Russian digital forensics firm ElcomSoft on Thursday reported that Apple automatically uploads iPhone call logs to iCloud remote servers, and that users have no official way to disable this feature other than to completely switch off the iCloud drive.
The data uploaded could include a list of all calls made and received on an iOS device, as well as phone numbers, dates and times, and duration, the firm said.
Apple retains the cloud-based data for up to four months, according to ElcomSoft’s report. It includes calendars, wallet, books, notes and other data synced with iCloud. Even photos may be retained remotely longer than Apple has indicated.
Apple currently relies on a two-factor authentication system that requires an iCloud token along with an Apple ID and password, but ElcomSoft’s new Phone Breaker 6.20 software can allow law enforcement to bypass those checks.
For its part, Apple has defended the fact that the data is backed up on the cloud.
“We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices,” an Apple spokesperson said in a statement provided to TechNewsWorld by company rep Ryan James.
“Apple is deeply committed to safeguarding our customers’ data,” the spokesperson added. “That’s why we give our customers the ability to keep their data private. Device data is encrypted with a user’s passcode, and access to iCloud data including backups requires the user’s Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication.”
Privacy or Security?
ElcomSoft made its announcement not so much to call attention to the potential weaknesses in Apple’s data storage practices, as to address how easily its own software can obtain the information. It is billed as a tool for law enforcement, but it’s not too hard to imagine that hackers could utilize similar tools for nefarious purposes.
“It is very concerning, as this can’t be something that is a surprise to Apple; it is baked into their design for the product and services,” said Jim Purtilo, associate professor of computer science at the University of Maryland.
“Only Apple can speak to its motive for orchestrating this behavior, but this is a way to project an image of security to consumers,” he told TechNewsWorld.
These iPhone users may believe their data are encrypted and secure, “which is mostly true, even if only on their actual device, while [Apple] is still working accommodatingly with the feds, who get tremendous value from the traffic analysis made possible by these saved data,” Purtilo added.
The fact that Apple is being called out this week is somewhat notable in its own right.
“Apple doesn’t seem to be walking its talk in the sense of actually doing what it publicly claims to be doing,” noted Charles King, principal analyst at Pund-IT.
The other part of this is in the lack of transparency customers have into the process, and the fact that there is no easy way to opt out, he told TechNewsWorld.
“If you use iCloud, you’re in whether you want to be or not,” King added.
However, “as several reports on Apple’s situation mention, the company isn’t alone in syncing or saving call data,” King explained, adding that it is standard practice for U.S. carriers to retain call data for up to 12 months.
“Where Apple could run into problems is in foreign markets that restrict retention of caller data,” he said. “The company also risks some egg on its face if ElcomSoft’s contention that more data is collected and that some is retained for longer than Apple says is the case.”
Who Guards the Guards?
The fact that this information is being uploaded to the iCloud is noteworthy, given the showdown that Apple had with the FBI over its ability to obtain information from an iPhone belonging to Syed Rizwan Farook, who carried out last December’s terrorist attack in San Bernardino.
Farook’s phone was protected cryptographically. Apple challenged more than 11 orders to assist in providing access to the phone, issued by the United States district courts under the All Writs Act of 1789.
The question is whether the FBI showdown was necessary, based on ElcomSoft’s findings. Much of the data may have been on the iCloud and hence accessible.
“If most users rely on iCloud services, then police largely don’t need the actual device in order to investigate someone; the data have already been disclosed for far more convenient access by whoever asks,” explained Purtilo.
“Consumers should be so lucky that only the police are accessing their data; in this news, we more or less need to presume other less upstanding groups have been accessing the data too,” he added.
For the vast majority of users, this may be a nonissue, noted Pund-IT’s King.
“Most criminals and ne’er-do-wells probably know enough not to use their personal phones for conducting illegal business,” he suggested.
“How threatening the practice may be is hard to say, but with Apple actively trying to pitch its products for enterprise applications and use cases, companies considering deploying iPhones and iPads may want to question how their employees’ call data is being collected and secured,” King added. “Personal communication is the lifeblood of many businesses, to the point that any threat of injury and hemorrhage should be avoided.