The iOS 'Backdoor' Confusion: Hysteria, Insults & Finally Debate
When iOS security expert Jonathan Zdziarski took the stage at the Hackers On Planet Earth (Hope X) conference in New York earlier this month he probably didn't expect his talk to lead to widespread panic about the securioty of millions of iPhones, a public spat with a journalist and a wider debate about just what a "backdoor" really is.
But that is what has happened since Zdziarski published his Identifying back doors, attack points, and surveillance mechanisms in iOS devices presentation, which first led to panicked articles with healdines screaming that MILLIONS OF IPHONES ARE AT RISK!!!.
Zdziarski did little to pour cold water on the wild allegations, stoking the fire by saying "I suspect (based on released documents) that some of these services may have been used by the NSA to collect data on potential targets," in a blog.
Publications like The Guardian, Forbes, Ars Technica, Daily Mail and indeed your own IBTimes UK all wrote breathless pieces about the imminent dangers of backdoors Apple had built into its iOS software which could be used by nefarious actors to monitor everything they do.
The backdoor that wasn't
Apple reacted to the reports by publishing a detailed support document saying that the "backdoor" described by Zdziarski was in fact just a developer diagnostic toolset - something the security researcher said he doesn't "buy that for a minute".
If you want more detail on just what Zdziarski's presentation talked about, this by hacker Dino Dai Zovi is an excellent, calm explanation.
Following the initial reactionary coverage of the presentation (most of it second- or third-hand), there came some more considered coverage including an article from well-known technology reporter Violet Blue, entitled The Apple Backdoor that wasn't
In her article, Blue accused Zdziarski of playing "fast and loose with the now widely-accepted definition of backdoor" which in turn led to the inaccurate media reports.
The spat turned personal when Zdziarski attacked Blue on Twitter over her "shoddy, poor, biased, unverified" journalism, however speaking to IBTimes UK this week, Zdziarski claims he "certainly made no personal insults".
For her part Blue told me she initially ignored the tweets, but when they continued she "politely asked him to please stop insulting me. He responded with more insults."
Horribly slanderous
Zdziarski escalated the issue by contacting Blue's editor at ZDNet where the article appeared, calling it "horribly slanderous". Blue, who is well used to being attacked over her work, was backed up by her editors who emailed back to say nothing would be changed.
Blue claims that Zdziarski subsequently sent tweets to her and the ZDNet account calling her work "garbage", tweets that he has now deleted. Zdziarski admits that while most of his tweets to Blue remain online "maybe there's one somewhere that I inadvertently cleaned up with a number of others."
Zdziarski didn't take this lying down, and published a point-by-point riposte to Blue's article entitled The 30 Lies of @VioletBlue pointing out holes in her argument as he saw it.
Responding to the publication of this article, Blue simply said: "I think he has a lot of problems."
Internet troll
Defending his actions, Zdziarski said he hadn't said "anything terrible to [Blue]" and on the other hand "she's called me crazy, insulted me in her twitter account, accused me of using false identities to comment on her article (not true) and made a number of other derogatory remarks. All of this is very unbecoming of a principled journalist; unfortunately, Violet has acted more like an internet troll than a journalist with respect to me."
So what has really caused this rather bitter public fight between a security expert and a renowned security journalist?
In a word: Semantics.
The problem stems from the fact that despite Blue claiming there is a "widely-accepted definition" of what a backdoor is, this is not really the case.
Blue quotes a definition of the term "backdoor" from the Open Web Application Security Project (OWASP) but in reality, is there really an accepted definition which all security expects agree on?
I decided to ask some. I asked a number of security experts if the file_relay flaw revealed by Zdziarski at his talk fits their definition of a "backdoor".
I asked for a simple one-word answer - yes or no. The closest I got was "depends".
The lengthy answers I received are an indication of the lack of clarity about the term. The "depends" answer came from Tim Erlin, director of security and risk at Tripwire, who went on to say:
"There's no official technological definition of a backdoor, so the answer depends on which definition you choose to use. In my opinion, a 'backdoor' requires both intent to conceal from the end user and use as a surreptitious data collection channel. We don't know the intent of Apple in providing the capabilities Zdziarski outlines, and we don't have clear evidence of their use either."
TK Keanini, CTO at Lancope believes "this is a semantic issue at its core as the term backdoor has always pointed to some undisclosed access vector."
And rather than answering my question, Keanini poses another one:
"If a vendor discloses these things but only the experts are able to make it actionable, does it qualify as a backdoor since the average user remains unaware of these technical means and methods?"
Being much more to the point is Michael Sutton, vice president of security research at ZScaler, who sides with the ZDNet journalist:
"While a 'backdoor' has no universal definition, it is generally deemed to not only allow remote access to a machine but to also be hidden, bypass traditional security controls and be used for nefarious purposes. Given that Apple has at least at a high level, responded to Zdziarski's findings to detail the purpose of the diagnostic tools and they are accessed via documented processes, which require user consent (device pairing), I would not define the services as a backdoor."
Finally, Antti Tikkanen, director of security response at F-Secure, also sides with Blue, but adds that Apple could have
"Calling something a backdoor implies some sort of intent to use it as a backdoor. A vulnerability can be a backdoor if it's placed in the code intentionally to be used later for that purpose. Just by looking at the vulnerability at a technical level it's often impossible to tell what is what – we need more insight into how the vulnerability ended up there. All in all, I don't think there's enough evidence to declare this a backdoor. Is it bad design? Definitely."
So there you have it. Clear as mud.
Is it any surprise therefore that a controversial presentation about "backdoors" in the software that runs on the world's most popular smartphones and tablets has caused so much confusion, debate and insult-slinging?
© Copyright IBTimes 2024. All rights reserved.