iPhones secretly send your call history to Apple's cloud, even after you tell them not to

Apple has acknowledged that its iCloud service is a weak link in its security model, because by design Apple can gain access to encrypted data stored in its customers' accounts, which means that the company can be hacked, coerced or tricked into revealing otherwise secure customer data to law enforcement, spies and criminals.

So it's alarming to learn that iPhones are designed to sync your call history -- which includes calls placed over Skype, WhatsApp and Viber -- to your iCloud account, even if you have turned this setting off. To make things worse, this sync operation is hidden from you: this data is not visible when you browse your iCloud account, but Apple still has it.

The discovery came from Russian security firm Elcomsoft, who make tools that help law enforcement, private security and Apple customers gain access to data on Apple devices without the logins and passwords that are normally used to access this data.

Apple has acknowledged that this undocumented, secret synchronization takes place and advises its customers to use two-factor authentication as an additional protective measure, though it's not clear whether this would protect Apple users against secret search warrants served against Apple itself.

Apple has announced plans to redesign iCloud so that customers can opt to keep their data private from the company, but there is no public timeline for this, and as things stand today, iCloud data can be decrypted by Apple.

Chris Soghoian, chief technologist for the American Civil Liberties Union, said he’s not surprised that Apple is collecting the information.

“It’s arguably not even the worst thing about iCloud,” he told The Intercept. “The fact that iCloud backs up what would otherwise be end-to-end encrypted iMessages is far worse in my mind. There are other ways the government can obtain [call logs]. But without the backup of iMessages, there may be no other way for them to get those messages.”

Still, he said it’s further proof that “iCloud really is the Achilles heel of the privacy of the iPhone platform. The two biggest privacy problems associated with iCloud don’t have check boxes [for users to opt out], nor do they require that you opt in either.”


Notable Replies

  1. Hmm, I had assumed that it did that after my call history was restored onto my phone after wiping it.

  2. Ok, I'll bite. What setting is this that Apple is supposedly not respecting because looking at my iPhone I can't find it...

    ... and for many this would be considered a feature.

  3. After RTFA I can safely say that as usual this is a bunch of FUD from Cory.

    iCloud backs up all of your device data including call history, Skype call history, and so on because that's what it's supposed to do. If you've ever restored a backup from iCloud onto an iDevice you'll see that it perfectly preserves just about all your data. It's not an "undocumented, secret synchronization", it's something you have to explicitly enable. It's something most customers actually want.

    If you don't like it, then don't back up to iCloud and use encrypted local backups. You'll still be able to restore all of your data but the trade off is you have to have your device connected to iTunes rather than being able to do it over the Internet.

    As with most things security and cloud related, by using cloud services you're making a trade off of security for convenience.


    I remember reading earlier this year that Apple was working on a solution for this problem but AFAIK it hasn't yet been implemented (or if it has, it's been done quietly).

  4. From the linked article it sounds as though the call logs are synced separately from backups: "Even if users disable the backups, their call logs will still get synced to Apple’s servers."

    As I read the article, you can't prevent the log being sent, though they would be deleted if you remove them from the local device.

  5. Reading the article it sounds like if you have iCloud enabled, your call logs are sucked in with the other data -- but there's no switch to turn this on/off. There's actually a lot of things you don't have granular control over. Apple pretty plainly discloses what is backed up when you have iCloud enabled.

    Also just to be clear because it is a little confusing, enabling iCloud syncs a bucket of data -- which is different than "iCloud Backup". iCloud Backup is a device-specific backup which is different than iCloud synchronization.

    For whatever reason, Apple puts messages and calls as "synchronizable" data versus "back up" data. That makes sense to me; if I have multiple iDevices, I don't want to necessarily restore an iPhone backup to an iPad, but I sure as hell want my messages and call logs to be in sync.

    As @JonBristow mentioned, it would be great if there were more knobs to twiddle this for the security/privacy conscious but I would argue the truly security/privacy conscious would opt out of iCloud completely and instead use encrypted local backups.

    To be clear I'm not defending any of these design decisions or distinctions (backup vs sync and so on). I don't think there's anything malicious or secret going on here. This just strikes me as yet another article where Cory is presenting a bunch of FUD and half-baked facts to push his own personal agenda.
