Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Iphone Privacy Security Apple Hardware Your Rights Online

iPhones Secretly Send Call History To Apple, Security Firm Says (theintercept.com) 124

Russian digital forensics Elcomsoft says iPhones send near real-time logs to Apple servers even when iCloud backup is switched off. The firm adds that these logs are stored for up to four months. From a report on the Intercept:"You only need to have iCloud itself enabled" for the data to be sent, said Vladimir Katalov, CEO of Elcomsoft. The logs surreptitiously uploaded to Apple contain a list of all calls made and received on an iOS device, complete with phone numbers, dates and times, and duration. They also include missed and bypassed calls. Elcomsoft said Apple retains the data in a user's iCloud account for up to four months, providing a boon to law enforcement who may not be able to obtain the data either from the user's carrier, who may retain the data for only a short period, or from the user's device, if it's encrypted with an unbreakable passcode. "Absolutely this is an advantage [for law enforcement]," Robert Osgood, a former FBI supervisory agent who now directs a graduate program in computer forensics at George Mason University, said of Apple's call-history uploads. "Four months is a long time [to retain call logs]. It's generally 30 or 60 days for telecom providers, because they don't want to keep more [records] than they absolutely have to. So if Apple is holding data for four months, that could be a very interesting data repository and they may have data that the telecom provider might not."
This discussion has been archived. No new comments can be posted.

iPhones Secretly Send Call History To Apple, Security Firm Says

Comments Filter:
  • off-shore revenue (Score:5, Interesting)

    by gti_guy ( 875684 ) on Thursday November 17, 2016 @10:24AM (#53305435)
    Well, that's one way to ensure that your off-shore revenue doesn't get touched by the US govt -- provide users' call data to the US govt in exchange for the favor.
    • Isn't the iPhone a US politician's usual choice? Maybe it's more along the lines of Apple saying "If our tax liability were to suddenly increase then your call history becomes public".

      • no, they will probably say we'll stop retaining call history at all and have the FBI and other agencies run to congress to keep their tax benefits going

  • 30 or 60 days (Score:1, Interesting)

    by Anonymous Coward

    Sorry, wireless companies keep records a hell of a lot longer than that. Just log into your wireless account and look at your bill history. That info is not secure if they issue a warrant to the company for your phone records.

    But sorry, please start the Apple hate machine....

    • Re:30 or 60 days (Score:5, Insightful)

      by stealth_finger ( 1809752 ) on Thursday November 17, 2016 @10:56AM (#53305715)
      I'm sorry but the people selling you phone service keeping logs of your phone calls is one thing, the people that just made the phone have no business at all logging that data for any reason. But I guess it's ok though because apple did it and apple can do no wrong.
      • I'm sorry but the people selling you phone service keeping logs of your phone calls is one thing, the people that just made the phone have no business at all logging that data for any reason. But I guess it's ok though because apple did it and apple can do no wrong.

        With iCloud enabled calls to your iPhone are also routed to iPads or Macs so you can answer via FaceTime. Apple is "integrating" with your phone service provider.

        • by SeaFox ( 739806 )

          With iCloud enabled calls to your iPhone are also routed to iPads or Macs so you can answer via FaceTime. Apple is "integrating" with your phone service provider.

          What's your point? Once the call is over with it can't be routed to your Mac or iPad, so there's no reason to keep a log of a call once it is completed.

          • by drnb ( 2434720 )

            With iCloud enabled calls to your iPhone are also routed to iPads or Macs so you can answer via FaceTime. Apple is "integrating" with your phone service provider.

            What's your point? Once the call is over with it can't be routed to your Mac or iPad, so there's no reason to keep a log of a call once it is completed.

            "Move seamlessly between your devices with Handoff, Universal Clipboard, iPhone Cellular Calls, SMS/MMS messaging, Instant Hotspot, and Auto Unlock."
            https://support.apple.com/en-u... [apple.com]

            Plus as the AC mentioned there is also calling someone back using the Mac or iPad at a later date.

  • by roman_mir ( 125474 ) on Thursday November 17, 2016 @10:30AM (#53305487) Homepage Journal

    So if Apple is holding data for four months, that could be a very interesting data repository and they may have data that the telecom provider might not.

    Cook: "In my point of view, [privacy] is a civil liberty that our Founding Fathers thought of a long time ago and concluded it was an essential part of what it was to be an American. Sort of on the level, if you will, with freedom of speech, freedom of the press." [slashdot.org]

    So, Timmy, is privacy worth being protected or not? How is this 'protecting privacy'? Just because you can obtain these logs, why are you doing it?

