Fixing Poor Journalism: iPhone "Kill Switch" Myths and Rumors

So I post one little comment to a geek blog site about an "unauthorized apps" list downloaded by the iPhone, and every wanna-be-watergate journalist in the northern hemisphere emails me with conspiracy theories. Within just a few hundred small news articles, journalists have managed to regurgitate and paraphrase erroneous information to come up with some outrageous claims:
  • False: The iPhone spies on its owner, reporting illegal applications back to Apple
  • False: The "kill switch" was used to ban NetShare, I am Rich, and PhoneSaber
  • False: The "kill switch" can delete applications from the iPhone
  • False: The owner's GPS position is reported back to Apple
  • Confirmed?: The iPhone's "kill switch" will kill any application Apple wants.

Allow me to set the record straight.

The locationd cache, stored in /var/root/Library/Caches/locationd/, includes a cached list of unauthorized applications fetched from a URL on Apple's servers during a GPS fix. Only a list is downloaded; it doesn't "tell Apple" what applications you are running. We do not know just how active this mechanism will be in the future. It could vaporize applications, but so far we can only make it kill the ones using the GPS. We don't know what else it might do. For all we know, it might trigger World War Three, or it might cause some computer somewhere to spit out recipes for buttermilk pancakes. Journalists took certain creative liberties to blow this find way out of proportion. This definitely warrants some questions to Apple, and merits further research to determine what else, if anything, this means for iPhone users. Personally, I'm rooting for the pancakes theory.

Update 8/7: With a little DNS spoofing, I fed my own list into the iPhone and effectively killed (by name) applications that attempt to use the GPS. It looks like that's all it's set to do right now, but I may just not have found the "vaporize" switch. Think about it: if you know about a malicious piece of software that invades your privacy, how irresponsible would it be (in Steve's eyes) to let the application continue to run, even without GPS? It indeed would still have access to the microphone, camera, screenshots - not to mention a worldwide mobile network to transmit data on. This leaves only two viable possibilities: either it is an anti-malware solution, and has a switch somewhere to vaporize any app, or it's not an anti-malware solution and is really designed to kill applications that interfere with Apple's business model, such as unsanctioned traffic navigation software (which is apparently restricted from the AppStore). Either way, the idea that Apple can choose what functionality my applications should have frightens me.

Update 8/8: To disable this functionality entirely, jailbreak with Pwnage Tool, then add the following entry to /etc/hosts:

127.0.0.1 iphone-services.apple.com

I would also recommend using Pwnage to disable the "paranoid wipe" option in the iPhoneOS kernel.
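To confirm that the /etc/hosts entry above is actually in effect, the following added example (not part of the original post) reports how a hosts file resolves a given name, ignoring commented-out lines and honouring first-match order. The function name `hosts_status` and the sample file are constructed for illustration, and the script assumes a POSIX shell with awk.

```shell
#!/bin/sh
# Added example: report how a hosts file resolves a name.
# Prints "blocked" if the first matching entry maps the name to loopback,
# "mapped:<addr>" if it maps somewhere else, "absent" if there is no entry.
hosts_status() {
    file=$1
    name=$2
    awk -v want="$name" '
        BEGIN { want = tolower(want); result = "absent" }
        {
            sub(/#.*/, "")        # strip comments; a commented entry has no effect
            if (NF < 2) next      # blank line, or an address with no names
            for (i = 2; i <= NF; i++) {
                if (tolower($i) == want) {   # hostnames are case-insensitive
                    if ($1 ~ /^127\./ || $1 == "::1")
                        result = "blocked"
                    else
                        result = "mapped:" $1
                    exit          # the first matching line wins
                }
            }
        }
        END { print result }
    ' "$file"
}

# Constructed sample hosts file (not copied from a real device).
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1   localhost
# 127.0.0.1 iphone-services.apple.com
127.0.0.1	iPhone-Services.Apple.com   # entry from the post
EOF

hosts_status "$sample" iphone-services.apple.com
hosts_status "$sample" example.invalid
```

Run it against a copy of the device's /etc/hosts; any result other than "blocked" for iphone-services.apple.com means the entry is missing, commented out, or shadowed by an earlier line.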

Update 8/11: Unless the media is misreporting Steve Jobs, he apparently has confirmed the existence of a kill switch that can disable any application. So unless, for some reason, they decided to build two separate mechanisms into the iPhone to do this (of which the other one is invisible), this one likely feeds a "master" kill switch. Perhaps there is a special setting in the configuration file which can vaporize the app altogether. Of course, this is just speculation, but as I said before, it would be irresponsible to have a blacklist, but only use it to kill GPS applications.

NOTE: Don't take this to mean that I support the existence of any blacklist. Would you support the same mechanism on your desktop computer? No. The inherent problem with all of this is that it takes away the requirement for the device's owner to act responsibly in what they do with their electronic device. My view on this is that it's the political equivalent of a totalitarian government, replacing personal responsibility with central control. I strongly recommend you disable the mechanism using the technique above.

"Hopefully we never have to pull that lever, but we would be irresponsible not to have a lever like that to pull"

So exactly how many other things has Apple applied the above philosophy to? A back-door to all File Vault accounts? A mechanism on your laptop to disable decrypted iTunes music? Where exactly does the software manufacturer become irresponsible in controlling the user's equipment for them, and what authority does the manufacturer assume to take control of a user's device without their permission?

The technical failure implied by the need for a kill switch could be compared to the social failure a country would need to incur to justify integrating kill switches into human beings - namely, all other facilities to keep and maintain a secure environment are believed to be failing, leading some to justify their own need to interfere with others' privacy.

The truth is that Apple does much more than other manufacturers do in monitoring what software is installed on a device - they've given themselves the ability to interfere with it, and this while it's active on the user's device. More troubling is that this was done without disclosing such functionality to the consumer, making it more suspect than Apple is usually considered to be. Many argue that Apple would never use such a mechanism; if that's the case then it doesn't need to exist in the first place. I doubt it will be used now that it's out in the open, but I am equally certain that Apple would have had no problems using it while it remained a secret.

This functionality may have a place in the enterprise, but at an enterprise level, and not the manufacturer level. Companies seeking to control what software is allowed on employees' iPhones might have justification in using a tool like this. The manufacturer is never justified in using it, especially without full disclosure of the tool's existence.

Such a mechanism would never fly in a desktop device, and yet the two are virtually equal. Most desktops are connected to the network 24 hours a day, and many cellular carriers sell a laptop card allowing computers to connect up to the same network as the iPhone. Yet desktops are far more subject to viruses and other malware than a mobile phone.

The point is, the simple need for a switch like this means that the system has already failed. If Apple's heavy DRM, lengthy approval process, and "secure sandbox" are not capable of preventing malicious software from running on the iPhone, the need for a remote "kill switch" should be proof enough of this, just as the need for a kill switch in humans is a sign that a society has already failed. Fortunately, the kill switch can be disabled with a hack. Users who jailbreak their iPhone can install a tool called BossPrefs and easily disable the kill switch with a few taps. It would have been nice if Apple had provided that ability.

Bottom line: the iPhone kill switch is counterintuitive to security - not beneficial to it.

 All Website Content © Jonathan A. Zdziarski. All Rights Reserved.
Reproduction prohibited without permission