Researcher says Apple can nab texts, contacts
An Apple logo is seen during Black Friday in San Francisco, California in this file photo from November 29, 2013. [Photo/Agencies]
Personal data including text messages, contact lists and photos can be extracted from iPhones through previously unpublicized techniques by Apple employees, the company acknowledged this week.
The same techniques to circumvent backup encryption could be used by law enforcement or others with access to the "trusted" computers to which the devices have been connected, according to the security expert who prompted Apple's admission.
In a conference presentation this week, researcher Jonathan Zdziarski showed how the services take a surprising amount of data for what Apple now says are diagnostic services meant to help engineers.
Users are not notified that the services are running and cannot disable them, Zdziarski said. There is no way for iPhone users to know what computers have previously been granted trusted status via the backup process or to block future connections.
"There's no way to 'unpair' except to wipe your phone," he said in a video demonstration he posted on Friday showing what he could extract from an unlocked phone through a trusted computer.
word spread about Zdziarski's initial presentation at the Hackers on Planet Earth conference, some cited it as evidence of Apple collaboration with the National Security Agency.
Apple denied creating any "back doors" for intelligence agencies.
"We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues," Apple said. "A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data."
But Apple also posted its first descriptions of the tools on its own website, and Zdziarski and others who spoke with the company said they expected it to make at least some changes to the programs in the future.
Zdziarski said he did not believe that the services were aimed at spies. But he said that they extracted much more information than was needed, with too little disclosure.
Security industry analyst Rich Mogull said Zdziarski's work was overhyped but technically accurate.
"They are collecting more than they should be, and the only way to get it is to compromise security," said Mogull, chief executive officer of Securosis.
Though there is no evidence that Apple has provided user information to security agencies, Zhou Qingshan, deputy director of Peking University's Institute of Information, believes it is common practice for IT companies to cooperate with national security departments.
"With the popularity of smart phones and the increasingly important role they play in people's lives, users need to always keep in mind not to download or register with apps that they are not familiar with, and meanwhile install some security software," he said.
Users of iPhones brushed off the concerns.
Pang Wenqi, manager of Beijing Zhongshi Yuanyang Automotive Sales and Service Co, said: "I pay a lot of attention to smartphone security as I set a daily cap for money transfers and our accountant receives the transfer record after every transfer.
Qiu Lin, a senior worker at a consulting company in Beijing, said: "So far, almost all the apps require you to agree to give them access to your location and information before you can use them.
"When a problem appears, solving it or reducing its harm to the lowest point is the right way to do. It won't stop my love for my iPhone, which made my life convenient and easier."
Wang Peng, a consultant at a pharmaceutical company in Shanghai, said: "I pay a lot of attention to privacy and never upload photos of my family on the Internet or other social networks. Actually, I'm not surprised at the release of the news, as there is no technology that is perfect and there must be some loopholes."
Contact the writer at firstname.lastname@example.org