In response to Zdziarski, Apple publishes a support document on three iOS diagnostic services


In a short but clearly written support document, Apple explains the three iOS diagnostic services that Jonathan Zdziarski attacked in his talk at the 'Hackers On Planet Earth' conference a few days ago.

To be clear once more: his concern is not primarily whether these services should exist at all, but the design through which they create access paths and potential for abuse. Above all, Zdziarski criticises the implementation, which makes it possible to spy on personal data.

I understand that every OS has diagnostic functions, however these services break the promise that Apple makes with the consumer when they enter a backup password; that the data on their device will only come off the phone encrypted. The consumer is also not aware of these mechanisms, nor are they prompted in any way by the device. There is simply no way to justify the massive leak of data as a result of these services, and without any explicit consent by the user.

It will be interesting to see whether Apple, in response, reworks the pairing procedure in particular, which is what iOS and Mac OS use to exchange data both over a cable and wirelessly.

Obviously, Apple realized that pairing in and of itself offered very little security, as they added backup encryption to all backups as a feature – something that also requires pairing to perform. So Apple doesn't trust pairing as a "security" solution either. And for good reason: it wasn't designed to be secure. It is not two factor; it is not encrypted with a user passphrase; it is simply "something you have" that gives you complete unfettered access to the phone. And it can be had as easily as copying one file, or created on the fly via USB. It can be used if law enforcement seizes your computer; it can be stolen by someone hacking in; it is by all means insecure.

Jonathan Zdziarski
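The quote above makes the practical point that a pairing record is one file on the desktop, and whoever copies it holds the "something you have". A check a practitioner would want is therefore an inventory of which pairing records a host currently holds and which of them still carry key material. The following script is an added example, not code from the original post, from Apple or from Zdziarski. It assumes (labelled in the code) that pairing records live under /var/db/lockdown on OS X and under %ProgramData%\Apple\Lockdown on Windows as one <UDID>.plist per device, and that they contain keys such as HostID, HostPrivateKey, RootPrivateKey, EscrowBag and WiFiMACAddress; verify both the paths and the key names on your own system before relying on the output.

```python
"""Inventory lockdown pairing records on a desktop host.

Added example for the pairing-record discussion above; not part of the
original post, Apple's software or Zdziarski's tooling.

Assumptions (verify on your system):
  * records are stored as <UDID>.plist under the directories in PAIRING_DIRS
  * a record carries the keys listed in INFO_KEYS / SENSITIVE_KEYS
"""
import datetime
import os
import plistlib

PAIRING_DIRS = [
    "/var/db/lockdown",                       # OS X location (assumption)
    os.path.join(os.environ.get("ProgramData", r"C:\ProgramData"),
                 "Apple", "Lockdown"),        # Windows location (assumption)
]

# Host-level files that sit beside the device records (assumption).
NON_DEVICE_FILES = {"SystemConfiguration.plist"}

# Identifying fields (assumption about key names).
INFO_KEYS = ("HostID", "SystemBUID", "WiFiMACAddress")
# Fields that make the file sensitive: with these, any holder of the file
# can speak to lockdownd as the already-trusted host (assumption about names).
SENSITIVE_KEYS = ("HostPrivateKey", "RootPrivateKey", "EscrowBag")


def summarize_pairing_record(udid, data):
    """Parse one pairing record (raw plist bytes, XML or binary) into a flat dict.

    Reports the host identifiers, which secret-bearing keys are present, and
    whether the record can be used for wireless sync (WiFiMACAddress present).
    """
    record = plistlib.loads(data)
    summary = {"udid": udid}
    for key in INFO_KEYS:
        summary[key] = record.get(key)
    summary["secrets_present"] = [k for k in SENSITIVE_KEYS if k in record]
    summary["wifi_capable"] = "WiFiMACAddress" in record
    return summary


def find_pairing_records(dirs=PAIRING_DIRS, now=None):
    """Return a list of (path, age_days, summary) for every record found."""
    now = now or datetime.datetime.now()
    results = []
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist") or name in NON_DEVICE_FILES:
                continue
            path = os.path.join(directory, name)
            udid = name[:-len(".plist")]
            with open(path, "rb") as fh:
                summary = summarize_pairing_record(udid, fh.read())
            mtime = datetime.datetime.fromtimestamp(os.path.getmtime(path))
            results.append((path, (now - mtime).days, summary))
    return results


def make_sample_record(**fields):
    """Build a constructed sample record (for demonstration and tests only)."""
    return plistlib.dumps(fields)


def report(records):
    """Render the inventory as text lines; flags records older than 90 days."""
    lines = []
    for path, age_days, s in records:
        flag = "STALE" if age_days > 90 else "     "
        lines.append("%s %s  HostID=%s  WiFi=%s  secrets=%s  age=%dd" % (
            flag, s["udid"], s["HostID"], s["wifi_capable"],
            ",".join(s["secrets_present"]) or "none", age_days))
    return lines


if __name__ == "__main__":
    found = find_pairing_records()
    if not found:
        print("no pairing records found in", PAIRING_DIRS)
    for line in report(found):
        print(line)
```

Run it as the user who owns the host's lockdown directory (it is root-owned on OS X). Any record flagged as carrying HostPrivateKey or EscrowBag is a file whose theft grants the access described in the quote; deleting a record you no longer need forces a fresh pairing, with the trust prompt, the next time that device is connected.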