Ride the Lightning

Apple to Close iPhone Security Hole – Law Enforcement Infuriated

June 18, 2018

The New York Times (sub.req.) reported last week that Apple will close the technological loophole that let authorities hack into iPhones, angering police and other officials and restarting the argument over whether the government has a right to get into our personal devices.

Apple said it was planning an iPhone software update that would effectively disable the phone's charging and data port — the opening where users plug in headphones, power cables and adapters — an hour after the phone is locked. While a phone can still be charged, a person would first need to enter the phone's password to transfer data to or from the device using the port.

This would thwart law enforcement officials, who have typically been opening locked iPhones by connecting another device running special software to the port, often days or even months after the smartphone was last unlocked. News of Apple's planned software update has spread through security blogs and law enforcement circles — and many in investigative agencies are infuriated.

"If we go back to the situation where we again don't have access, now we know directly all the evidence we've lost and all the kids we can't put into a position of safety," said Chuck Cohen, who leads an Indiana State Police task force on Internet crimes against children. The Indiana State Police said it unlocked 96 iPhones for various cases this year, each time with a warrant, using a $15,000 device it bought in March from Grayshift.

Privacy advocates said Apple would be right to fix a security flaw that has become easier and cheaper to exploit. "This is a really big vulnerability in Apple's phones," said Matthew D. Green, a professor of cryptography at Johns Hopkins University. A Grayshift device sitting on a desk at a police station, he said, "could very easily leak out into the world."

In an e-mail, an Apple spokesman, Fred Sainz, said the company is constantly strengthening security protections and fixes any vulnerability it finds in its phones, partly because criminals could also exploit the same flaws that law enforcement agencies use. "We have the greatest respect for law enforcement, and we don't design our security improvements to frustrate their efforts to do their jobs," he said.

Two main companies have helped law enforcement hack into iPhones: Cellebrite, an Israeli forensics firm purchased by Japan's Sun Corporation in 2006, and Grayshift, which was founded by a former Apple engineer in 2016. Law enforcement officials said they generally send iPhones to Cellebrite to unlock, with each phone costing several thousand dollars to open. In March, Grayshift began selling a $15,000 GrayKey device that the police can use to unlock iPhones themselves.

Apple has closed loopholes in the past. For years, the police used software to break into phones by trying every possible passcode. Apple blocked that technique in 2010 by disabling iPhones after a certain number of incorrect attempts. But the Grayshift and Cellebrite software appear to be able to circumvent that technology test thousands of passwords.

Hillar Moore, the district attorney in Baton Rouge, La., said his office had paid Cellebrite thousands of dollars to unlock iPhones in five cases since 2017, including an investigation into the hazing-related death of a fraternity pledge at Louisiana State University. He said the phones had yielded crucial information, and he was upset that Apple planned to close such a useful investigative avenue. "They are blatantly protecting criminal activity, and only under the guise of privacy for their clients," he said.

"The guise of privacy?" I submit it is no guise at all and that we all have a vested interest in privacy.

In the first 10 months of 2017, the Manhattan district attorney's office said it had recovered and obtained warrants or consent to search 702 locked smartphones, two-thirds of which were iPhones. Smartphones running Google's Android software have been generally easier to access, partly because many older devices lack encryption. This is one reason why we recommend getting modern devices with the latest encryption technologies.

The encryption on smartphones applies only to data stored solely on the phone. Companies like Apple and Google regularly give law enforcement officials access to the data that consumers back up on their servers, such as via Apple's iCloud service. Apple said that since 2013, it has responded to more than 55,000 requests from the United States government requesting information about more than 208,000 devices, accounts or financial identifiers.

And I took special note of the last two paragraphs from the story, which echoes what John and I have been saying for months when we lecture.

Apple's latest move is part of a longer cat-and-mouse game between tech companies and law enforcement, said Michelle Richardson, an analyst at the Center for Democracy and Technology, which supports protections for online privacy.

"People always expected there would be this back-and-forth — that government would be able to hack into these devices, and then Apple would plug the hole and hackers would find another way in," she said.

Personally, I am rooting for the companies that protect our privacy. Those are certainly the companies whose devices lawyers want to buy to fulfill their ethical obligations.

But as this post is published, I have just learned that Grayshift has already claimed that it can defeat Apple's "USB Restricted Mode."  And the battle goes on.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson