Apple made headlines when it fought the FBI in the San Bernardino case, turning down the demands to break into the strongly encrypted iPhone allegedly used by the shooter. As an advocate of user privacy, Apple declared that its smartphones come equipped with encryption, which even if the company wanted, cannot be broken into. However, a security firm called Elcomsoft has now claimed that the Apple iPhones automatically send a user’s call history to the company’s servers if iCloud is enabled. Now the scariest part is that the call data gets uploaded in many instances without user choice or notification.
The call details which are uploaded to Apple’s servers contain the list of calls received and made, complete with phone numbers, date, time, and duration. Not only this, the Russian digital forensics firm has claimed that the details also include missed and bypassed calls. CEO of Elcomsoft, Vladimir Katalov, said that “You only need to have iCloud itself enabled” for the data to be sent. These details are stored up by Apple for up to four months. While a large number of network providers also retain call logs for a year or more in the US, this isn’t necessarily the case with companies outside the country. For law enforcement agencies, which have been long fighting it out with companies such as Apple to oblige to their demands of building backdoors to their smartphone encryption systems, information as detailed as even missed calls being stored on the servers could prove a huge advantage in solving criminal cases.
Following the revelations made by whistleblower Edward Snowden about the mass surveillance programs of the US governments, technology companies have been taking user privacy more seriously than before. Top companies, including Google, Facebook, Microsoft, and Apple started publishing transparency reports detailing the number of times the government requested data on their users and how many times the companies fully or partially complied with the requests. The latest report by Elcomsoft could now make it easier for authorities who are struggling to obtain data from the encrypted iPhone or from the carrier.
A report on The Intercept notes that the iCloud syncing isn’t restricted only to the regular phone call log but also includes FaceTime – the iOS-only feature to make audio or video calls. The security firm believes that syncing of both regular calls and FaceTime call logs automatically to iCloud dates back to at least iOS 8.2 which was released in March 2015, which is two years after the mega disclosure of the global surveillance programmes by Snowden. ALSO READ: After FBI, Delhi Police wants to hack Apple’s iPhones
Apple has now moved to iOS 10 and above. But is the software still syncing users’ private call data automatically to the cloud without their knowledge? According to Katalov, it is. Incoming missed calls that are made through third-party VoIP apps like Skype, WhatsApp, Viber, and that user Apple CallKit to make the calls, are also detailed and logged to the iCloud.
What it means for law enforcement agencies?
In the US, in order to attain access to user data through a network provider or device manufacturer, the agencies require a court order. As Apple has keys to unlock iCloud accounts, the agencies can get direct access to the data with a simple court order. However, in order to extract the data, they will still need a tool.
Now whether to make it easy for law enforcement agencies to get their hands on such data or to put Apple in a spot, Elcomsoft said that it is releasing an update to its Phone Breaker software tool which will make it easier to extract call histories from iCloud accounts by using the account holder’s credentials. The tools built by Elcomsoft are used by law enforcement, corporate security departments, and even consumers. The company also leases some of its extraction code to Cellebrite, the Israeli firm the FBI regularly uses to get into seized phones and iCloud data.
Meanwhile, for consumers, their call data is now more vulnerable to hacking as anyone who might be able to obtain their iCloud credentials could potentially misuse it. There have been instances in the past where hackers have been able to get access to iCloud credentials of celebrities and carried out phishing attacks. The hackers, reportedly used Elcomsoft’s software to break into some of the celebrity photos once the accounts were compromised.
Katalov said that if someone were to attempt to download data in an iCloud account, the owner would receive an email notification. However, no notification is sent when someone downloads synced call logs from iCloud. ALSO READ: Indian official thanks 17-year-old for hacking into website of the Indian Consulate General in New York
Apple said that this syncing of call logs is intentional. “We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices,” an Apple spokesperson said. “Device data is encrypted with a user’s passcode, and access to iCloud data including backups requires the user’s Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication.”
Calling it the “Achilles heels of privacy on the iPhone”, Chris Soghoian, chief technologist for the American Civil Liberties Union, said, “The two biggest privacy problems associated with iCloud don’t have check boxes [for users to opt out], nor do they require that you opt in either,” the report notes.
Katalov further notes that while there is an option to disable uploading or syncing Notes, Contacts, Calendars, and web history, there is no option for users to disable the call logs. One way to ensure call logs will disappear from the cloud is if a user deletes a specific call record from the log on their iPhone. This way it will also get deleted from their iCloud account during the next automatic synchronization.
Does it mean other OS are safe?
According to the Elcomsoft CEO, Apple isn’t the only company which is syncing call logs to the cloud. Android devices also sync data to the cloud while Windows 10 devices sync call logs by default with other devices using the same account. In stock versions of Android, there is no way to select categories to sync. However, some third-party Android versions, do offer the option. The security firm further discovered that call log syncing occurs only with Android 6.x and newer versions.
Do customers know?
Some of the customers who are aware that their call logs are being synced to the iCloud are frustrated with the feature. This is because in situations where they have same Apple ID as someone with a different device, for example spouse or children, then they see calls from device getting synced automatically to the device of the other person who is using the same ID.
Annoyed users say that if one of the users of the same Apple ID misses a call, the notification pops up on the other device. This is also the case with call history. One user’s call details appear on another’s device using the same ID. However, not all customers are aware that it isn’t exactly a glitch but an ‘intentional’ loophole that Apple calls convenience. ALSO READ: Mark Zuckerberg’s Pinterest account hacked again
The only way consumers could save themselves from being hacked is to use two-factor authentication for their accounts. Be it on Android or iOS or Windows 10, multi-step authentication feature ensure there are lesser chances of one being attacked by malicious hackers. As for Apple, well, the fight between privacy and security just went a notch up.