect, much of Yosemite’s codebase is shared with iOS 8, and this includes cellular capabilities, which could make it very easy for Apple to support cellular data on the desktop platform. Yosemite does currently support hotspot tethering, but the overlap in codebase could also support something else in the future: MacBooks with integrated LTE functionality.

Apple’s recent announcement of an “Apple SIM” went largely unnoticed, and while convenient for new iPad owners, is quite an undertaking for a product that has already saturated the market. On the other hand, you don’t buy your laptops from Verizon or AT&T, nor would anyone want to buy a laptop that was tied to a particular cellular carrier. The Apple SIM makes much more sense if Apple’s ultimate game is to release a MacBook Air with the ability to subscribe to any cellular network.

This morning, I decided to have a look into Apple’s new download continuity manager (nsurlsessiond), which led me to also look at networkd, findmydeviced, and other daemons, on both Yosemite and iOS 8. Both codebases are virtually identical, with the cellular components simply compiled out of Yosemite’s build. Here are some examples.

Continue reading

Damage Warning on C-SLIDE Webcam Covers for Laptops

About a year ago, I installed some of those little C-SLIDE plastic sliding webcam covers (from @WebcamCovers) on all of our laptops in the house (the kind that are now ubiquitous and private branded by everybody). This week, I had to take one of the laptops in for repair at Apple due to problems with the LCD. There were about a dozen horizontal lines at the top, and a small cone shaped black spot in the middle of the LCD directly underneath the iSight camera. The total repair was over $600 (talk about a markup).

In chatting with the Apple tech (I refuse to call them geniuses), he felt the most likely cause was a pressure crack inside the LCD. Given the machine was only a couple of years old, and treated with care, we determined the most likely cause was the added pressure created by the little stick-on sliding cover when you close the notebook. Even if you close it gently, the magnets create a pull on the top of the notebook screen. Additionally, even after it’s closed, all of the pressure on the LCD, thanks to the camera cover, is now concentrated on the small area in the center of the notebook, instead of distributed across the entire panel. This means that even while it’s in your laptop case, any pressure on the lid is focused on one small area of the LCD. The plastic sliding camera covers are very convenient; however, it looks as though over the long term they have the potential to cause severe damage to your laptop screen, even if you care for your machines. I would advise avoiding them and looking into solutions that do not interfere with how pressure is distributed across the LCD.

As it happens, @WebcamCovers admits that their own products cause damage “when pressure is applied”; what they don’t tell you is that, even if you don’t abuse your notebook, the “pressure” applied from normal use alone over a prolonged period of time can damage your notebook’s LCD. In comparison, the little $5 piece of plastic is not worth the risk IMO for a $600 screen. EFF has some good alternatives on their website: stickers that can easily be peeled back and forth, and will re-adhere with no problems. If you are concerned about damaging your laptop, I’d recommend looking at this alternative, or others, instead.

NOTE: @WebcamCovers has ignored my request to have the damage caused by their product reimbursed.

Preliminary Findings on Whisper

At the suggestion of @kashhill, I did a brief analysis of the Whisper iOS application, which appears to be at the height of controversy with respect to user privacy. My preliminary observations follow. Note, I am only looking at the technical aspects of the application, and make no political conclusions about the motivations of the company. I do not see any horribly underhanded malicious code in the application, although it is a large application and my analysis was brief. In spite of this, the Whisper app does not appear to be a social networking application with analytics; it appears to be an analytics and user acquisition application that also happens to have a social networking component. With this come a few concerns about privacy and anonymity.

Continue reading

Disk Analyzer: Zero Free Space on Your iOS Device


Interested in the low-level statistics of your iOS device’s disk, such as inode consumption and other file system metrics? Disk Analyzer allows you to view and work with your device’s used and free space and partition statistics. This simple little tool provides all the information about your device’s disk in a simple, user-friendly display. An ideal tool for businesses and enterprises.

In addition to analyzing your disk space, Disk Analyzer provides an advanced tool that can overwrite the free space on your device. Turn on Advanced Options in Settings to activate this feature, and a “Zero Free Space” button will appear in the application.

Now Available! Click Here to view in iTunes

How App Store Apps are Hacked on Non-Jailbroken Phones

(And Why Self-Expiring Messaging Apps Aren’t Trustworthy)

This brief post will show you how hackers are able to download an App Store application, patch the binary, and upload it to a non-jailbroken device using its original App ID, without the device being aware that anything is amiss – this can be done with a $99 developer certificate from Apple and [optionally] an $89 disassembler. Also, with a $299 enterprise enrollment, a modified application can be loaded onto any iOS device, without first registering its UDID (great for black bag jobs and the intelligence community).

Now, it’s been known for quite some time in the iPhone development community that you can sign application binaries using your own dev certificate. Nobody’s taken the time to write up exactly how people are doing this, so I thought I would explain it. This isn’t considered a security vulnerability, although it could certainly be used to load a malicious copycat application onto someone’s iPhone (with physical access). This is more a byproduct of developer signing rights on a device, after it’s been enabled with a custom developer profile. What this should be is a lesson to developers (such as Snapchat, and others who rely on client-side logic) that the client application cannot be trusted for critical program logic. What does this mean for non-technical readers? In plain English, it means that Snapchat, as well as any other self-expiring messaging app in the App Store, can be hacked (by the recipient) to not expire the photos and messages you send them. This should be a no-brainer, but it seems there is a lot of confusion about this, hence the technical explanation.

As a developer, putting your access control on the client side is taboo. Most developers understand that applications can be “hacked” on jailbroken devices to manipulate the program, but very few realize it can be done on non-jailbroken devices too. There are numerous jailbreak tweaks for unlimited skips in Pandora, to prevent Snapchat messages from expiring, and even to add favorites in your mentions on TweetBot. The ability to hack applications is why (the good) applications do it all server-side. Certain types of apps, however, are designed in such a way that they depend on client logic to enforce access controls. Take Snapchat, for example, whose expiring messages require that the client make photos inaccessible after a certain period of time. These types of applications put the end-user at risk in the sense that they are more likely to send compromising content to a party that they don’t necessarily trust – thinking, at least, that the message has to expire.
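What "do it server-side" looks like for an expiring message is that the server holds the only copy and refuses to hand it over a second time or after its deadline, so a patched client that skips its own timer still has nothing to show. The store below is an added example written for this post, not code from Snapchat or any other messaging service; the class name, single-read semantics and TTL values are illustrative assumptions.

```python
import secrets
import time


class ExpiringMessageStore:
    """Server-side store that returns each message at most once, and never
    after its deadline, regardless of what the client's own logic claims."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested deterministically
        self._messages = {}      # message_id -> (payload, expires_at)

    def put(self, payload: bytes, ttl_seconds: float) -> str:
        """Store a payload; the caller receives an unguessable id to hand to the recipient."""
        message_id = secrets.token_urlsafe(16)
        self._messages[message_id] = (payload, self._now() + ttl_seconds)
        return message_id

    def take(self, message_id: str):
        """Return the payload exactly once, or None if unknown or expired.

        The entry is removed *before* the payload is returned, so a replayed
        fetch from a modified client gets None; the client never decides.
        """
        entry = self._messages.pop(message_id, None)
        if entry is None:
            return None
        payload, expires_at = entry
        if self._now() >= expires_at:
            return None
        return payload

    def purge_expired(self) -> int:
        """Drop unread messages past their deadline; returns how many were removed."""
        now = self._now()
        stale = [m for m, (_, exp) in self._messages.items() if now >= exp]
        for m in stale:
            del self._messages[m]
        return len(stale)


def demo():
    """Exercise the three cases: first read, replayed read, read after expiry."""
    clock = [1000.0]
    store = ExpiringMessageStore(now=lambda: clock[0])

    mid = store.put(b"photo bytes", ttl_seconds=10)
    first = store.take(mid)      # b"photo bytes"
    second = store.take(mid)     # None: single read enforced by the server

    late = store.put(b"another photo", ttl_seconds=10)
    clock[0] += 11               # 11 s pass; the deadline has gone by
    expired = store.take(late)   # None: expiry enforced by the server
    return first, second, expired


if __name__ == "__main__":
    print(demo())
```

This bounds what a hostile recipient can obtain to a single delivery inside the window; it does not stop the recipient from capturing what is on screen once the bytes have been rendered, which is the residual risk the post warns senders about.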

Continue reading

Why the D810 Was Worth the Upgrade from a D800/D800E

I recently upgraded my D800 to a D810, with my other camera being a D800E. I am thoroughly satisfied with my decision, not only because of the improvement in image quality from not having an OLP filter, but also for a number of other reasons, that are also leading me to consider upgrading my D800E as well. There are a lot of obvious new features that you can read about on other sites, but it’s the small details that have gone unnoticed that I am particularly thrilled about.

Continue reading

A Warning to the Tech Community on Abusive Journalists

Below is a letter I’ve sent to Royal Media today regarding a journalist who has gone far beyond his ethical and professional boundaries to harass and attack me. Why you ask? Because I didn’t think a particular subject I was researching was credible enough yet to warrant a story. I wanted to bring this to the attention of the tech community as a lesson to be very careful about which journalists you choose to speak with. When you have new findings to share, the choice of which journalists you discuss them with can be harmful if you choose unethical or unprofessional reporters, who are not willing or able to come to an understanding of the details surrounding your work.

Unfortunately, this is not the first time I have had to deal with less than ethical journalists. If you recall, I’ve recently had to deal with a smear campaign from a ZDNet writer, who seemingly used her position in journalism to launch a libelous attack against me, motivated by my religious beliefs (or what she thinks they are), with the full support of the ZDNet staff, who never took any action. Sadly, today, any hack can become a “reporter”, in today’s sense of the word, regardless of what kind of journalism training, or even ethical training, they’ve had. News agencies rarely hold their own writers accountable, especially in tech, where misogyny / misandry thrive, and where personal attacks generate headlines.

Continue reading

Private Photo Vault: Not So Private

One of the most popular App Store applications, Private Photo Vault (Ultimate Photo+Video Manager) claims over 3 million users, and that your photos are “100% private”. The application, however, stores its data files without using any additional protection or encryption than any other files stored on the iPhone. With access to an unlocked device, a pair record from a seized desktop machine, or possibly even just a copy of a desktop or iCloud backup, all of the user’s stored images and video can be recovered and read in cleartext.

Continue reading

Counter-Forensics: Pair-Lock Your Device with Apple’s Configurator

Last updated for iOS 8 on September 28, 2014

As it turns out, the same mechanism that provided iOS 7 with a potential back door can also be used to help secure your iOS 7 or 8 devices should it ever fall into the wrong hands. This article is a brief how-to on using Apple’s Configurator utility to lock your device down so that no other devices can pair with it, even if you leave your device unlocked, or are compelled into unlocking it yourself with a passcode or a fingerprint. By pair-locking your device, you’re effectively disabling every logical forensics tool on the market by preventing it from talking to your iOS device, at least without first being able to undo this lock with pairing records from your desktop machine. This is a great technique for protecting your device from nosy coworkers, or cops in some states that have started grabbing your call history at traffic stops.

With iOS 8’s new encryption changes, Apple will no longer service law enforcement warrants, meaning these forensics techniques are one of just a few reliable ways to dump forensic data from your device (which often contains deleted records and much more than you see on the screen). Whatever the reason, pair locking will likely leave the person dumbfounded as to why their program doesn’t work, and you can easily just play dumb while trying not to snicker. This is an important step if you are a journalist, diplomat, security researcher, or other type of individual that may be targeted by a hostile foreign government. It also helps protect you legally, so that you don’t have to be put in contempt of court for refusing to turn over your PIN. The best thing about this technique is that, unlike my previous technique using pairlock, this one doesn’t require jailbreaking your phone. You can do it right now with that shiny new device.
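Under the hood, what Configurator applies when you pair-lock a supervised device is a restrictions payload with pairing disallowed. The snippet below is an added example, not Apple's tooling or code from this post: it builds that payload so you can see what the setting is, and checks an exported .mobileconfig for it. The payload type com.apple.applicationaccess and the allowPairing key (honoured on supervised devices only) are taken from Apple's configuration profile reference; the identifiers and display names are constructed placeholders.

```python
import plistlib
import uuid


def pair_lock_profile(org="Example Org"):
    """Return a profile dict whose restrictions payload refuses new host pairings."""
    restriction = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.pairlock.restrictions",   # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Pair lock",
        # Supervised devices only: the device will pair with nothing except
        # the supervising host that already holds its pairing record.
        "allowPairing": False,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.pairlock",                # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Pair lock (supervised)",
        "PayloadOrganization": org,
        "PayloadContent": [restriction],
    }


def to_mobileconfig(profile) -> bytes:
    """Serialise the profile as the XML plist a .mobileconfig file contains."""
    return plistlib.dumps(profile)


def is_pair_locked(mobileconfig: bytes) -> bool:
    """True if any restrictions payload in the profile sets allowPairing to false."""
    profile = plistlib.loads(mobileconfig)
    for payload in profile.get("PayloadContent", []):
        if (payload.get("PayloadType") == "com.apple.applicationaccess"
                and payload.get("allowPairing") is False):
            return True
    return False


if __name__ == "__main__":
    blob = to_mobileconfig(pair_lock_profile())
    print(blob.decode())
    print("pair-locked:", is_pair_locked(blob))
```

The check is the part worth keeping: after you have locked a device, export its profile and confirm the restriction is really present, because a profile that merely looks like a restrictions payload but omits allowPairing leaves every logical acquisition tool working as before. Keep the supervising Mac's pairing identity backed up; it is the only way back into the device short of erasing it.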

Continue reading

How to Help Secure Your iPhone From Government Intrusions

There’s been a lot of confusion about Apple’s recent statements in protecting iOS 8 data, supposedly stifling law enforcement’s ability to do their job. FBI boss James Comey has publicly criticized Apple, and essentially blamed them for the next hundred children who get kidnapped. While Apple’s new security improvements have made it a lot harder to get to certain types of data, it’s important to note that there are still a number of techniques that can be employed against iOS 8, with varying levels of success. Most of these are techniques that law enforcement is already doing. Some are part of commercial forensics tools such as Oxygen and Cellebrite. The FBI is undoubtedly aware of them. I’ll outline some of the most common ones here.

I’ve included some tips for those of us who are concerned about data security. Security researchers, journalists, law abiding activists, diplomats, and many other types of high profile individuals should all be practicing good data security, especially when abroad. Foreign governments are just as capable of performing the same forensics techniques that our own government is capable of, and there is an overwhelming amount of information suggesting that all of these classes of individuals have been targeted by foreign governments.

Continue reading

Shellshock OpenSSH restricted shell RCE/PE Proof of Concept

The sshd daemon used in OpenSSH supports a ForceCommand directive, allowing shell logins to be restricted to specific commands. This is often used in configuring sshd for cvs/git accounts, restricted shells, or management scripts. The ForceCommand directive can be employed system wide, or just for specific users.

By default, sshd is configured to allow the LANG environment variable to be passed through prior to execution of the restricted shell. On systems vulnerable to the bash/Shellshock vulnerability, LANG can be set in such a way that it spawns a remote shell or executes other code on the server, effectively bypassing the forced command and allowing full account access. This can only be taken advantage of after the user has authenticated via ssh, so such systems are only at risk from abuse by their own authorized users; however, such users are normally restricted from executing arbitrary commands, so in those cases this is more of a privilege escalation. The vulnerability can be even more dangerous on systems with open restricted accounts, in which case it becomes an RCE risk.
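The setting that lets LANG through is sshd's AcceptEnv directive, and on a host that relies on ForceCommand it is worth auditing directly. The script below is an added example, not part of the original post or of OpenSSH: it parses an sshd_config, lists the client-controlled variable patterns that would reach the forced command, and produces a copy with that forwarding commented out. Both configs are constructed samples. Removing AcceptEnv only takes away one client-controlled input; the actual fix for Shellshock is a patched bash.

```python
import re

# Constructed sample: client LANG/LC_* forwarding enabled (a common distro
# default of the period) on a host that also uses a forced command.
WEAK_CONFIG = """\
Port 22
AcceptEnv LANG LC_*
Match User gitbot
    ForceCommand /usr/local/bin/git-only.sh
"""

# Constructed sample: the same host with client environment forwarding removed.
HARDENED_CONFIG = """\
Port 22
Match User gitbot
    ForceCommand /usr/local/bin/git-only.sh
    PermitUserEnvironment no
"""

# sshd keywords are case-insensitive and "#" begins a comment.
_ACCEPT_ENV = re.compile(r"^\s*AcceptEnv\s+(.+?)\s*$", re.IGNORECASE)
_FORCE_CMD = re.compile(r"^\s*ForceCommand\s+\S", re.IGNORECASE)
_USER_ENV = re.compile(r"^\s*PermitUserEnvironment\s+(yes|no)\b", re.IGNORECASE)


def _directives(config_text):
    """Yield each line with any trailing comment stripped."""
    for raw in config_text.splitlines():
        yield raw.split("#", 1)[0]


def forwarded_env_patterns(config_text):
    """Every environment-name pattern a client may set through AcceptEnv."""
    patterns = []
    for line in _directives(config_text):
        m = _ACCEPT_ENV.match(line)
        if m:
            patterns.extend(m.group(1).split())
    return patterns


def audit(config_text):
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    patterns = forwarded_env_patterns(config_text)
    forced = any(_FORCE_CMD.match(line) for line in _directives(config_text))
    if patterns:
        findings.append(
            "AcceptEnv forwards client-controlled variables (%s)%s"
            % (", ".join(patterns),
               "; they reach the ForceCommand process" if forced else ""))
    for line in _directives(config_text):
        m = _USER_ENV.match(line)
        if m and m.group(1).lower() == "yes":
            findings.append("PermitUserEnvironment yes lets users inject "
                            "variables via ~/.ssh/environment")
    return findings


def harden(config_text):
    """Comment out every AcceptEnv line and leave everything else untouched."""
    out = []
    for raw in config_text.splitlines():
        if _ACCEPT_ENV.match(raw.split("#", 1)[0]):
            out.append("# disabled (client environment must not reach forced "
                       "commands): " + raw.strip())
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("FINDING:", finding)
    print(harden(WEAK_CONFIG))
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a real host; anything it reports applies to every account, not just the ForceCommand ones, since AcceptEnv is honoured before the forced command is decided.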

Continue reading

The Politics Behind iPhone Encryption and the FBI

Apple’s new policy about law enforcement is ruffling some feathers with FBI, and has been a point of debate among the rest of us. It has become such because it’s been viewed as just that – a policy – rather than what it really is, which is a design change. With iOS 8, Apple has finally brought their operating system up to what most experts would consider “acceptable security”. My tone here suggests that I’m saying all prior versions of iOS had substandard security – that’s exactly what I’m saying. I’ve been hacking on the phone since they first came out in 2007. Since the iPhone first came out, Apple’s data security has had a dismal track record. Even as recent as iOS 7, Apple’s file system left almost all user data inadequately encrypted (or protected), and often riddled with holes – or even services that dished up your data to anyone who knew how to ask. Today, what you see happening with iOS 8 is a major improvement in security, by employing proper encryption to protect data at rest. Encryption, unlike people, knows no politics. It knows no policy. It doesn’t care if you’re law enforcement, or a criminal. Encryption, when implemented properly, is indiscriminate about who it’s protecting your data from. It just protects it. That is key to security.

Up until iOS 8, Apple’s encryption didn’t adequately protect users because it wasn’t designed properly (in my expert opinion). Apple relied, instead, on the operating system to protect user data, and that allowed law enforcement to force Apple to dump what amounted to almost all of the user data from any device – because it was technically feasible, and there was nobody to stop them from doing it. From iOS 7 and back, the user data stored on the iPhone was not encrypted with a key that was derived from the user’s passcode. Instead, it was protected with a key derived from the device’s hardware… which is as good as having no key at all. Once you booted up any device running iOS 7 or older, much of that user data could be immediately decrypted in memory, allowing Apple to dump it and provide a tidy disk image to the police. Incidentally, it also allowed a number of hackers (including criminals) to read it.

Continue reading

iOS 8 Protection Mode Bug: Some User Files At Risk of Exposure

Apple’s recent security announcement suggested that they no longer have the ability to dump your content from iOS 8 devices:

“On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

It looks like there are some glitches in this new encryption scheme, however, and some of the files being stored on your iOS 8 device are not getting encrypted in this way. If you copy files over to your device using iTunes’ “File Sharing” feature or sync videos that appear in the “Home Videos” section of iOS, these files are not getting placed under the protection of your passcode. Theoretically, Apple could dump these in Cupertino, if given your locked iPhone.

Continue reading

Ballistic Has Been Acquired

To my fantastic Ballistic customers,

It’s been an incredible six years watching Ballistic grow from a humble trajectory computer to top the charts as the App Store’s most popular field firing system. Ballistic has grown organically – a rarity in this industry – through word of mouth, and nothing more. Not a single penny was ever spent on advertising to grow Ballistic, and yet it’s been featured in the NRA’s Rifleman magazine, reviewed in a number of online magazines and blogs, and is now used by many world class competition shooters, military, and police sharpshooters. It has become a trusted name in the industry, and for that I am deeply grateful to all of you who have told your friends about it, and helped support the product with great ideas and requests.

Many of you have been asking me when an Android version is coming, or when other platforms will be supported, or new hardware that’s just now coming out, and are eager to see Ballistic continue to grow in capabilities. There are a lot of great new things that can be done with Ballistic, and I think there’s much more in store. I can’t do all of this alone, though, and so I’ve been in talks over the past few months with a team who has the resources to take the Ballistic suite of products to the next level.

Continue reading

Your iOS 8 Data is Not Beyond Law Enforcement’s Reach… Yet.

In a recent announcement, Apple stated that they no longer unlock iOS (8) devices for law enforcement.

“On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

This is a significantly pro-privacy (and courageous) posture Apple is taking with their devices, and while about seven years late, is more than welcome. In fact, I am very impressed with Apple’s latest efforts to beef up security all around, including iOS 8 and iCloud’s new 2FA. I believe Tim Cook to be genuine in his commitment to user privacy; perhaps I’m one of the few who can see just how gutsy this move with iOS 8 is.

It’s important to take a minute, however, to note that this does not mean that the police can’t get to your data. What Apple has done here is create for themselves plausible deniability in what they will do for law enforcement. If we take this statement at face value, what has likely happened in iOS 8 is that photos, messages, and other sensitive data, which was previously only encrypted with hardware-based keys, is now being encrypted with keys derived from a PIN or passcode. No doubt this does improve security for everyone, by marrying encryption to the PIN (something they ought to have been doing all along). While it’s technically possible to brute force a PIN code, that doesn’t mean it’s technically feasible, and thus lets Apple off the hook in terms of legal obligation. Add a complex passcode into the mix, and it gets even uglier, having to choose any of a number of dictionary style attacks to get into your encrypted data. By redesigning the file system in this fashion (if this is the case), Apple has afforded themselves the ability to say, “the phone’s data is encrypted with a PIN or passphrase, and so we’re not legally required to hack it for you guys, so go pound sand”. I am quite impressed, Mr. Cook! That took courage… but it does not mean that your data is beyond law enforcement’s reach.
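The difference this post and "The Politics Behind iPhone Encryption and the FBI" above both turn on, a key derived from the device hardware alone versus one tangled with the passcode, and the "possible but not feasible" brute-force arithmetic, can be made concrete in a few lines. The following is an added example, not Apple's design or code from either post: the two "UID" values are constructed stand-ins for per-device hardware secrets, the iteration count is arbitrary, and the 80 ms-per-guess figure is an assumption taken from Apple's published iOS security documentation rather than a measurement.

```python
import hashlib
import hmac

# Constructed stand-ins for two devices' hardware secrets (a real UID is
# fused into the SoC and is only usable by code running on that device).
DEVICE_UID = bytes.fromhex("11" * 32)
OTHER_DEVICE_UID = bytes.fromhex("22" * 32)
ITERATIONS = 10_000            # assumed; real devices calibrate this to wall-clock time
SECONDS_PER_GUESS = 0.08       # assumed: Apple's published ~80 ms per passcode attempt
SECONDS_PER_YEAR = 365.25 * 86400


def hardware_only_key(uid: bytes) -> bytes:
    """iOS 7-era style: the class key hangs off the UID alone.

    Whether or not a passcode is set, anything that can run code on the
    booted device and use the UID reproduces this key, which is why the post
    calls it "as good as having no key at all".
    """
    return hmac.new(uid, b"class-key", hashlib.sha256).digest()


def passcode_tangled_key(passcode: str, uid: bytes) -> bytes:
    """iOS 8 style: the key depends on both the passcode and the UID, so each
    guess has to be made on (or with the cooperation of) that exact device."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), uid,
                               ITERATIONS, dklen=32)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       per_guess: float = SECONDS_PER_GUESS) -> float:
    """Worst-case time to try every passcode of the given shape on-device."""
    return (alphabet_size ** length) * per_guess


def feasibility_table():
    """Worst-case exhaustive search, in years, for common passcode shapes."""
    shapes = {
        "4-digit PIN": (10, 4),
        "6-digit PIN": (10, 6),
        "6-char lowercase+digits": (36, 6),
        "8-char lowercase+digits": (36, 8),
    }
    return {name: seconds_to_exhaust(a, n) / SECONDS_PER_YEAR
            for name, (a, n) in shapes.items()}


if __name__ == "__main__":
    same_pin_two_devices = (passcode_tangled_key("1234", DEVICE_UID)
                            != passcode_tangled_key("1234", OTHER_DEVICE_UID))
    print("same PIN gives different keys on different devices:", same_pin_two_devices)
    for name, years in feasibility_table().items():
        print(f"{name:26s} {years:12.5f} years")
```

Two things fall out of the table: a 4-digit PIN is exhausted in minutes even at 80 ms a guess, so "marrying encryption to the PIN" only buys real time once the passcode is long and alphanumeric, and because the key is tangled with the UID the work cannot be taken off the device and spread across a GPU farm, which is the part that separates "possible" from "feasible".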

Continue reading