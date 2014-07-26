| SAN FRANCISCO, July 25
SAN FRANCISCO, July 25 Personal data including
text messages, contact lists and photos can be extracted from
iPhones through previously unpublicized techniques by Apple Inc
employees, the company acknowledged this week.
The same techniques to circumvent backup encryption could be
used by law enforcement or others with access to the "trusted"
computers to which the devices have been connected, according to
the security expert who prompted Apple's admission.
In a conference presentation this week, researcher Jonathan
Zdziarski showed how the services take a surprising amount of
data for what Apple now says are diagnostic services meant to
help engineers.
Users are not notified that the services are running and
cannot disable them, Zdziarski said. There is no way for iPhone
users to know what computers have previously been granted
trusted status via the backup process or block future
connections.
"There's no way to `unpair' except to wipe your phone," he
said in a video demonstration he posted Friday showing what he
could extract from an unlocked phone through a trusted computer.
As word spread about Zdziarski's initial presentation at the
Hackers on Planet Earth conference, some cited it as evidence of
Apple collaboration with the National Security Agency.
Apple denied creating any "back doors" for intelligence
agencies.
"We have designed iOS so that its diagnostic functions do
not compromise user privacy and security, but still provides
needed information to enterprise IT departments, developers and
Apple for troubleshooting technical issues," Apple said. "A user
must have unlocked their device and agreed to trust another
computer before that computer is able to access this limited
diagnostic data."
But Apple also posted its first descriptions of the tools on
its own website, and Zdziarski and others who spoke with the
company said they expected it to make at least some changes to
the programs in the future.
Zdziarski said he did not believe that the services were
aimed at spies. But he said that they extracted much more
information than was needed, with too little disclosure.
Security industry analyst Rich Mogull said Zdziarski's work
was overhyped but technically accurate.
"They are collecting more than they should be, and the only
way to get it is to compromise security," said Mogull, chief
executive officer of Securosis.
Mogull also agreed with Zdziarski that since the tools
exist, law enforcement will use them in cases where the desktop
computers of targeted individuals can be confiscated, hacked or
reached via their employers.
"They'll take advantage of every legal tool that they have
and maybe more," Mogull said of government investigators.
Asked if Apple had used the tools to fulfill law enforcement
requests, Apple did not immediately respond.
For all the attention to the previously unknown tools and
other occasional bugs, Apple's phones are widely considered more
secure than those using Google Inc's rival Android
operating system, in part because Google does not have the power
to send software fixes directly to those devices.
(Reporting by Joseph Menn; Editing by Lisa Shumaker)