    • by Anonymous Coward

      Your privacy is being protected; Apple is protecting it for you by looking after your data for a while. Don't you trust them? If it doesn't give you a warm, fuzzy feeling, and make you feel a little bit special to have Apple holding onto your data, then you should turn in your fanboi card immediately.

    • by Anubis IV ( 1279820 ) on Thursday November 17, 2016 @11:18AM (#53305939)

      Just because you can obtain these logs, why are you doing it?

      Apple already answered that question. From the article (yes, I'm guilty of reading it in this instance):

      Apple acknowledged that the call logs are being synced and said it’s intentional.

      “We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices,” an Apple spokesperson said in an email.”Device data is encrypted with a user’s passcode, and access to iCloud data including backups requires the user’s Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication.”

      Moreover, the article contradicts the headline's assertion that this was a "secret" collection of data, since Apple has apparently been up-front about the collection ever since it was added, having disclosed it in their security white papers over the last few years. Plus, users are apparently in control of the data still. Deleting the log on your phone syncs the deletion through to iCloud as well, allowing the user to delete the log at any time.

      Of course, it would be better if Apple didn't have access to the data in the first place, and while Apple has announced their intent to encrypt things in such a way that they wouldn't be able to access them, the article rightly calls them out for having yet to actually do so in the 9 months since they announced those plans.

      The article goes on to mention that this same call log syncing feature was added to newer versions of Android and Windows Phone as well, with the exact same caveats about it being impossible to turn off without turning off all syncing services. Neither Google or Microsoft were mentioned as having announced plans to encrypt the data to keep it out of their own hands, though I'd hope (but not expect that) they'd all jump on that bandwagon.

      • Apple has apparently been up-front about the collection ever since it was added, having disclosed it in their security white papers over the last few years.

        And of course the average iPhone user spends lots of time reading security white papers, in between the hours they devote to keeping up with all the Technical Service Bulletins for their car...

        • by Anubis IV ( 1279820 ) on Thursday November 17, 2016 @01:20PM (#53307553)

          And that's a fair point. Apple already does quite a bit [apple.com] to try and educate their users about the security and privacy of their devices, but the industry as a whole needs to be doing an even better job, as I'm sure you'd agree.

          Even so, the details were readily available to anyone who was interested in them, and Apple's white papers are fairly easy reading as far as technical breakdowns go, so the headline's claim that Apple was secretly collecting the data is clearly false, which is highlighted by the fact that the article itself refutes the headline.

        • Just like androids read the source code? Enough do that the bulk are protected. Same as it ever was.
      • Deleting the log on your phone syncs the deletion through to iCloud as well, allowing the user to delete the log at any time.

        And that's the difference that makes ALL the difference.

        I agree that it would be much better if this was an "Opt-Out/In" Setting, and if it were encrypted from Apple's view, too.

        But unless you are under an active investigation, keeping your call-log "pruned" is a good first step.

    • by praxis ( 19962 )

      So, Timmy, is privacy worth being protected or not? How is this 'protecting privacy'? Just because you can obtain these logs, why are you doing it?

      I'm not Tim, but I'll wager an answer.

      Apple offers a service where it can route calls from your phone to your other Apple devices as part of iCloud syncing. They store you call history as part of your iCloud data as call history is useful to have synced on all your devices and computers able to make and take calls. If you turn off iCloud, they don't store this data, as there's no point to do so.

      I would argue that they could do a better job though, by having more granular controls over this feature and allow

  • by Anonymous Coward

    Yeah that's how it happens. I setup my iPhone and secretly is syncs my call history to my phone. Wow! Where did that come from I wonder?

    • I was assuming it was getting it from the secure Cloud? Isn't that what iCloud is? Like the regular Cloud but better.
    • Yeah... call history is synced between devices... in near real-time... and it goes back about four months! It is one thing if there is a user-centered purpose for it...
      • by Kohath ( 38547 )

        It is one thing if there is a user-centered purpose for it...

        So you can see who called you and easily return calls.

      • by praxis ( 19962 )

        It is one thing if there is a user-centered purpose for it...

        I find it useful to see my call history on devices other than my phone. Those other devices that can also make and take calls.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Thursday November 17, 2016 @10:39AM (#53305549)
    Comment removed based on user account deletion
    • Re:Yeah, and? (Score:4, Interesting)

      by 110010001000 ( 697113 ) on Thursday November 17, 2016 @10:40AM (#53305583) Homepage Journal
      "Also I'm still a little pissed that my BLU smartphone has been sending my SMS messages to China"

      Only a LITTLE pissed? Interesting.
    • But iCloud only stores "a lot of stuff that's more personal than your call history" when the user enables it to do so. Apple is storing the call data without the user's knowledge or ability to control it.
      • Comment removed (Score:4, Insightful)

        by account_deleted ( 4530225 ) on Thursday November 17, 2016 @10:46AM (#53305625)
        Comment removed based on user account deletion
        • What if the user wants their photos backed up to iCloud but not their call logs?
        • by vux984 ( 928602 )

          but it's implied by the very act of syncing.

