The IT Nerd

Researcher Says “Backdoors” Closed In iOS 8… Mostly


You might remember that security researcher Jonathan Zdziarski caused the planet to freak out because he found “backdoors” in iOS that could allow anyone to snoop on unsuspecting users. He then released a proof-of-concept video showing how easy they were to exploit, and Apple’s response left most unimpressed.

Fast forward to today. Zdziarski has had a chance to look at iOS 8 and here’s what he had to say:

After some preliminary testing, it appears that a number of vulnerabilities reported in my recent research paper and subsequent talk at HOPE/X have been addressed by Apple in iOS 8. The research outlined a number of risks for wireless remote surveillance, deep logical forensics, and other types of potential privacy intrusions fitting certain threat models such as high profile diplomats or celebrities, targeted surveillance, or similar threats.

But before you celebrate, read this:

While closing off the file_relay service greatly improves the data security of the device, one mechanism that hasn’t been addressed adequately is the ability to obtain a handle to application sandboxes across a USB connection, even while the device is locked. This capability is used by iTunes to access application data, but also presents a vulnerability: commercial forensics tools can (and presently do) take advantage of this mechanism to dump the third party application data from a seized device, if they have access to (or can generate) a valid pairing record with the device. For example, if you are detained at an airport or arrested and both your laptop and your phone are seized, or if your phone is seized unlocked (without a laptop present), a number of forensics tools including those from Oxygen, Cellebrite, AccessData, Elcomsoft and others are capable of dumping third party application data across USB. It is not designed to be protected with a backup password either, putting the data at risk of being intercepted in cleartext. Because a pair record can unlock the data-protection encryption using the EscrowBag included in the record, this data can be dumped if the device has not been shut down or rebooted since it was last used. Still, because this information is only accessible with physical possession of the device (and no longer wirelessly), the risk is less than in prior versions of iOS.
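
Since the exposure hinges on pairing records sitting on a computer you have paired with, here is an added example (mine, not Zdziarski's or Apple's code) that audits a folder of pairing records and flags the ones carrying an EscrowBag. It assumes the records are stored as property-list files; the `HostID` key, the 30-day threshold and the sample files are constructed for illustration.

```python
import os
import plistlib
import tempfile
import time
from pathlib import Path
from xml.parsers.expat import ExpatError

MAX_AGE_DAYS = 30  # hypothetical review threshold, not from the article


def audit_pairing_records(directory, now=None, max_age_days=MAX_AGE_DAYS):
    """Report which pairing records in `directory` carry an EscrowBag."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            with path.open("rb") as fh:
                record = plistlib.load(fh)
        except (plistlib.InvalidFileException, ExpatError, ValueError, OSError):
            findings.append({"file": path.name, "error": "unreadable"})
            continue
        if not isinstance(record, dict):
            findings.append({"file": path.name, "error": "unreadable"})
            continue
        age_days = (now - path.stat().st_mtime) / 86400
        findings.append({
            "file": path.name,
            "has_escrow_bag": bool(record.get("EscrowBag")),
            "age_days": round(age_days),
            "stale": age_days > max_age_days,  # old pairing worth reviewing
        })
    return findings


def write_constructed_samples(directory, now):
    """Constructed sample records; key names other than EscrowBag are assumed."""
    samples = {
        "device-a.plist": ({"HostID": "CONSTRUCTED-1", "EscrowBag": b"\x00" * 16}, 90),
        "device-b.plist": ({"HostID": "CONSTRUCTED-2"}, 2),
    }
    for name, (record, age_days) in samples.items():
        path = Path(directory) / name
        path.write_bytes(plistlib.dumps(record))
        stamp = now - age_days * 86400
        os.utime(path, (stamp, stamp))  # backdate the file to simulate age


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_samples(tmp, time.time())
        for finding in audit_pairing_records(tmp):
            print(finding)
```

On macOS the pairing records have lived under `/var/db/lockdown`, which needs elevated privileges to read; point `audit_pairing_records` at a copy of that folder to see which pairings you may want to review.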

If you’re an iOS user, you should read his entire post. It’s very enlightening. In the meantime, I wonder if Apple will have any comment on if and how they plan to address what he found.
