
Identifying backdoors, attack points, and surveillance mechanisms in iOS devices - rjzzleep
http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms.pdf
======
majke
Mr Zdziarski gave this talk also at the HOPE conference yesterday. It's highly
recommended. Slides:

[http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms.pdf](http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms.pdf)

For the people wanting to secure their iPhone, go to the end to the slide
"Apple Configurator" and follow the described steps to disable your iPhone
from pairing with anything.

~~~
benguild
I'm confused. Normally one cannot "pair" a device without entering the
passcode to unlock it.

Is this not the case?

~~~
kevinchen
Yes, but one issue is that you could be pressured into pairing the device. Or
someone can brute force the passcode to access the pairing UI.

The slides mention a way to bypass pairing, but I don't think they ever
mentioned how.

~~~
makomk
Apple can boot the device over USB using a custom image that doesn't require
the passcode. Other people can't because it needs to be signed with Apple's
key in order to run.

~~~
benguild
Got it. But if you say "don't allow pairing" they're SOL from a software
perspective? I find that hard to believe... but either way, who knows really.

------
wyager
>This is due to iOS' behavior of automatically joining networks whose name
(not MAC address) it recognizes, such as “linksys” or “attwifi”.

Discriminating by MAC addresses would not help at all. MAC addresses are
trivial to spoof, even though they are "in hardware".

It would be cool if we had a standardized trust-on-first-use cryptographic
authentication model for wireless APs, like we do with SSH right now. You
connect to the AP, it sends you its pubkey, your phone says "Do you want to
trust AP with key AB:CD:BE:EF...". The discriminating paranoid person can
choose to make sure this is the right key hash, and the average person gets at
least limited protection from later AP spoofing attacks.

~~~
x1798DE
Yeah, I've been shocked by how easy it is to get a brand new router and set it
up with the same SSID and password and every device I have auto-connects like
it's the same thing. If you have the AP password, it's trivial to set up a
fake second router in the same vicinity (you don't even have to touch the
original one) with a stronger signal and have everyone connect through your
gateway.

Of course, once you have the AP password there's a lot you can do to the
network traffic _anyway_, but it'd still be nice if the computer would pop
something up and say, "The configuration of this device does not match the
known configuration - do you still want to connect?"
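
The trust-on-first-use model wyager describes, together with the "configuration does not match" warning x1798DE asks for, as an added example that is not part of this thread and not Apple's or OpenSSH's code: a known_hosts-style pin store for APs. It assumes a hypothetical AP that presents a public key during association; the SSIDs, BSSIDs and key bytes are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class APIdentity:
    """What the client sees during association (hypothetical: real APs
    present no key today; the SSID, BSSID and key bytes used below are constructed)."""
    ssid: str
    bssid: str      # MAC address: trivially spoofed, so never used for trust
    pubkey: bytes   # AP public key as presented during association
    security: str   # e.g. "WPA2-PSK" or "open"


def display_fingerprint(pubkey: bytes) -> str:
    """Short SSH-style hash shown to the user on first use ("AB:CD:BE:EF...")."""
    digest = hashlib.sha256(pubkey).digest()
    return ":".join(f"{b:02X}" for b in digest[:4]) + "..."


class TOFUStore:
    """Pins one key fingerprint and one security type per SSID, the way SSH
    known_hosts pins one host key per host name."""

    def __init__(self):
        self.pins = {}  # ssid -> {"fp": hex sha256 of key, "security": str}

    def check(self, ap: APIdentity) -> str:
        fp = hashlib.sha256(ap.pubkey).hexdigest()
        pinned = self.pins.get(ap.ssid)
        if pinned is None:
            # First use: trust and remember. A careful user compares
            # display_fingerprint() against a known-good value at this point.
            self.pins[ap.ssid] = {"fp": fp, "security": ap.security}
            return "first-use"
        if pinned["fp"] != fp:
            # Same SSID but a different key: a second AP, even if the BSSID matches.
            return "key-mismatch"
        if pinned["security"] != ap.security:
            # Same key but e.g. WPA2 earlier and open now: warn before joining.
            return "security-mismatch"
        return "ok"


if __name__ == "__main__":
    store = TOFUStore()
    home = APIdentity("linksys", "00:11:22:33:44:55", b"constructed-key-A", "WPA2-PSK")
    twin = APIdentity("linksys", "00:11:22:33:44:55", b"constructed-key-B", "WPA2-PSK")
    print(store.check(home), display_fingerprint(home.pubkey))  # first-use
    print(store.check(home))  # ok
    print(store.check(twin))  # key-mismatch, despite identical SSID and BSSID
```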

~~~
nwh
OS X, and I assume iOS, does detect this. If you connect to an AP that was
WPA2 encrypted in the past and has the same name but no encryption now, it
gives you a big scary warning and bails out.

~~~
im3w1l
I guess this is to combat password stealing attempts in particular, and not AP
spoofing in general, since you could easily make the new AP WPA2?

~~~
nwh
I'd have to look it up, but I don't think the AP would get the plaintext
password during the WPA2 key exchange.

------
simscitizen
The packet tracer is an interface to a tcpdump-like facility that's used for
debugging. It requires you to connect the device to a Mac host. The interface
is publicly documented:
[https://developer.apple.com/library/Mac/qa/qa1176/_index.htm...](https://developer.apple.com/library/Mac/qa/qa1176/_index.html#//apple_ref/doc/uid/DTS10001707-CH1-SECIOSPACKETTRACING)

~~~
ibisum
Come on, this is a full packet dump of whatever you want. So... why is it
enabled by default, why isn't it in the developer image (only) if it's so
vital, and so on.

This was intentionally architected for exploit.

------
jwr
The key takeaway for me here is that it is _much_ more difficult to access
data on iOS devices if they are switched off.

So, if you are in a situation where you can expect that your device will be
accessed (e.g. crossing the US border), switch it off ahead of time.

~~~
iamshs
And according to new diktat, you will have to turn your phone on while
crossing borders (I guess only restricted to TSA yet) [1]. So once it is on,
it will let you have all the packet sniffer log dump. And on US borders,
non-US citizens will be made to enter their PINs [2]. Key takeaway for me is
why is the phone logging so much data without there being a need for it, and
even eating into data capacity.

[1] - [http://www.theguardian.com/world/2014/jul/06/tsa-cellphones-explosives-security-flights-us-bound](http://www.theguardian.com/world/2014/jul/06/tsa-cellphones-explosives-security-flights-us-bound)

[2] - [http://www.forbes.com/sites/kashmirhill/2013/02/21/the-privacy-price-to-cross-the-border/](http://www.forbes.com/sites/kashmirhill/2013/02/21/the-privacy-price-to-cross-the-border/)

------
chippy
What are "close access methods"?

Would bluetooth or iBeacon or Wifi be used with that, or does it need a cable,
or actual button pressing, for example?

~~~
comex
You would have to attach a cable and, on recent iOS versions, press a button
to trust the device (and I think enter the passcode - not sure - but not if
the device gets shipped to Apple).

------
dm2
Why does Apple re-enable Bluetooth every time you update iOS?

"STOP RESISTING, WE WANT TO TRACK YOU" (iBeacon)

~~~
astrange
iBeacon is purely passive and cannot track you.

~~~
mcintyre1994
You could in theory set up a Bluetooth surveillance network though couldn't
you? I really doubt that's remotely the goal for Apple but Bluetooth always on
would make it possible I think.

~~~
rsynnott
It'd be quite a lot easier to do this with wifi, and indeed such systems
exist, for monitoring people in shops etc. iOS 8 makes it substantially harder
for these to work effectively (through randomised MAC addresses when looking
for networks), which seems like an indication that Apple isn't interested in
facilitating this sort of thing.

------
jug5
Full text:
[https://pdf.yt/d/1dKWAxs03AvnYqkt](https://pdf.yt/d/1dKWAxs03AvnYqkt)

~~~
ejr
Mods, please change the article URL to this.

~~~
chmars
The URL should IMHO be
[http://www.zdziarski.com/blog/?p=3441](http://www.zdziarski.com/blog/?p=3441)
(primary source) or even directly
[http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms.pdf](http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms.pdf).

~~~
dang
I agree. We changed the url to that second link from
[http://www.sciencedirect.com/science/article/pii/S1742287614...](http://www.sciencedirect.com/science/article/pii/S1742287614000036).

Linking directly to the pdf would go against what the author says he wants
there.

------
thejosh
For only $31.50 you can find this out.

~~~
wyager
I was able to log in with my university credentials and get free access.

~~~
67726e
Even better. For a measly 10.000 in tuition I can access the article!

~~~
wyager
I wasn't suggesting that, obviously. I was trying to be helpful and point out
that students have free access.

~~~
chmars
OT: Technically, it is not free access. You (or at public institutions, the
general public) paid for your access … in discussions on open access, I often
learn that many researchers, scientists etc. are under the impression that
they already have open access although they simply get routed around paywalls
because they use IP addresses of their paying institutions.

~~~
wyager
Really? Universities don't have a bulk subscription plan or something?

------
newaccountfool
I know each publisher is different, but is there a guideline amount of how
much each researcher gets when they are published in such journals?

~~~
ac29
-$2000 is fairly common.

As mentioned below, authors have to pay publication fees. Most journals are
for profit and closed-access, though this is starting to change somewhat.
Somewhat ironically, being published in these journals is a prerequisite for
how researchers actually do get paid: by grants, usually taxpayer funded.

~~~
newaccountfool
Is it also true that some organisations also pay their employees if they
publish papers? I've heard this happens in the security field.

~~~
mseri
It doesn't happen in physics and mathematics. On the other hand you will
probably be fired if you don't publish...