          Given when setting syncing up i generally have a list of checkboxes that say whether i want to sync A, B, or C then syncing something else without disclousure is definitely not 'implied'.

      • Re:Yeah, and? (Score:5, Insightful)

        by MachineShedFred ( 621896 ) on Thursday November 17, 2016 @11:17AM (#53305921) Journal

        Without the user's knowledge?

        So when they get a new device and the call history magically shows up after putting in the iCloud account and password, it's divining that through psychic feed or something?

        No ability to control it?

        Turn off iCloud. It no longer stores this information. Sounds like a fairly easy and basic control to me. Would it be better if there was an individual switch for this function? Probably, but at some point you end up with an overwhelming page of little switches for every single little thing, and it's a usability nightmare that most people wouldn't bother with anyway.

        • What if it's their first iPhone, so they won't see their previous call sync to know it's happening? And what if they're not tech savvy to even know what iCloud is? Are non-techies undeserving of privacy protection?
          • Well, as they have to actually opt-in to iCloud, then I would assume that they read what it actually does before blindly turning it on and establishing a set of credentials.

            There are the non-techies, then there is the willfully ignorant.

    • it's a cheap no margin phone from a chinese manufacturer. what did you expect?

    • (Also I'm still a little pissed that my BLU smartphone has been sending my SMS messages to China until today for reasons that nobody is willing to give an even vaguely plausible answer to.)

      Probably the exact same reason apple has. They can, and can probably make money from it.

    • IKR?

      Telemetry is the new normal, they all do it. Apple, MS, Google, etc, etc, etc....

  • So can the FBI force apple to turn that over next time?

    • So can the FBI force apple to turn that over next time?

      Yes, and the "forcing" would be just like "forcing" a horny 16-year old to have sex with a hot chick who has her legs spread and is whispering, "C'mon, baby, bang me!"

    • by AHuxley ( 892839 )
      NSA Can Access More Phone Data Than Ever (Oct 20, 2016)
      http://abcnews.go.com/US/nsa-p... [go.com]
      "... the percentage of available records has shot up from 30 percent to virtually 100. Rather than one internal, incomplete database, the NSA can now query any of several complete ones."
      The US gov is getting it all. They just hope the wider public does not notice and keeps on trusting their fav US brands.
  • > And what could be more convenient than not having to bother with the information that it's being done?
  • by Anonymous Coward on Thursday November 17, 2016 @10:42AM (#53305601)

    Oh my god! You mean when Apple said they'd store all the data on my phone remotely for me, the madmen actually went and did it?

    I'm suing.

  • by the_skywise ( 189793 ) on Thursday November 17, 2016 @10:45AM (#53305617)

    "“We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices,” an Apple spokesperson said in an email.”Device data is encrypted with a user’s passcode, and access to iCloud data including backups requires the user’s Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication.”

    Not defending Apple here and I only have an iPhone (no other part of the Apple ecosystem) so I can't speak to the need (or usefulness) of being able to return a call from my iPad or Mac if I miss a call from my iPhone. This just smacks of more Siri/cloud/Cortana data collection garbage to me.

    Heck, I'd have the iCloud completely turned off still if it weren't for their "new" feature where they stopped syncing with Outlook notes and I had to have someway of backing up/sync'ing note items with the rest of my PCs. (I backup my iPhone to an abacus at home...)

    • by MachineShedFred ( 621896 ) on Thursday November 17, 2016 @11:21AM (#53305969) Journal

      I used this just today actually - I left my phone in my bedroom on it's charger, and I missed a call. I was able to click a 'redial' button on my MacBook Pro and return the call.

      It was rather convenient, actually.

    • by guruevi ( 827432 )

      It also allows you to pick up your phone from your computer or other devices. It's immensely useful if you sit at a desk and need to take a call, you can just use a headset. It's kind of 'expected' that such notification data runs throughout the ecosystem. Don't like it, turn off iCloud, then it doesn't happen unlike Android devices where it always happens regardless of your settings.

