Yesterday I posted: Do you want a backdoor with that iPhone/iPad? only to read today UPDATE: The Apple backdoor that wasn’t by Violet Blue.
Thinking I may have been taken in by a hoax, I read Violet’s post rather carefully:
From Violet’s post:
Since Mr. Zdziarski presented “Identifying back doors, attack points, and surveillance mechanisms in iOS devices“, his miscasting of Apple’s developer diagnostics as a “backdoor” was defeated on Twitter, debunked and saw SourceClear calling Zdziarski an attention seeker in Computerworld, and Apple issued a statement saying that no, this is false.
In fact, this allegedly “secret backdoor” was added to diagnostic information that has been as freely available as a page out of a phone book since 2002.
Interesting. So if you are called an “attention seeker” in Computerworld and a vendor denies your claim, the story is false?
Let’s read the sources before jumping to the conclusion that the story was false.
From the Computerworld account:
Apple swiftly rejected Zdziarski’s accusations, pointing out that end users are in complete control of the claimed hacking process — the person owning the device must have unlocked it and “agreed to trust another computer before the computer is able” to access the diagnostic data the claimed NerveGas attack focuses on.
The author of the article I quoted said:
For the backdoor to be exploited by a spy, your iDevice needs to be synced to another computer via a feature called iOS pairing.
Once your iDevice is paired to your PC or Mac, they exchange encryption keys and certificates to establish an encrypted SSL tunnel, and the keys are never deleted unless the iPhone or iPad is wiped with a factory reset.
That means a hacker could insert spyware on your computer to steal the pairing keys, which allows them to locate and connect to your device via Wi-Fi.
Sounds to me like Apple and Zorabedian agree on the necessary conditions for the exploit. You have to “unlock” and “trust another computer.”
Yes?
Violet Blue ignores or doesn’t bother to read the technical agreement between Apple and Zorabedian but to take Zdziarski to task for name calling and attention seeking.
The second accusation is a pot calling the kettle black situation.
Zorabedian should have said that Apple had this backdoor since 2002, which is a useful correction to the original story.