A security researcher claims to have found a set of services in iOS that appear to be a firmware-level backdoor in iOS devices. What’s more interesting is that Apple has, in a very non-Apple manner, responded to his claims by posting a support page about them. He claims that this confirms the backdoors he found in iOS, and that Apple claims to use them for diagnostic and enterprise purposes. These backdoors can only be accessed by Apple (or anyone that has access to Apple’s services), so they’re mostly secure backdoors, but they are backdoors nonetheless. Most consumers are completely unaware that alternative pathways into their devices exist and can be exploited by ANYONE other than themselves (in this case Apple). This is also why remote bricking and other ‘security’ features being pushed through legislatures are a problem, but at least we’re aware of their existence, unlike these services on iOS.
The services in question, com.apple.mobile.pcapd, com.apple.mobile.file_relay and com.apple.mobile.house_arrest among others, have been addressed in Apple’s knowledge base article. Apple does not directly address Jonathan Zdziarski’s claims but instead tries to illuminate its use of these services and what they’re supposed to be used for. Apple claims that some of these services are used for diagnostic purposes internally as well as for iTunes and AppleCare support. However, the fact that these supposed backdoor services exist without users’ or developers’ knowledge is a bit worrisome.
The real truth here is that no matter what happens, or is really happening, customers should be aware of how intrusive some of these services are or can be. Sure, some of them are limited in scope in terms of what they can access, but even so, Apple should notify customers, when they use such services or sign up for the operating system, that there are services running on their devices that give Apple access to their device. Backdoor systems are not a joke, and some of them are open invitations to hackers to try to hack into a backdoor and use it for their own purposes. Backdoors are inherently insecure and consumers should be made aware of them, malicious or not.