Zdziarski noted the considerable developments Apple has made to ensure its iOS devices are secure, to the point where the iPhone 5 and iOS 7 is more secure from everyone. Everyone, that is, except for Apple itself.
Although third party documents on Apple devices are encrypted, the library and caches folders are typically not. What this means is that an unlocked device allows access to data which would normally be encrypted. There is currently no way to disable this vulnerability.
The back door access to this information is typically activated with computers which are paired to the Apple device through USB, where the user has granted security access by indicating that the computer is a trusted one. This is frequently done by users in order to move files to or from a device and to update the software. Unfortunately this feature also allows access to information like online log-ins, contacts and web history by anyone connected to the same wifi network, where that wifi network is “known” to the device.
Zdziarski explains how this happens,
In order to understand how an attacker could penetrate an iPhone from the owner’s desktop computer, it’s important to understand how pairing works… A pairing is a trusted relationship with another device, where the client device is granted privileged, trusted access. In order to have the level of control to download personal data, install applications, or perform other such tasks on an iOS device, the machine it’s connected to must be paired with the device. This is done through a very simple protocol, where the desktop and the phone create and exchange a set of keys and certificates. These keys are later used to authenticate and establish an encrypted SSL channel to communicate with the device. Without the correct keys, the attempted SSL handshake fails, preventing the client from obtaining privileged access.
Zdziarski also reviews other iPhone vulnerabilities, including fingerprint overrides, interception of iMessage contents, and installation of invisible and malicious software.
Apple’s response has been published on Zdziarski’s blog, where they appear to acknowledge the vulnerabilities while emphasizing that they are intended to enhance user function. However, Zdziarski adds,
Apple’s seeming admission to having these backdoors, however legitimate a use they serve Apple, unfortunately have opened up some serious privacy weaknesses as well. We know, from the Snowden leaks via Der Spiegel, that NSA has penetrated target desktop machines to later access iPhone features. We also know that desktop machines are often seized by law enforcement and with that pairing record data, can access the data on the device using these services – even if backup encryption is turned on. Pairing records can be stolen a number of different ways, ranging from a shared coffee shop computer to an ex-lover whose computer you used to trust, leaving your phone unlocked at a bar (Apple should know something about this), or countless other scenarios – all giving the attacker perpetual access to your device via USB and usually WiFi until you wipe the device. It is only recently that iOS even added a trust dialog; prior to this, your device would automatically pair with anything that you plugged it into.
I still maintain that lawyers are subject to professional standards of reasonableness, and would never be expected to understand the level of technological sophistication in Zdziarski’s paper. However, they should take reasonable steps to ensure minimize these risks, such as using passcodes and only pairing devices with computers that are themselves secure.
Although these measures still will not prevent those motivated enough to access information on Apple products, government agencies who often possess this type of sophistication have many other means of securing this data regardless.