Welcome!

Eclipse Authors: Liz McMillan, David H Deans, JP Morgenthal, Mano Marks, Yeshim Deniz

News Feed Item

Stroz Friedberg Whitepaper Confirms Pairing Records Security Risk in Apple iOS Devices

Firm releases open source tool and offers free recommendations to safeguard personal data

NEW YORK, Aug. 11, 2014 /PRNewswire/ -- A reported security vulnerability in Apple iOS devices by which outsiders could potentially access users' personal data through pairing records has been validated in a whitepaper released by the incident response team at Stroz Friedberg, a global investigations, intelligence and risk management company.

In response, Stroz Friedberg has developed an open source tool, "unTRUST," to allow enterprise and personal users to protect their data on iOS devices such as the iPhone and iPad. The whitepaper also lists recommendations to mitigate the security risk.

"We are proactively sharing the unTRUST tool and free recommendations with corporate America," said Erin Nealy Cox, Executive Managing Director and lead of the incident response practice at Stroz Friedberg. "Enterprises today rely heavily on mobile devices for day-to-day business operations. The breach of even one employee's iPhone has the potential to expose a company's valuable information to their competitors or the public at-large."

The vulnerability can occur when a user connects his or her device to a computer via USB cable and selects "Trust" when the "Trust This Computer?" dialog box pops up. Users have the ability to elect to trust multiple computers and the potential for exploit increases as the number of trust relationships increase.

A pairing record is then created on both the device and the computer in order for them to facilitate a variety of services. An unauthorized person with access to a "trusted" computer or a modified USB charger can exploit these services's USB, remotely or over Wi-Fi and gain access to sensitive personal data. This includes user, application, diagnostic, file and system data. Stroz Friedberg developed its unTRUST tool to remove the pairing records at the heart of the issue.

The security hole was first reported during the Hackers on Planet Earth (HOPE) conference in July by digital forensic scientist Jonathan Zdziarski. He revealed several services present on iOS devices that can possibly provide unannounced packet-sniffing and data-dumping capabilities that bypass device settings and back-up encryption.

Stroz Friedberg undertook an effort to independently test and validate Zdziarski's research and was able to reproduce many of his findings on iOS devices running iOS versions 7 and 8. Details about the process and the unTRUST tool are outlined in the whitepaper, entitled "Mitigating Potential Pairing Record Risks in Apple iOS Devices" and authored by Stroz Friedberg digital forensic experts Cheri Carr and Daniel Blank.

"Stroz Friedberg is committed to protecting businesses from potential security risks," Cox said. "IT departments are increasingly adopting Apple products for use by the workforce because they are already extremely popular with employees. By taking a few proactive measures, they can be assured of the security of these devices."

Stroz Friedberg's unTRUST tool is publicly accessible through its GitHub repository. The firm also recommends general mitigation strategies, among them:

  • Delete all pairing records that currently exist on the iOS device.
  • Trust only one computer (a computer necessary for syncing and updates) and implement security controls on the iOS device and the "trusted" computer.
  • Do not allow other untrusted connections, including connections to other unnecessary computers, and other Internet-connected devices (e.g. kiosk computers).
  • Because the trusted relationship can be exploited through Wi-Fi, disable Wi-Fi when not needed.
  • For trusted computers, implement the following, where possible:
    • Encrypt data-at-rest.
    • Ensure operating system and application patching is kept up-to-date.
  • For iOS devices, implement the following, where possible:
    • Enable complex passwords.
    • Do not store account credentials in clear text on the device.
    • Ensure iOS and apps are kept up-to-date.
  • Corporations should use mobile device management apps such as MobileIron or Good Technology for protection of sensitive documents and emails.

"Mitigating Potential Pairing Record Risks in Apple iOS Devices" is available at www.strozfriedberg.com. The source code and installation files for unTRUST can be accessed at https://github.com/strozfriedberg/unTRUST.

About Stroz Friedberg, LLC
Founded in 2000, Stroz Friedberg is a global leader in investigations, intelligence, and risk services. It provides expertise in digital forensics, cybercrime and incident response, security science, forensic accounting, compliance, due diligence, data disclosure and analytics. Working at the intersection of technology, investigations, regulatory governance and behavioral science, the company is driven by a core purpose—seeking truth so clients can find the assurance and answers they need to move forward with certainty. With twelve offices across nine U.S. cities, London, Zurich and Hong Kong, Stroz Friedberg assists in managing critical risk for Fortune 100 companies as well as 80% of the AmLaw 100 and the Top 20 UK law firms. Learn more at www.strozfriedberg.com.

Media Contacts
Karen Guterl 
212-542-3167 
[email protected]

Ben Tanner 
212-445-8245 
[email protected]

SOURCE Stroz Friedberg

More Stories By PR Newswire

Copyright © 2007 PR Newswire. All rights reserved. Republication or redistribution of PRNewswire content is expressly prohibited without the prior written consent of PRNewswire. PRNewswire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

