“My ex-wife is spying on me,” my new client began. “She knows where I am 24 hours a day. She somehow got my girlfriend’s contact info, leaves her weird voicemails and always seems to conveniently show up at the same places as me in public.”
It was a statement I’d heard — in some form — endless times from an endless number of clients. While each situation had its own set of nuances, the source of the alleged spying was always the same: the client’s smartphone.
“I already know she’s tapped my phone,” he continued, punctuating his sentence by firmly placing his new iPhone on my desk. Dylan, my digital forensic examiner, who was present for the meeting, picked it up and quickly flipped through a few menus.
“Let’s put this in airplane mode,” Dylan said. “Just in case.”
I knew exactly what he was thinking: If the phone was compromised, there was a chance it could be recording our entire meeting. At the very least, if my new client’s phone was indeed infected with spyware, there would be a GPS data point of his visit to our office, sticking out like a stubbed toe to anybody who cared enough to pay attention.
“Approximately when was the last time your ex-wife would have been in the same room as your phone?” I asked.
Almost all spyware found in domestic cases required that someone have physical access to the phone to install it. If you’re sleeping in the same bed, it’s easy enough to “accidentally” grab the wrong phone from the nightstand during a midnight bathroom visit.
“She’s never seen this phone,” he replied. It wasn’t the answer I was expecting. “We haven’t been together in over a year, and I just replaced my iPhone three months ago.”
I handed my client the necessary forms to document the chain of custody for his phone, and then turned Dylan loose on taking a forensic image of the phone and seeing what he could find.
Two days passed. Our investigation of the phone hadn’t turned up a thing. We manually examined each and every app on the phone, and they all checked out; there was no spyware present on the device. Without an app installed, how was the data getting out?
While there was always the possibility that my client simply had an overactive imagination, that did not seem likely in this case. He cited specific details in private text-message conversations that his ex would bring up when she approached him in public. Something had to be missing.
Approaching the situation from a different perspective, we contacted the client and had him bring in any credit-card statements he could find from his final year with his wife. Based on our subsequent conversations, we learned that he suspected that her spying had been going on since long before the divorce. It was a shot in the dark, but at that point we didn’t have much else to go on.
“Have you ever heard of TeenSafe?” Dylan asked, breaking the silence as we pored over the client’s bills.
Sure enough, a quick Google search revealed that TeenSafe was a service provider aimed at giving parents “protective knowledge” over their teenagers’ phones. Concerned parents could read text messages, check GPS history, view contacts and engage in other behavior typically found with spyware.
But even more fascinating was the method of deployment: TeenSafe did not need to be installed on an iPhone at all. Customers would simply provide TeenSafe with their “child’s” Apple ID and password, and TeenSafe would download the phone’s backup files from iCloud. The service would then simply parse through the backup files and output all the information to its own web portal. As long as iCloud backups were enabled, TeenSafe would have access to everything passing through the phone.
A call to TeenSafe’s tech support department confirmed that the phone was indeed registered with our client’s Apple ID and password.
We had found our leak. But the implications were concerning: Even without a service like TeenSafe, simply gaining access to a user’s iCloud would provide a tech-savvy person enough to track their every move.
And the password-recovery questions on iCloud accounts are notoriously easy to answer. You simply need the subject’s birthday and the answers to a few standardized questions easily found on social media or known by a significant other.
I now insist that all my Apple-loving clients use two-factor authentication on their Apple IDs, especially if they use iCloud backups.
Neal Custer is president of Reveal Digital Forensics & Security, a subsidiary of Custer Agency Inc., and an adjunct professor at Boise State University. Written in collaboration with Dylan Evans, Reveal’s vice president of operations. This column appears in the Aug. 17-Sept. 20, 2016, edition of the Idaho Statesman’s Business Insider magazine.