Oxygen Forensics: Latest Forensics Tool to Exploit Apple’s “Diagnostic Service” to Bypass Encryption

Apple may claim that com.apple.mobile.file_relay, a key subject of my talk “Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices”, exists for diagnostics, but a recent announcement from the makers of the fantastic Oxygen Forensics suite is strong evidence that law enforcement forensics vendors continue to take every legal technical option available to them to acquire data. Whether Apple really does use file relay for diagnostics or not, we may never know, but the service is most definitely being used for other purposes, many of which raise some serious privacy concerns.

To give you an idea of how this “diagnostic service” is being used to bypass security in iOS devices, have a look at their latest press release. At the very top, you will see a service not unlike that of many other commercial forensics tools that have similar functionality:

[Screenshot: Oxygen Forensics press release, captured 2014-07-31]

It’s very clear from reading this description that they’re describing the file_relay service here, which serves no end-user purpose, and was not disclosed by Apple in any way until after my talk. This key service, as I’ve explained, bypasses the backup encryption that end-users and large enterprises (via MDM’s “force encrypted backups” mechanism) can set to protect data from being dumped in clear text from their device. You can read my research for actual threat models and caveats to this, so as not to rush to panic.

Oxygen, just like many other forensics tools, is widely used by government, law enforcement, military, and intelligence communities. Certainly, nobody can fault any of these software manufacturers for taking advantage of such services to bypass security features in mobile devices like the iPhone. They’re not the only ones either; a number of other commercial vendors do the same thing, and will continue to until Apple closes off the hole.

If Apple were not aware that their self-dubbed “diagnostics service” was being exploited in this fashion, they are now. It is my hope that they will close their service off completely, or cause it to respect backup encryption in future versions of iOS.