iOS 11.4 Disables Lightning Connector After 7 Days, Limiting Law Enforcement Access (macrumors.com)
hyperclocker shares a report from Mac Rumors: The iOS 11.4 update, currently being beta tested, includes a USB Restricted Mode that introduces a week-long expiration date on access to the Lightning port on your iOS devices if your phone hasn't been unlocked, which has implications for law enforcement tools like the GrayKey box. USB Restricted Mode was outlined this morning by Elcomsoft after testing confirmed that the feature has indeed been enabled. In Elcomsoft's experience, after an iPhone or iPad has been updated to iOS 11.4, if it hasn't been unlocked or connected to a paired computer in the last 7 days using a passcode, the Lightning port is useless for data access and limited to charging.
"At this point, it is still unclear whether the USB port is blocked if the device has not been unlocked with a passcode for 7 consecutive days; if the device has not been unlocked at all (password or biometrics); or if the device has not been unlocked or connected to a trusted USB device or computer," reports Elcomsoft. "In our test, we were able to confirm the USB lock after the device has been left idle for 7 days. During this period, we have not tried to unlock the device with Touch ID or connect it to a paired USB device. What we do know, however, is that after the 7 days the Lightning port is only good for charging."
I bet it has implications for any other attacker who uses the same vulnerabilities, too.
From a technical standpoint, Law Enforcement is never a special case. That's whether you're protecting computer systems or armoring a knight against swords.
Just like I disabled TouchID and the passcode. I just want easy access.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
The harder it is for law enforcement to access an electronic device, the better our privacy and personal security. Well it sucks for law enforcement to be restricted from accessing the phones of criminals, that's a sacrifice we MUST allow, for all of us to have basic privacy and security.
Too bad you can't select the time out period in settings. 12-24 hours would be ideal.
It only disables data on the lightning port. You are still free to unlock via the passcode or other means.
Only the State obtains its revenue by coercion. - Murray Rothbard
"Older iOS devices" probably won't get this feature since many of them aren't compatible with iOS 11.4, and it sounds like the feature automatically turns off when you start using the device again.
I'd rather personally give my PIN to any law enforcement officer who cared to ask for it than have this feature implemented.
I think the issue is more in regards to when they don't ask.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
What part of even the summary much less the article made you think this was permanent? Unlock with passcode, and all is forgiven...
I wonder if you could spoof NITZ and change the time on the phone to defeat this?
What gives you the idea that it'd permanently lock out the USB port? It's a security feature like when you reboot and it requires a passcode before everything works.
I have older iOS devices that I sometimes go weeks at a time leaving them untouched on the shelf but I pick them up to play with once in a while. Heck, I go on vacations greater than a week a couple of times a year and since I don't want to bother with roaming, I leave my primary phone at home. I certainly don't want my USB to permanently lock out the first time I don't touch my phone for a week. I'd rather personally give my PIN to any law enforcement officer who cared to ask for it than have this feature implemented.
Why does this feature bother you? It doesn't brick the phone, it just disables USB data until you unlock the phone, once unlocked everything is back to normal. My only issue with the feature is that the lockout should be more like 7 minutes instead of 7 days.
I certainly don't want my USB to permanently lock out the first time I don't touch my phone for a week.
By "permanently" I assume you mean "until I unlock my phone", and not really "permanently".
Better known as 318230.
It just means you have to unlock your device first before you can connect it to your computer. After a week, all it can do is charge from USB.
It doesn't permanently disable USB, it just makes it so if your device hasn't been unlocked, after a week, a data connection to the device is no longer possible.
It's a workaround to those GrayKey boxes - to use those to break the code, you need to do it within a week.
Uh, you realize unlocking it will unlock the USB right back, right? If the inconvenience of putting in a PIN or touching your finger on the reader once after a week is too much, then just don't use any kind of authentication and the phone won't ever go in restricted mode.
I'm just going to put this here because I know where this topic's going to go.
First words out of your mouth when talking to law enforcement are as follows, "I want my lawyer."
Then you shut the fuck up till he gets there.
I read at +2. If your post doesn't reach that level I will not see or respond to it.
If users could select a period of time from 1 day to never, it would be even better. Seven days could just be the default setting.
My only issue with the feature is that the lockout should be more like 7 minutes instead of 7 days.
That was my thought, too.
Or make it user-settable.
car mode?
> If a company was known for renting vehicles explicitly for getaway cars, they would be shut down.
You pretty much answered your own question there.
Renting out cars is fine. Tailoring a service as getaway cars, and advertising getaway cars for criminals, would be unlawful.
> Many companies (Napster, AudioGalaxy) were shut down for helping with IP infringement.
And in those cases evidence was introduced, such as internal emails, showing that company executives were actively trying to get more infringing content added, such as paying people to add infringing content.
Or make it user-settable.
Lol, This is Apple, you can't even set how long the snooze function is for the alarm clock.
