Does every iPhone spy on its owner, after all?

Your iPhone runs hidden monitoring services. Who uses them, and for what purpose?

A recent publication by the well-known iOS security researcher Jonathan Zdziarski, dedicated to background monitoring services in iOS, caused a wave of articles in various tones: some accused Apple of working for the NSA, while others dismissed the issue entirely. The truth, however, is somewhere in between. Some functions that exist and are active in every iOS device can be used to connect to the device and siphon its contents despite enabled security measures such as a PIN code or backup encryption. However, there are serious limitations, which is why the problem is not a global emergency requiring immediate action from every user.

The existence of these services does not necessarily imply bad intentions on Apple’s part. The company did respond to journalists’ enquiries and published a tech support article describing each “diagnostic” service, insisting that they are used for technical support and enterprise iOS deployment. However, the possibility that the services could be misused must not be overlooked.

Attack scenario

First, an attacker must be able to physically connect the device to his computer via USB, and the iPhone/iPad must be unlocked at that moment (on iOS 7 and later the user must also accept the “Trust this computer?” prompt). iOS then establishes a “pairing” with the computer: a trusted relationship that is normally used to sync data. The set of keys and certificates created during pairing is stored on the computer and can later be used to communicate with the iPhone over a wired or wireless connection. Alternatively, an attacker can steal the pairing keys from an already-paired computer using malware, in which case physical access to the iOS device is not required at all.


At this stage, a special set of services running on every iPhone comes into play.

These services (the ones Apple documented are com.apple.mobile.pcapd, com.apple.mobile.file_relay and com.apple.mobile.house_arrest) can capture all network traffic on the device and extract photos, messages, contacts and other types of content. They are active regardless of the device’s security and sync settings, require no user interaction and show no notification. Thus a hypothetical attacker in possession of the pairing keys can connect to the iOS device and monitor it remotely, presumably from the same Wi-Fi network: Zdziarski was unable to perform this trick across a cellular operator’s network.

Is it widespread?

No. An attacker must either obtain the victim’s unlocked device or compromise his or her computer, and after that still needs a stable connection to the victim’s iPhone. Such a combination of factors is plausible when a government agency or another powerful entity targets a specific person, but for “mass-market” attacks it is too complicated and not economically efficient. The important exception is people close to the victim: co-workers, family members and so on. They could use these hidden services with ease, but, luckily, the required forensic software is not that easy to obtain. However, to make sure that you are on the safe side, you can follow…

Our advice

To avoid unwanted pairings, never use someone else’s charger or cable, which may turn out to be a sync device in disguise. Use only your own wall charger. A good option for travellers is a USB “data blocker” adapter, which passes power but not the USB data lines, so no pairing can take place.

Never hand your unlocked phone to strangers, or at least make sure you closely monitor what they do with it. To prevent the pairing keys from being stolen from your own computer, use the strongest malware protection you can find. Once paired, your iPhone/iPad keeps the list of paired computers and the associated keys indefinitely, and the only way to get rid of unwanted pairings is a factory reset. Luckily, recent improvements in iCloud services allow you to perform this cleanup without major effort. Just make sure that photos and documents are backed up properly first.
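Since the pairing record is exactly what an attacker needs, it is worth checking which of these records your own computer is holding. The following script is an added example written for this article; it is not code from the article, from Apple, or from Zdziarski’s research. It assumes that iTunes/usbmuxd keep one plist per paired device, named after the device UDID, in /var/db/lockdown (macOS and Linux) or C:\ProgramData\Apple\Lockdown (Windows), and that each record carries the keys HostID, SystemBUID, WiFiMACAddress, EscrowBag, HostPrivateKey and the PEM certificates HostCertificate, DeviceCertificate and RootCertificate. The sample record it falls back on is constructed inline and was not captured from a real device.

```python
"""Audit the iOS pairing records (lockdown plists) stored on this computer.

Added example, not from the original article. Assumed layout: one
<UDID>.plist per paired device in the lockdown directory used by
iTunes/usbmuxd, containing the host identity, the device's Wi-Fi MAC,
an escrow bag and the host's certificate plus private key.
"""
import glob
import os
import plistlib

LOCKDOWN_DIRS = [
    "/var/db/lockdown",                 # macOS and Linux (libimobiledevice), assumed
    r"C:\ProgramData\Apple\Lockdown",  # Windows (Apple Mobile Device Support), assumed
]

CERT_KEYS = ("HostCertificate", "DeviceCertificate", "RootCertificate")


def parse_pairing_record(data, filename):
    """Reduce one pairing record to the facts relevant to the attack described above."""
    record = plistlib.loads(data)
    host_key = record.get("HostPrivateKey", b"")
    return {
        # the device this record grants access to (UDID is taken from the file name)
        "udid": os.path.splitext(os.path.basename(filename))[0],
        # identity the device trusts; the same HostID is accepted over USB and Wi-Fi
        "host_id": record.get("HostID"),
        "system_buid": record.get("SystemBUID"),
        # the device's Wi-Fi MAC, which is how a host locates it for wireless access
        "wifi_mac": record.get("WiFiMACAddress"),
        # a copied record is only usable from another machine if the private key is inside
        "has_host_private_key": b"PRIVATE KEY" in host_key,
        # escrow bag: lets the paired host talk to the device while it is locked
        "has_escrow_bag": "EscrowBag" in record,
        "certs_present": [k for k in CERT_KEYS if k in record],
    }


def scan_lockdown_dir(path):
    """Return one summary per <UDID>.plist in the directory.

    SystemConfiguration.plist holds the host's own SystemBUID, not a pairing,
    so it is skipped; unreadable files are reported rather than hidden.
    """
    results = []
    for name in sorted(glob.glob(os.path.join(path, "*.plist"))):
        base = os.path.basename(name)
        if base == "SystemConfiguration.plist":
            continue
        with open(name, "rb") as fh:
            try:
                results.append(parse_pairing_record(fh.read(), name))
            except Exception as exc:
                results.append({"udid": base, "error": str(exc)})
    return results


def _pem(label):
    """Placeholder PEM blob for the constructed sample; not real key material."""
    return ("-----BEGIN %s-----\nMIIB...\n-----END %s-----\n" % (label, label)).encode()


def make_sample_record():
    """Constructed sample pairing record (not captured from any device)."""
    return plistlib.dumps({
        "HostID": "8F7D9E9A-2B1C-4D3E-9F8A-1234567890AB",
        "SystemBUID": "11111111-2222-3333-4444-555555555555",
        "WiFiMACAddress": "a4:d1:d2:00:11:22",
        "HostCertificate": _pem("CERTIFICATE"),
        "DeviceCertificate": _pem("CERTIFICATE"),
        "RootCertificate": _pem("CERTIFICATE"),
        "HostPrivateKey": _pem("RSA PRIVATE KEY"),
        "RootPrivateKey": _pem("RSA PRIVATE KEY"),
        "EscrowBag": b"\x00" * 16,
    })


def main():
    found = False
    for directory in LOCKDOWN_DIRS:
        if os.path.isdir(directory):
            found = True
            print("pairing records in", directory)
            for rec in scan_lockdown_dir(directory):
                print("  ", rec)
    if not found:
        print("no lockdown directory found; parsing a constructed sample record instead:")
        print("  ", parse_pairing_record(make_sample_record(), "0000ABCD.plist"))


if __name__ == "__main__":
    main()
```

Any device listed here can be reached by this computer, over USB or Wi-Fi, without the device showing anything. A record for a device you no longer own, or a record whose creation you do not remember, is a sign that the computer should be cleaned up and the device reset as described above. On macOS and Linux the lockdown directory is only readable as root, so run the script with sudo.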