@ThingsExpo Stories
SYS-CON Events announced today that MobiDev, a client-oriented software development company, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. MobiDev is a software company that develops and delivers turn-key mobile apps, websites, web services, and complex software systems for startups and enterprises. Since 2009 it has grown from a small group of passionate engineers and business...
SYS-CON Events announced today that GrapeUp, the leading provider of rapid product development at the speed of business, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company, specialized in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market acr...
SYS-CON Events announced today that Ayehu will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on October 31 - November 2, 2017 at the Santa Clara Convention Center in Santa Clara California. Ayehu provides IT Process Automation & Orchestration solutions for IT and Security professionals to identify and resolve critical incidents and enable rapid containment, eradication, and recovery from cyber security breaches. Ayehu provides customers greater control over IT infras...
We build IoT infrastructure products - when you have to integrate different devices, different systems and cloud you have to build an application to do that but we eliminate the need to build an application. Our products can integrate any device, any system, any cloud regardless of protocol," explained Peter Jung, Chief Product Officer at Pulzze Systems, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA
With the introduction of IoT and Smart Living in every aspect of our lives, one question has become relevant: What are the security implications? To answer this, first we have to look and explore the security models of the technologies that IoT is founded upon. In his session at @ThingsExpo, Nevi Kaja, a Research Engineer at Ford Motor Company, discussed some of the security challenges of the IoT infrastructure and related how these aspects impact Smart Living. The material was delivered interac...
Artificial intelligence, machine learning, neural networks. We’re in the midst of a wave of excitement around AI such as hasn’t been seen for a few decades. But those previous periods of inflated expectations led to troughs of disappointment. Will this time be different? Most likely. Applications of AI such as predictive analytics are already decreasing costs and improving reliability of industrial machinery. Furthermore, the funding and research going into AI now comes from a wide range of com...
"When we talk about cloud without compromise what we're talking about is that when people think about 'I need the flexibility of the cloud' - it's the ability to create applications and run them in a cloud environment that's far more flexible,” explained Matthew Finnie, CTO of Interoute, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
When growing capacity and power in the data center, the architectural trade-offs between server scale-up vs. scale-out continue to be debated. Both approaches are valid: scale-out adds multiple, smaller servers running in a distributed computing model, while scale-up adds fewer, more powerful servers that are capable of running larger workloads. It’s worth noting that there are additional, unique advantages that scale-up architectures offer. One big advantage is large memory and compute capacity...
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend 21st Cloud Expo October 31 - November 2, 2017, at the Santa Clara Convention Center, CA, and June 12-14, 2018, at the Javits Center in New York City, NY, and learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
In his session at Cloud Expo, Alan Winters, an entertainment executive/TV producer turned serial entrepreneur, presented a success story of an entrepreneur who has both suffered through and benefited from offshore development across multiple businesses: The smart choice, or how to select the right offshore development partner Warning signs, or how to minimize chances of making the wrong choice Collaboration, or how to establish the most effective work processes Budget control, or how to ma...
Amazon started as an online bookseller 20 years ago. Since then, it has evolved into a technology juggernaut that has disrupted multiple markets and industries and touches many aspects of our lives. It is a relentless technology and business model innovator driving disruption throughout numerous ecosystems. Amazon’s AWS revenues alone are approaching $16B a year making it one of the largest IT companies in the world. With dominant offerings in Cloud, IoT, eCommerce, Big Data, AI, Digital Assista...
SYS-CON Events announced today that Cloud Academy named "Bronze Sponsor" of 21st International Cloud Expo which will take place October 31 - November 2, 2017 at the Santa Clara Convention Center in Santa Clara, CA. Cloud Academy is the industry’s most innovative, vendor-neutral cloud technology training platform. Cloud Academy provides continuous learning solutions for individuals and enterprise teams for Amazon Web Services, Microsoft Azure, Google Cloud Platform, and the most popular cloud com...
No hype cycles or predictions of zillions of things here. IoT is big. You get it. You know your business and have great ideas for a business transformation strategy. What comes next? Time to make it happen. In his session at @ThingsExpo, Jay Mason, Associate Partner at M&S Consulting, presented a step-by-step plan to develop your technology implementation strategy. He discussed the evaluation of communication standards and IoT messaging protocols, data analytics considerations, edge-to-cloud tec...
IoT solutions exploit operational data generated by Internet-connected smart “things” for the purpose of gaining operational insight and producing “better outcomes” (for example, create new business models, eliminate unscheduled maintenance, etc.). The explosive proliferation of IoT solutions will result in an exponential growth in the volume of IoT data, precipitating significant Information Governance issues: who owns the IoT data, what are the rights/duties of IoT solutions adopters towards t...
Internet of @ThingsExpo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devic...
SYS-CON Events announced today that Enzu will exhibit at SYS-CON's 21st Int\ernational Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Enzu’s mission is to be the leading provider of enterprise cloud solutions worldwide. Enzu enables online businesses to use its IT infrastructure to their competitive advantage. By offering a suite of proven hosting and management services, Enzu wants companies to focus on the core of their ...
In his session at @ThingsExpo, Eric Lachapelle, CEO of the Professional Evaluation and Certification Board (PECB), provided an overview of various initiatives to certify the security of connected devices and future trends in ensuring public trust of IoT. Eric Lachapelle is the Chief Executive Officer of the Professional Evaluation and Certification Board (PECB), an international certification body. His role is to help companies and individuals to achieve professional, accredited and worldwide re...
SYS-CON Events announced today that CA Technologies has been named "Platinum Sponsor" of SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business - from apparel to energy - is being rewritten by software. From planning to development to management to security, CA creates software that fuels transformation for companies in the applic...
SYS-CON Events announced today that IBM has been named “Diamond Sponsor” of SYS-CON's 21st Cloud Expo, which will take place on October 31 through November 2nd 2017 at the Santa Clara Convention Center in Santa Clara, California.
The current age of digital transformation means that IT organizations must adapt their toolset to cover all digital experiences, beyond just the end users’. Today’s businesses can no longer focus solely on the digital interactions they manage with employees or customers; they must now contend with non-traditional factors. Whether it's the power of brand to make or break a company, the need to monitor across all locations 24/7, or the ability to proactively resolve issues, companies must adapt to...