Apple has installed a security backdoor in every iPhone

Apple has been accused of intentionally installing security backdoors in some 600 million iOS devices that offer surveillance-level access to data including photos, browsing history and GPS locations. The vulnerabilities were uncovered by security expert Jonathan Zdziarski.

Zdziarski, one of the early members of iOS jailbreaking teams, presented his findings in a talk at the annual Hackers on Planet Earth (HOPE/X) conference in New York. It is a hacking and development conference that has been running for some time now.

He said in his talk that the mobile operating system of Apple has undocumented functions that makes data grabbing possible via USB connections or even wirelessly over Wi-Fi -- meaning it can be done without the need for passwords or personal identifications numbers.

Based on his findings, these functions serve no other purpose except to provide access to user data on the devices. While the function could be used for management tools, they could be undermined and used for unauthorized access of data and other personal information.

Apple has issued a statement in response to the allegations saying that the company’s “diagnostic functions do not compromise user privacy and security,” but Zdziarski has responded by noting that these services “dish out data” regardless of whether the user has agreed to diagnostics.

“There is no way to disable these mechanisms,” Zdziarski writes on his personal blog. “This makes it much harder to believe that Apple is actually telling the truth here.”

Zdziarski said at the confrence, "I am not suggesting some grand conspiracy; there are, however, some services running in iOS that shouldn’t be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer."

"I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices. At the same time, this is NOT a zero day and NOT some widespread security emergency. My paranoia level is tweaked, but not going crazy. My hope is that Apple will correct the problem. Nothing less, nothing more. I want these services off my phone. They don’t belong there."

If Apple is using this for diagnostics Zdziarski says it lacks any transparency (Apple only acknowledged its existence in response to the talk) and moreover makes an obvious target for hackers and home and foreign governments. Hack the background processes and they will grant complete access to iPhone data, bypassing all encryption. In fact leaked documents last year revealed the NSA actually pulled a similar tactic using a program dubbed ‘DROPOUTJEEP’ to pull information from iPhones, but that required physical access to the phone first.