TL;DR

  • Pairing an iOS device to a host (computer running iTunes) gives that host significant access to data on the iOS device and requires connecting the unlocked iOS device to a host over USB
  • Once paired, that host (or another host that has stolen its pairing record) can access significant amounts of user personal data from the iOS device over USB and Wi-Fi through the com.apple.mobile.file_relay and com.apple.mobile.house_arrest lockdown services
  • These services will not return user data files that are encrypted and locked by iOS Data Protection but the files returned by file_relay are not protected by iOS Data Protection and do include significant amounts of personal user data that would otherwise be encrypted in iTunes encrypted backups (“Encrypt Backup” is enabled)
  • The com.apple.mobile.file_relay service is not used or referenced by any public Apple software so its intended client software is unknown outside of Apple
  • Apple released a Knowledge Base article describing these services and stating that the file_relay service is used by Apple on internal devices and may also be used by AppleCare with user consent for diagnostics.

Background

When you connect an unlocked iOS device running iOS 7 and later to a computer over USB, you are prompted to “Trust” or “Don’t Trust” the computer and notified that your settings and data will be accessible from that computer over USB or Wi-Fi. Trusting a computer (pairing) creates a set of keys and certificates, which are stored in a pairing record on both the host and the iOS device. Prior to iOS 7, there was no dialog and “Trust” was effectively silent and automatic. This permitted “juice-jacking” attacks whereby malicious hosts could physically masquerade as charging stations and surreptitiously pair with devices plugged into to them.

iOS device management features such as app installation, backup, restore, and configuration are implemented using lockdown services running on the iOS device. Accessing lockdown services requires establishing an SSL connection to lockdownd on the iOS device over USB or the network and authenticated using those keys in a pairing record on the device. Enabling iTunes Wi-Fi Syncing (“Sync with this iPhone over Wi-Fi”) enables network access to lockdownd over TCP port 62078. Network access to lockdownd can also be enabled directly through an USB connection to lockdownd in a way that does not enable iTunes Wi-Fi Syncing. This means that the iTunes and iOS user interfaces will show that iTunes Wi-Fi syncing is not enabled, but network access to lockdownd is still permitted. If Wi-Fi Syncing is enabled, network access to lockdownd can also be enabled in such a way that it remains enabled even if Wi-Fi Syncing is disabled. In addition to being accessible over Wi-Fi, a network accessible lockdownd may possibly also be connected to over the cellular data network, depending on mobile carrier network configuration.

There are a number of lockdown services used by iTunes, Xcode, and Apple Configurator. One lockdown service, com.apple.mobile.file_relay, has not been found to be used or referenced by any public Apple software. This service returns compressed archives of selected Data Sources. The data sources now available contain a significant amount of user information stored on the device and these archives may contain decrypted copies of files encrypted by Data Protection.

The com.apple.mobile.house_arrest service is used by iTunes File Sharing to copy files to/from 3rd party app home directories. As of iOS 7, all 3rd party app files are protected by the iOS Data Protection NSFileProtectionCompleteUntilUserAuthentication class by default. The escrow keybag from the pairing record can be passed to house_arrest to allow it to unlock, decrypt, and transfer those 3rd party app files encrypted using iOS Data Protection. In practice, house_arrest must be used after the device has been unlocked the first time by the user after boot.

Recommendations

  • iPhone 4S and later devices are at their most secure state when powered off. iPhones prior to the 4S are vulnerable to the limera1n Boot ROM exploit and all data not protected by iOS Data Protection can be accessed. Any four-digit passcode can be brute force guessed on the device in 20 minutes or less. Complex passcodes require more time to guess and may be effectively made unguessable.
  • Use Apple Configurator to restrict pairing to only the host running Configurator. This will prevent pairing the device to another host, even when it is unlocked.
  • On the iOS device, tapping “Erase All Content and Settings” is the only way to clear all of its pairings (in addition to all of the other data stored on the device).
  • For a less destructive way to clear pairings, backup the device through iTunes (encrypt backup with a strong passphrase), “Erase All Content and Settings” on the iOS device, and then restore device settings and data using iTunes.

Acknowledgements

I’d like to thank Jonathan Zdziarski for taking the time to personally clarify his research and review drafts of this post.

References

iOS: About diagnostic capabilities

Zdziarski, Jonathan. “Identifying back doors, attack points, and surveillance mechanisms in iOS devices” (slides)

Zdziarski, Jonathan. “Identifying back doors, attack points, and surveillance mechanisms in iOS devices” (paper)