Zdziarski

DFIR, security, reverse engineering, photography, theology, funky bass guitar. All opinions are my own.
Apple, Security

An Open Letter to Tim Cook and Apple’s Security Team

On September 17, 2014 by Jonathan Zdziarski

Greetings!

You may not know me, but you probably know my research over the years. I’ve been researching security on Apple devices since 2007, when the iPhone first came out, and even helped put together the very first jailbreaks. I’ve assisted law enforcement and military with forensics tools and support on iDevices, and had already started helping to make our world a much better place before Apple even had a law enforcement process. Additionally, I’ve written several books on iPhone ranging from development, to security, to forensics. Throughout my time researching Apple, I’ve found many vulnerabilities that affect the privacy of your customers (including me!), and have presented findings at numerous security and forensics conferences, including Black Hat, Hackers on Planet Earth (HOPE), Mobile Forensics World, Techno Security, HTCIA, and others. I never asked you to feature my books in your store (even when mine were the only iPhone books), never asked for free products or invites to anything, and never felt entitled to anything. I love Apple products, and that’s why it’s been a fun experience to tinker with them, and it feels good to know that I’ve played a small but consistent role in seeing their security improve over time.

You know what’s not fun? When I work very hard on a research paper, go to the trouble of submitting it to a scientific journal, and pay out of my own pocket to travel to a conference to present my findings, only to have Apple silently sweep the vulnerabilities I’ve discovered under the rug without ever disclosing their existence, the patches you’ve made, or giving the researcher proper credit in your security release notes. Today, you released your security notes for iOS 8, and guess what wasn’t in them? Almost all of the things you fixed in Beta 5, which came directly from my research paper. Shortly after my research made national news, Apple fixed a number of these serious vulnerabilities that – at best – were the product of horribly sloppy engineering. Not small issues, either, mind you – issues that allowed for persistent, wireless surveillance of iOS devices, wirelessly intercepting packet data, and bypassing the consumer’s backup encryption password to scrape highly sensitive consumer data (including SMS, photo album, geolocation database, and more) from the device using a number of undisclosed services that Apple had never told the public even existed and that were running on all 600 million consumer devices, in spite of the fact that numerous commercial law enforcement forensics tools were actively exploiting these services to dump highly sensitive content from consumers’ mobile devices.

I am very glad to see that Apple has taken security seriously enough lately to address vulnerabilities quickly, and – from what I’ve seen – elegantly. I’ve even written up a paper praising Apple for their quick and thorough response to these issues. The end-game of any security researcher’s work is to see a safer product on the market for consumers. What I’m not glad about at all is that Apple has seemingly swept these issues under the rug, to the degree that they’re not even acknowledged in your security notes. Apple’s code fixes can be clearly observed right in the iOS 8 firmware, and yet there is not a single mention of them in the release notes, nor any acknowledgment of the researcher. If there is any ethical practice to be expected in information security – or science of any kind for that matter – it is to properly acknowledge those whose research you’ve consumed. In many settings, failure to do so is considered plagiarism. My name somehow made it into the iOS 8 notes for some obscure address book encryption issue that I don’t recall even reporting… yet there has been no mention of the more serious issues being fixed, or ever existing. I do see a number of jailbreak teams mentioned, and a number of others whose exploits you’ve no doubt incorporated into patches for iOS 8. Yet not one mention of file relay, wireless lockdown vulnerabilities, packet sniffer access control vulnerabilities, or backup encryption bypass vulnerabilities.

As a result of Apple’s silence on these patches to iOS, your own consumers are left in the dark, being unaware that such vulnerabilities ever existed, except by third party accounts. This could potentially put many diplomats, government officials, even world leaders, CEOs, and other high-profile individuals (likely targets of the types of attacks I outline in my research) at risk, by being unable to assess whether or not any potential information breach may have occurred. Additionally, by not acknowledging the hard work of “some” select security researchers, you’re insulting them and continuing to create a hostile environment for them to work in, making the idea of reaching out to Apple with findings even more remote. Apple has no open communication with security researchers, no bounty program, no legal disclosure policies or legal protections for researchers to come forward with findings, and now by snubbing some of them, can add insult onto that list.

I have been the repeated target of hostility from certain factions at Apple over the years. Apple continually interfered with my employment several years ago when I worked for a federally funded research and development center on defense-related projects. Another time, Apple threatened to sue Gartner if I gave a talk highlighting weaknesses in the encryption of the iPhone 3G[s]. Many employees at Apple have also made very personal and rude remarks about me to a number of law enforcement personnel that we’ve mutually assisted. I am not sure what sparked all of this hostility toward me, but I assure you that it didn’t start with me. I had really hoped that the culture at Apple had started to change with the new management, and with Apple’s swift response to my findings (even though you initially ignored my email about them). I had hoped that at some point I could begin to connect with Apple on some level on future vulnerability research; however, the message that Apple is sending to me is that you have no desire to work with researchers like myself – for reasons left unknown.

I continue to love Apple products and the ingenuity behind them. There must be some fantastic developers at Apple with great minds, and I’ve come to appreciate that. Tim’s even starting to grow on me, from what I’ve seen in interviews. If Apple still wants nothing to do with me, I can accept this. But I do expect the largest company in the world to have the ethical gumption to at least acknowledge serious vulnerabilities and give due credit to all security researchers, whether you like them or not. Personally, I don’t care whether or not Apple acknowledges me… but this is already a big problem in the scientific community, and an issue that Apple should be setting a good example for, rather than aggravating. It is also doing a disservice to your consumers by sweeping serious vulnerabilities (that you have addressed) quietly under the rug.

Sincerely,

Jonathan Zdziarski

 

Update:

Apple has since added a small knowledge base “note” at the bottom of their iOS Security Release notes vaguely explaining changes to “diagnostic services”; however, it still does not explain the vulnerabilities that were addressed (or give any credit for the changes). This small note appears to have been added as an afterthought, as it doesn’t even show up in some copies of the page due to caching. Please refer to my own blog entry for an outline of what Apple has addressed.

All Content Copyright (c) 2000-2022 by Jonathan Zdziarski, All Rights Reserved