iOS Lockdown Diagnostic Services

TL;DR

Background

When you connect an unlocked iOS device running iOS 7 or later to a computer over USB, you are prompted to "Trust" or "Don't Trust" the computer and notified that your settings and data will be accessible from that computer over USB or Wi-Fi. Trusting a computer (pairing) creates a set of keys and certificates, which are stored in a pairing record on both the host and the iOS device. Prior to iOS 7, there was no dialog and "Trust" was effectively silent and automatic. This permitted "juice-jacking" attacks whereby malicious hosts could physically masquerade as charging stations and surreptitiously pair with devices plugged into them.

iOS device management features such as app installation, backup, restore, and configuration are implemented using lockdown services running on the iOS device. Accessing lockdown services requires establishing an SSL connection to lockdownd on the iOS device over USB or the network, authenticated using the keys in a pairing record on the device.

Enabling iTunes Wi-Fi Syncing ("Sync with this iPhone over Wi-Fi") enables network access to lockdownd over TCP port 62078. Network access to lockdownd can also be enabled directly through a USB connection to lockdownd in a way that does not enable iTunes Wi-Fi Syncing. This means that the iTunes and iOS user interfaces will show that iTunes Wi-Fi Syncing is not enabled, but network access to lockdownd is still permitted. If Wi-Fi Syncing is enabled, network access to lockdownd can also be enabled in such a way that it remains enabled even if Wi-Fi Syncing is later disabled. In addition to being accessible over Wi-Fi, a network-accessible lockdownd may also be reachable over the cellular data network, depending on the mobile carrier's network configuration.

There are a number of lockdown services used by iTunes, Xcode, and Apple Configurator. One lockdown service, com.apple.mobile.file_relay, has not been found to be used or referenced by any public Apple software. This service returns compressed archives of selected Data Sources. The data sources now available contain a significant amount of user information stored on the device and these archives may contain decrypted copies of files encrypted by Data Protection.

The com.apple.mobile.house_arrest service is used by iTunes File Sharing to copy files to/from 3rd party app home directories. As of iOS 7, all 3rd party app files are protected by the iOS Data Protection NSFileProtectionCompleteUntilUserAuthentication class by default. The escrow keybag from the pairing record can be passed to house_arrest to allow it to unlock, decrypt, and transfer those 3rd party app files encrypted using iOS Data Protection. In practice, house_arrest must be used after the device has been unlocked the first time by the user after boot.
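As an added example that is not part of the original gist, the following Python script inspects host-side pairing records and reports which ones carry the host certificate and private key needed to authenticate to lockdownd and which also carry the escrow keybag that house_arrest can use to decrypt Data Protection files. The field names (HostID, HostCertificate, HostPrivateKey, RootCertificate, EscrowBag) and the macOS record location /var/db/lockdown/<UDID>.plist follow the widely documented libimobiledevice format and are assumptions here; the records it runs on are constructed placeholders embedded in the script.

```python
import os
import plistlib

# Keys found in lockdown pairing records as documented by libimobiledevice.
# Assumed here; the gist itself only names "keys", "certificates" and the
# "escrow keybag".
AUTH_KEYS = ("HostID", "HostCertificate", "HostPrivateKey", "RootCertificate")


def summarize_pairing_record(data: bytes) -> dict:
    """Parse one pairing-record plist and report what its holder can do.

    A host holding the certificate and private key can complete the SSL
    handshake with lockdownd (over USB or TCP 62078).  If the record also
    carries the escrow keybag, that host can ask house_arrest to unlock and
    decrypt Data Protection files once the device has been unlocked after boot.
    """
    rec = plistlib.loads(data)
    escrow = rec.get("EscrowBag")
    return {
        "host_id": rec.get("HostID", "<missing>"),
        "can_authenticate": all(rec.get(k) for k in AUTH_KEYS),
        "has_escrow_bag": isinstance(escrow, bytes) and len(escrow) > 0,
        "missing_keys": [k for k in AUTH_KEYS if not rec.get(k)],
    }


def audit_pairing_dir(path: str) -> list:
    """Summarise every <UDID>.plist under a host's lockdown directory."""
    results = []
    for name in sorted(os.listdir(path)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            summary = summarize_pairing_record(fh.read())
        summary["udid"] = name[:-len(".plist")]
        results.append(summary)
    return results


# Constructed sample records (placeholder values, not real key material).
_PEM = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE_RECORD = plistlib.dumps({
    "HostID": "EXAMPLE-HOST-ID-0001",
    "HostCertificate": _PEM, "HostPrivateKey": _PEM, "RootCertificate": _PEM,
    "DeviceCertificate": _PEM,
    "EscrowBag": b"\x00" * 32,   # presence, not content, is what matters here
})
SAMPLE_RECORD_NO_ESCROW = plistlib.dumps({
    "HostID": "EXAMPLE-HOST-ID-0002",
    "HostCertificate": _PEM, "HostPrivateKey": _PEM, "RootCertificate": _PEM,
})

if __name__ == "__main__":
    # On macOS the real records live in /var/db/lockdown/ (root-only);
    # pass that directory to audit_pairing_dir() to audit a host.
    for rec in (SAMPLE_RECORD, SAMPLE_RECORD_NO_ESCROW):
        print(summarize_pairing_record(rec))
```

A record whose host still has an escrow keybag is the one worth revoking when that host is no longer trusted, since resetting trust on the device invalidates every pairing record at once.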

Recommendations

Acknowledgements

I'd like to thank Jonathan Zdziarski for taking the time to personally clarify his research and review drafts of this gist.

References

iOS: About diagnostic capabilities

Zdziarski, Jonathan. "Identifying back doors, attack points, and surveillance mechanisms in iOS devices" (slides)

Zdziarski, Jonathan. "Identifying back doors, attack points, and surveillance mechanisms in iOS devices" (paper)