An Open Letter to Tim Cook and Apple’s Security Team

Greetings!

You may not know me, but you probably know my research over the years. I’ve been researching security on Apple devices since 2007, when iPhone first came out, and even helped put together the very first jailbreaks. I’ve assisted law enforcement and military with forensics tools and support on iDevices, and had already started helping to make our world a much better place before Apple even had a law enforcement process. Additionally, I’ve written several books on iPhone ranging from development, to security, to forensics. Throughout my time researching Apple, I’ve found many vulnerabilities that affect the privacy of your customers (including me!), and have presented findings at numerous security and forensics conferences, including Black Hat, Hackers on Planet Earth (HOPE), Mobile Forensics World, Techno Security, HTCIA, and others. Never asked you to feature my books in your store (even when mine were the only iPhone books), never asked for free products, invites to anything, or felt entitled to anything. I love Apple products, and that’s why it’s been a fun experience to tinker with them, and it feels good to know that I’ve played a small, but consistent role in seeing their security improve over time.

You know what’s not fun? When I work very hard on a research paper, go to the trouble of submitting it to a scientific journal, and pay out of my own pocket to travel to a conference to present my findings only to have Apple silently sweep the vulnerabilities I’ve discovered under the rug without ever disclosing their existence, the patches you’ve made, or giving the researcher proper credit in your security release notes. Today, you released your security notes for iOS 8, and guess what wasn’t in them? Almost all of the things you fixed in Beta 5, that came directly from my research paper. Shortly after my research made national news, Apple fixed a number of these serious vulnerabilities that – at best – were the product of horribly sloppy engineering. Not small issues, either, mind you – issues that allowed for persistent, wireless surveillance of iOS devices, wirelessly intercepting packet data, and bypassing the consumer’s backup encryption password to scrape highly sensitive consumer data (including SMS, photo album, geolocation database, and more) from the device using a number of undisclosed services Apple had never told the public even existed and were running on all 600 million consumer devices, in spite of the fact that numerous commercial law enforcement forensics tools were actively exploiting these services to dump highly sensitive content from consumers’ mobile devices.

I am very glad to see that Apple has taken security seriously enough lately to address vulnerabilities quickly, and – from what I’ve seen – elegantly. I’ve even written up a paper praising Apple for their quick and thorough response to these issues. That’s the end-game of any security researcher’s work, is to see a safer product on the market for consumers. What I’m not glad about at all is that Apple has seemingly swept these issues under the rug, to the degree that they’re not even acknowledged in your security notes. Apple’s code fixes can be clearly observed right in the iOS 8 firmware, and yet there is not a single mention of them in the release notes, nor any acknowledgments for the researcher. If there is any ethical practice to be expected in information security – or science of any kind for that matter – it is to properly acknowledge those who’s research you’ve consumed. In many settings, failure to do so is considered plagiarism. My name somehow made it into the iOS 8 notes for some obscure address book encryption issue that I don’t recall even reporting… yet there has been no mention of the more serious issues being fixed, or ever existing. I do see a number of jailbreak teams mentioned, and a number of others who’s exploits you’ve no doubt incorporated into patches for iOS 8. Yet not one mention of file relay, wireless lockdown vulnerabilities, packet sniffer access control vulnerabilities, or backup encryption bypass vulnerabilities.

As a result of Apple’s silence on these patches to iOS, your own consumers are left in the dark, being unaware that such vulnerabilities ever existed, except by third party accounts. This could potentially put many diplomats, government officials, even world leaders, CEOs, and other high-profile individuals (likely targets of the types of attacks I outline in my research) at risk, by being unable to assess whether or not any potential information breach may have occurred. Additionally, by not acknowledging the hard work of “some” select security researchers, you’re insulting them and continuing to create a hostile environment for them to work in, making the idea of reaching out to Apple with findings even more remote. Apple has no open communication with security researchers, no bounty program, no legal disclosure policies or legal protections for researchers to come forward with findings, and now by snubbing some of them, can add insult onto that list.

I have been the repeated target of hostility from certain factions at Apple over the years. Apple continually interfered with my employment several years ago when I worked for a federally funded research and development center on defense related projects. Another time, Apple threatened to sue Gartner if I gave a talk highlighting weaknesses in the encryption of the iPhone 3G[s]. Many employees at Apple have also made very personal and rude remarks about me to a number of law enforcement personnel that we’ve mutually assisted. I am not sure what sparked all of this hostility toward me, but I assure you that it didn’t start with me. I had really hoped that the culture at Apple has started to change with the new management, and with Apple’s swift response to my findings (even though you initially ignored my email about them). I had hoped that at some point, I could begin to connect with Apple on some level on future vulnerabilities research, however the message that Apple is sending to me is that you have no desire to work with researchers like myself – for reasons left unknown.

I continue to love Apple products and the ingenuity behind them. There must be some fantastic developers at Apple with great minds, and I’ve come to appreciate that. Tim’s even starting to grow on me, from what I’ve seen in interviews. If Apple still wants nothing to do with me, I can accept this. But I do expect the largest company in the world to have the ethical gumption to at least acknowledge serious vulnerabilities and give due credit to all security researchers, whether you like them or not. Personally, I don’t care whether or not Apple acknowledges me… but this is already a big problem in the scientific community, and an issue that Apple should be setting a good example for, rather than aggravating. It is also doing a disservice to your consumers by sweeping serious vulnerabilities (that you have addressed) quietly under the rug.

Sincerely,

Jonathan Zdziarski

Update:

Apple has since added a small knowledge base “note” at the bottom of their iOS Security Release notes vaguely explaining changes to “diagnostic services”, however still does not explain the vulnerabilities that were addressed (or cite any credit for the changes). This small note appears to have been added as an afterthought, as it doesn’t even show up in some copies of the page due to caching. Please refer to my own blog entry for an outline of what Apple has addressed.