      • by anegg ( 1390659 )

        This is the inevitable consequence to people wanting to use services that have an "ecosystem" that is maintained in the cloud instead of within their own local set of devices. It is not impossible to imagine having the same capabilities enabled through an ecosystem that maintained the data all on devices local to the user. However, unless people demand such an ecosystem (and are willing to pay for it), the friendly people who have built out all of their "cloud" infrastructure capabilities will be happy to

        • by guruevi ( 827432 )

          Well, I think it's entirely possible to have the 'ecosystem' be in a private server environment, plenty of people pay for it (usually large enterprises) but for the average consumer it's both too costly and too complex to maintain. Then you'd have a handful of servers all over that are 'vulnerable' to some mass attack.

  • Remember when the FBI was laying heavily on Apple to crack open the iPhone of that Terrorist dude that shot up the work-party in California? Apple refused, and this was a story for weeks in the news. John McAfee claimed his guys could crack it in 14 hours or something?

    Anyway, if Apple retains all this data, why was cracking the iPhone such a big deal? Is half the news (or maybe more) all made-up bullshit just to entertain me?

    Maybe Trump isn't really president and the news is just telling me that to keep me

    • by Kohath ( 38547 )

      Because they reset the password

    • Well as I'm sure you've RTFA
      A> They had to have the iCloud connection turned on to sync and backup to get the last 4 months of the call records.
      B> Even if they did it only collected call records made to and from the phone (this was pre-iOS10 so Skype calls weren't tracked) not contacts or text messages or emails or voicemails.

    • Apple respects your privacy when it is in the public eye and thinks it can get credit for doing so. Behind the scenes- screw privacy!

      This isn't a dig at apple. They all do this. Pay lip service to protecting your privacy whilst they sell your wiener size to Trojan for market research.

    • by AHuxley ( 892839 )
      Better to be seen has having a huge political and legal issue.
      Trust and faith in privacy is restored and the public goes back to fully trusting the brand and the networks.
      Who would buy a US product if it comes with extra mandated hardware by big gov with logs ready for open court?
      Junk trap door and back door crypto in every device as designed? The risk is the wider pubic stops talking online.
      So a big public show was put on and everyone feels so safe to talk, txt on their big brand devices again.
  • Once again, a proprietary software company is caught red-handed violating users' privacy. Sigh.

    Why are we still trusting those companies who engage in software abuse, mistreating our digital lives? What will it take before mass resignation of such companies' employees because they're fed up from being part of immoral spying schemes?

    Oh, and don't give me that food on the table bogus argument; Red Hat makes hundreds of millions profit a year with free software, and most web developers who mix and match free

  • but turn off i-Magellanic-Cloud first.

  • I recently discovered, that my VoIP-provider had the history of my calls from ever since I opened the account 7 years ago. It is conveniently searchable and downloadable in several spreadsheet-formats.

    I suppose, when I get to writing down my memoirs, it will come very handy, but it is a little irksome in the mean time. I doubt, I can turn it off or somehow request the records to be removed — I would be the first to object to any legislation forcing people to forget [iflscience.com] anything.

    • Not only that, but their monitoring utilities are likely recording all of your conversations too (assembled rtp from pcap). This is helpful to the VoIP provider to troublehshoot jitter and latency. Of course, they *probably* delete these captures after a short period of time because storage would quickly kill them.

      But for a while, anyone with access to the utils can listen to your past conversations.

  • I have an IPhone 4S using wifi and a Consumer Cellular account. Last summer in France I encountered an Apple software problem that locked my phone. The Apple store in Paris fixed it but I turned off automatic updates to stop the problem from repeating while I'm in the lovely French countryside. Apple ignore my "Don't update" instructions; they downloaded the update anyway and installed nagware that "reminds me" every evening that updates are off and I should install the new OS update..

    The end result is t

  • Comment removed based on user account deletion
  • Apple iSurveillance(tm)- "It Just Works!"

  • From the article Apple isn’t the only company syncing call logs to the cloud. Android phones do it as well, and Windows 10 mobile devices also sync call logs by default with other Windows 10 devices that use the same Microsoft account. Katalov said there are too many Android smartphone versions to test, but his company’s research indicates that call log syncing occurs only with Android 6.x and newer versions.
  • It...it's because Steve misses us all. Right?
  • The idea that Apple is doing something unique here is ridiculous. My call history arrives in the mail to me each month. That record is probably kept indefinitely and is easily available by subpoena.
  • This is why I don't use the cloud for anything! I have my own email, web, and sftp server. I set up my own personal private cloud via ownCloud and all this gets hosted on a small, low-power server in my house. My information is relatively secure and I don't have to worry about anyone else monetizing it or providing it to a government authority.
    • by AHuxley ( 892839 )
      Every type file sent up to a cloud provider gets scanned for AV and other reasons. Hope that one big encrypted file stays safe with the pw in the same OS that created it?

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...