There are a lot of terrible news articles out there, and a lot of terrible “journalists” who have either over-hyped my research, or dismissed it entirely. After ZDNet’s utterly horrible diatribe about my research, I posted a proof-of-concept to help further clarify what was and wasn’t possible. Unfortunately, the FUD has continued, and so I thought it would make sense to help provide readers with some middle-of-the-road and easy-to-understand technical links that would help make sense of everything.
End users rely on backup encryption to protect the data on their phone in the event that someone either obtains physical access to an unlocked phone, or access to their computer. Enterprises rely heavily on the “force encrypted backups” MDM policy Apple provides to protect corporate trade secrets and other confidential information stored on employee phones. Having a backdoor to bypass this encryption can be very dangerous for both individuals and businesses. Additionally, the wireless component of this allows for remote and persistent monitoring, making this a potentially long-term and stealthy threat.
Here’s a list of the technology articles I’ve found useful at explaining my talk and slides. While there may be a few slight technical inaccuracies here or there, these are all “good reads” that overall do a good job.
New Backdoors Discovered in iOS? An Interview With iOS Developer and Digital Forensics Expert Jonathan Zdziarski
Kim Crawley, InfoSec Institute
iOS Lockdown Diagnostic Services (TL;DR)
Dino Dai Zovi, Co-Author “iOS Hacker’s Handbook”
Surveillance Mechanisms in iOS Devices – Don’t Panic but… Do Read This
Elissa Shevinsky, CEO of Glimpse
Apple iPhones allow extraction of deep personal data, researcher finds
Reuters / Joseph Menn
Is Apple’s iOS Backdoor Not a Backdoor
Wall Street Cheat Sheet / Nathaniel Arnold
iOS slurp ware brouhaha: It’s for diagnostics, honest, says Apple
The Register / Iain Thomson
Apple Snuck Backdoor Surveillance Tools Into Their (i.e. Your) iOS*
Matthew Phelan, Gawker
* The headline is sensational, as per usual, but the article itself is quite balanced
I’ve also recently posted a pastebin dump of all the personal data I was able to wirelessly retrieve off of my personal iPhone running 7.1.2 using this service to bypass backup encryption, and with “iTunes Sync” turned off.