A researcher has revealed what he claims to be previously undiscovered ways that users can be surveilled through their iPhone.



Research released by iOS exploitation expert Jonathan Zdziarski at the Hackers On Planet Earth conference in New York last week showed there were a number of previously undocumented “forensic services” and “surveillance mechanisms” within iOS.



These tools, Zdziarski claims, would allow anyone with a decent level of technical skill and determination to obtain a great deal of a target's sensitive data, including photos, contacts and location.

Zdziarski suggested the National Security Agency (NSA) might have used such methods for accessing targets’ information, but said he had no proof.

Apple has explained these services as genuine “diagnostic” features to allow IT departments and store assistants to manage iPhones.



But Zdziarski said these functions break Apple promises in that they “bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer”.



“I understand that every OS [operating system] has diagnostic functions, however these services break the promise that Apple makes with the consumer when they enter a backup password; that the data on their device will only come off the phone encrypted,” he said in a blog post in response to Apple’s explanation for the tools’ existence.



What Zdziarski’s paper noted, however, was that any exploitation of these features would require the phone to be paired with a compromised computer, something the user would have to agree to.

Pairing requires the iPhone to be unlocked and then connected to a computer via USB, which is another barrier to exploitation. Apple has been keen to point all this out.



Yet some risks remain. When this pairing takes place, a pairing record is created and stored on both the computer and the iPhone. Anyone who retrieved that record could siphon off all kinds of data from the iPhone, according to the researcher. The data could even be pulled over Wi-Fi if the paired devices were on the same network, Zdziarski said.



“That tiny little pairing record file is the key to downloading, installing and even manipulating data and applications on the target device,” the paper explained.

“This is good news for the ‘good’ cops, who do crazy things like get warrants; it’s very bad for anyone who is targeted by spy agencies or malicious hackers looking to snoop on their data.”



Once a law enforcement official, intelligence agent or malicious attacker has that record, either by connecting the phone to their own desktop and initiating the pairing process or by compromising a computer the phone has already been paired with, they could access all kinds of data that would reveal much about the victim.
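The two passages above describe the pairing record as the key an attacker needs, whether copied from a paired computer or created by pairing with their own. The audit script below is an added example, not code from Zdziarski's paper or from Apple: it walks the directories where iTunes and usbmuxd keep pairing records (one `<UDID>.plist` per paired device), parses each record and reports what it grants. The macOS and Windows paths are the standard locations; the Linux path, the list of sensitive keys and the constructed sample record with its placeholder values are assumptions made for this example.

```python
"""Audit host-side iOS pairing records (lockdown plists).

Added example for illustration only. Each record a computer holds means the
phone will hand that computer the lockdown services without a backup password,
over USB and, if Wi-Fi sync was enabled, over the LAN.
"""
import os
import plistlib
import tempfile
from datetime import datetime, timezone

LOCKDOWN_DIRS = [
    "/var/db/lockdown",                                   # macOS (iTunes / usbmuxd)
    os.path.join(os.environ.get("ProgramData", r"C:\ProgramData"),
                 "Apple", "Lockdown"),                    # Windows (iTunes)
    "/var/lib/lockdown",                                  # Linux libimobiledevice (assumption)
]

# Keys whose presence in a leaked record matters most (assumed typical layout).
SENSITIVE_KEYS = {
    "HostPrivateKey": "private key matching HostCertificate; whoever holds it is the paired computer",
    "EscrowBag": "escrow keybag; lets the paired host reach protected data classes while the phone is locked",
    "WiFiMACAddress": "recorded for Wi-Fi sync; the same services are reachable over the LAN, not just USB",
}


def summarize_record(udid, data):
    """Parse one pairing record (binary or XML plist) and report what it grants."""
    rec = plistlib.loads(data)
    return {
        "udid": udid,
        "host_id": rec.get("HostID"),
        "system_buid": rec.get("SystemBUID"),
        "grants": [k for k in SENSITIVE_KEYS if k in rec],
        "wifi_reachable": "WiFiMACAddress" in rec,
        "unlocks_protected_data": "EscrowBag" in rec,
        "impersonates_host": "HostPrivateKey" in rec,
    }


def audit_directory(path):
    """Summarise every <UDID>.plist in a lockdown directory; skip the host's own config file."""
    results = []
    if not os.path.isdir(path):
        return results
    for name in sorted(os.listdir(path)):
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue
        full = os.path.join(path, name)
        udid = name[:-len(".plist")]
        with open(full, "rb") as fh:
            try:
                summary = summarize_record(udid, fh.read())
            except Exception as exc:          # unreadable, or not a pairing record at all
                summary = {"udid": udid, "error": str(exc)}
        summary["created"] = datetime.fromtimestamp(
            os.path.getmtime(full), timezone.utc).isoformat(timespec="seconds")
        results.append(summary)
    return results


def build_sample_record():
    """Constructed record for offline use; every value is a placeholder, not real key material."""
    return plistlib.dumps({
        "HostID": "4A5B6C7D-EXAMPLE-HOST-ID",
        "SystemBUID": "EXAMPLE-SYSTEM-BUID",
        "HostCertificate": b"-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n",
        "HostPrivateKey": b"-----BEGIN RSA PRIVATE KEY-----\n(placeholder)\n-----END RSA PRIVATE KEY-----\n",
        "DeviceCertificate": b"(placeholder)",
        "RootCertificate": b"(placeholder)",
        "EscrowBag": b"(placeholder escrow keybag bytes)",
        "WiFiMACAddress": "aa:bb:cc:dd:ee:ff",
    }, fmt=plistlib.FMT_BINARY)


def report(summaries):
    """One human-readable line per record, naming what a thief of that file would gain."""
    lines = []
    for s in summaries:
        if "error" in s:
            lines.append(f"{s['udid']}: could not parse ({s['error']})")
            continue
        grants = ", ".join(s["grants"]) or "none"
        lines.append(f"{s['udid']} paired by host {s['host_id']} "
                     f"on {s.get('created', 'unknown')}; grants: {grants}")
    return lines


if __name__ == "__main__":
    # Real hosts: list every pairing this computer still holds.
    found = [s for d in LOCKDOWN_DIRS for s in audit_directory(d)]
    # Offline demo: audit a temp dir holding only the constructed record.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "0" * 39 + "1.plist"), "wb") as fh:
            fh.write(build_sample_record())
        found += audit_directory(tmp)
    print("\n".join(report(found)) or "no pairing records found")
```

Any record you do not recognise, or from a host you no longer control, is worth deleting; the phone will simply ask the user to trust that computer again on the next USB connection.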



Through lockdownd, the daemon that brokers access to these services, the "com.apple.mobile.installation_proxy" service lets anyone holding an Apple enterprise developer licence install applications, including malware, onto the device without the software having been vetted by Apple.

The "com.apple.mobile.house_arrest" service could be used to access the databases and personal data held by third-party apps. There is also a service that turns on a packet sniffer, capturing all network traffic the device sends and receives.



But the most worrying feature, according to Zdziarski, is a "file relay" service, which includes a mechanism to copy all metadata stored on an iPhone, along with GPS location data, the user's calendar and contacts, photos and a cache of text recently typed on the keyboard. This is "data that should simply not be allowed to come off the device without knowledge of the user's backup password", Zdziarski said.



The feature allowed access to information that should have been encrypted, he added, and this data is “far too personal to ever be used by Apple”. It would only be useful for intelligence agencies and police, Zdziarski said.



Though many want more information from Apple on these previously undisclosed services and security bypasses, the company can continue to point out that an attacker would need to be in possession of that pairing record and within reach of the target iPhone, over USB or on the same Wi-Fi network, to retrieve data.

The company had not responded to a request for comment at the time of publication.


