Update: Zdziarski put up a more detailed response.
Apple responded to the backdoor story.
Each of these diagnostic capabilities requires the user to have unlocked their device and agreed to trust another computer. Any data transmitted between the iOS device and trusted computer is encrypted with keys not shared with Apple. For users who have enabled iTunes Wi-Fi Sync on a trusted computer, these services may also be accessed wirelessly by that computer.
Zdziarski, the author of the article that started this all, is not impressed.
I don’t buy for a minute that these services are intended solely for diagnostics. The data they leak is of an extreme personal nature. There is no notification to the user. A real diagnostic tool would have been engineered to respect the user, prompt them like applications do for access to data, and respect backup encryption. Tell me, what is the point in promising the user encryption if there is a back door to bypass it?
Apple response doesn’t actually deny or contradict anything Zdziarski stated, so in the end, it all comes down to trust. Apple claims they only use these tools for “diagnostics” (which is a stretch considering the extensive and pervasive nature of the data they expose, but alas), and it’s up to us to decide whether we trust them or not. If you still trust Apple – or Google, or Microsoft, or any other major technology company, for that matter – at this point, then I admire your child-like innocence.
What else are you going to do? What other phone/tablet/computer/etc are you going to buy? What other manufacturer makes and sells an absolutely secure device with absolutely no possible way of getting into it and stealing your information and data? Is the best option some no-name phone manufacturer with an obscure ROM installed by means of some Brobdingnagian process that no one but the nerdiest of the nerds can accomplish? The situation is exactly the same whether the device is made by Apple, Microsoft, LG, Sony, Motorola, Samsung, One+One, whoever it is. Every device and every OS has these flaws in them as well as the associated risks if you put everything about you, good or bad, legal or not, onto them, so it’s up to the user in the end to make the decision on what to buy and how much of their “identiy”, information, and secrets to put on the things. That’s where the ultimate responsibility lies.
Edited 2014-07-23 10:26 UTC
Right I mean at this point who do you trust? Do you trust your priest to be around your kids, do you trust your doctor to give you the best medicine? Do you trust your government to look out for you?
All of those groups will tell you, “Trust us we have your best interests in mind” but whatever.
In the end you hope that you don’t get targeted and you keep it moving.
Microsoft jacked us for 30 years so this is nothing new.
Edited 2014-07-23 10:49 UTC
I’ve met a gastroenterologist who didn’t believe in gluten enteropathy, an endocrinologist who only grudgingly admitted to the existence of hyperthyroidism, and an immunologist who thought there were no mainstream or effective treatments for hashimoto’s disease. And to most doctors, nutritional deficiencies don’t exist in the US (even if they’re caused by a relatively common genetic defect, which is easily compensated for if you know the correct chemical forms of which vitamins to take).
The only way to ever trust an MD is to learn the medicine yourself (making the doctor more or less redundant) so that you can go in with a full differential diagnosis, the correct drug to treat the condition, and JAMA articles to back up your claims.
In other words, MDs are basically useless, yet they want us to trust them like they’re ordained by God. Ha.
Well, medicine isn’t exactly a hobby that can be taken up part time, and the art of differential diagnoses is not something you can learn in a short period of time (esp. without real world patient exposure). That being said, I don’t dispute there are doctors on the fringes on mainstream medicine, and of course, mainstream medicine is clearly far from infallible
Edited 2014-07-23 21:49 UTC
The best second opinion you could ever get about drugs would be a pharmacist.
Zdziarski hasn’t revealed much that hasn’t been known for a very long while… What he has done is said, I can’t fathom any other purpose for these calls… of course, others have shown that there are other purposes for these calls.
He claims he’s not suggesting that Apple has purposely worked with anyone to provide these calls as a backdoor, but at the same time he insists there is no other purpose for them (just that Apple is doing it on their own for others?). He claims he’s not being conspiratorial, but he’s being exactly that.
I find it strange (or maybe not) that security experts are so conspiratorial and unimaginative that he can’t fathom anything but malice (but he’s not accusing anyone?). Maybe a complete and utter lack of imagination and a conspiratorial fervor is necessary to be a security researcher, but it never impresses me. Rather it makes me think they are all thick paranoids that understand tech very well.
Edited 2014-07-23 13:37 UTC
… that do not understand tech very well (of course).
Let’s just say some of Apple’s design choices have made the NSA’s (and other police and intelligence agencies’) jobs a lot easier than they have to be.
As an actual developer I don’t understand the uproar about these services. Since when is it up for debate that a packet sniffer is very useful for debugging?
And all of these services require you to synch and trust a computer. Zdziarski never disputes that.
So to sum up:
1. There is no security vulnerability here.
2. These are legitimately useful debugging services
3. They all require an unlocked device and a trusted computer so apple doesn’t have access to the data.
So what is the story again?
You’ll note Zdziarski’s story is shifting and fairly disingenuous:
He first claimed that packet sniffing was completely unsupported and undocumented… once Apple rebutted that by pointing to an ADC base article that shows that it is both supported and documented and that that has existed for at least 5 years, it’s now something that cannot be fathomed for any other purpose but backdoor data access for 3rd parties.
But the end user should get a switch to turn on/off all those debugging and diagnostic services (also they should be off by default), especially since they can be accessed through WiFi. Also, Apple has failed to provide a way for end users to remove previous pairing records.
Edited 2014-07-23 21:51 UTC
http://www.zdnet.com/the-apple-backdoor-that-wasnt-7000031781/?s_ci…
Ouch!
Guess you have to be an actual developer or security person to know what’s really going on.
Makes for good news though.