"All tyranny needs to gain a foothold is for people of good conscience to remain silent." [Thomas Jefferson]
So if I hook the phone up to the car stereo via a usb cable, or to the Windows laptop via a usb cable, I'd be outta luck?
This means I'd have to get an Android phone next. Who thought up this idiocy?
I'm not sure how this works but why does the lightning/usb port do anything when the device is locked?
Is there any reason not to have an option to keep USB restricted mode unless the device is *currently* unlocked? Or it has to be unlocked within the last 5 minutes? What use case is there where you want to connect USB to it but cannot unlock it? (Aside from, of course nefarious purposes)
Obviously, if you've been outside of America, you've been up to some un-American doings and are suspect.
yeesh, do I have to explain everything for you?
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
It doesn't permanently disable USB, ...
Here's a quote from the article, quoting Apple documentation:
Emphasis mine. "At least once a week" is not the same as "sometime within the last week". Letting the phone sit on the shelf locked for a year and then entering the passcode to connect it to something is not "at least once a week".
Now, of course, the Apple docs could be wrong, and it seems likely they are. But, this would not be the first time that a company does something stupid that they actually document correctly (e.g. Android write-protecting SD cards after 4.4.) They do seem to say that it is permanent, however.
Awesome - when can I get 11.4? We need to take our privacy back!
So turn your phone off before leaving?
No, it should be user-specified. There's not a terribly good reason why you shouldn't be able to set 7 minutes, he sets 7 days, and I set 7 hours....
"I do not agree with what you say, but I will defend to the death your right to say it"
Is there any reason not to have an option to keep USB restricted mode unless the device is *currently* unlocked?
In theory right now I think you can connect a phone to the car and have music immediately playing without having to unlock the phone...
The way people use phones though, I'd make the duration 24 hours before blocking data access as almost certainly someone will unlock a phone once every 24 hours. Seven days seems like a bit too long.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Not so much a feature aimed for privacy and more a feature to deter law enforcement.
I'm just waiting for the US gov to sue Apple at this point for interfering with crime investigations.
-1 Flamebait!
Oh my! Apple fanboi strikes again! You dumbasses think they are really restricting access to everybody? Boy, have I got a bridge for you!
Music? This is Apple. They forced EVERYTHING to that single port.
I would prefer my iPhone data connection to be disabled always...
But yet people are giving up personal data to social networks with no issues.
Also if it is made by man it can and will be hacked. Just give it some time.
I'd rather personally give my PIN to any law enforcement officer who cared to ask for it than have this feature implemented.
In the US and most other countries, we already have laws to compel you to give up your PIN if the police have a good reason (aka "probable cause") to believe you've been involved in - or are planning to be involved in - criminal activity.
If the police have a warrant, and you do not provide your PIN, you will go to jail until you become willing to provide them access. You're safely locked up, unable to harm others. They can keep you there until you die, unless you give them the access they've legally demanded.
That's why the whole idea that police and three-letter agencies need exceptional on-demand access to any device they choose is so ridiculous - they can already get at those phones OR lock up the phone owners permanently! Yeah, it doesn't work in the tiny edge case where the phone owner is dead... but in those cases the immediate harm has almost certainly already been done, and the police have a specific already-identified person from which they can begin any subsequent investigation, should they feel it necessary. To claim such a tiny and likely unimportant edge case somehow justifies the significant degradation of all people's personal liberty and financial security is simply absurd.
#DeleteChrome
Sure there is. You could have options for everything. But the more options you have, the harder it is for users to find the option they want.
In this case there's no good reason to hand the decision over to users anyway. Almost none will be interested in changing it, or even be aware that there's such a feature or what it's for.
You may be right, but there is nothing in the summary which remotely implies that it's reversible.
Set a useful default.
Then if the user wants to change from the default, then he can, if he doesn't give a rat's ass, then he doesn't have to think about it.
So, no, there's not really a good reason why it shouldn't be user-settable....
"I do not agree with what you say, but I will defend to the death your right to say it"
iPhones already need to be unlocked before a new connected device will be authorized to access data from the phone, so that's not what this feature is for. Presumably, this new feature will prevent exploitation of flaws in the USB driver, which is presumably the exploit utilized by Cellebrite and/or Grayshift. The better long-term solution is to fix those flaws.
The real issue is that the 7-day limitation makes it nearly useless. It's taking a bet that whatever attacker seized your phone won't use the unlocking device within 7 days. Sure, if there's a huge backlog of devices, or lots of red tape, then it might take more than 7 days. But chances are that if the police bust in your door, they will already have a search warrant that includes your phone, which they will probably find within 1 minute of entry. So long as they're aware of the 7 day limit, they will make sure to access it by then. Now, if the lockout was say 5 minutes, then they'd need the unlocking device on hand, and hope/check that the phone was unlocked at the time they kick in your door.
I think a better solution would be to require authorization to enable USB data transfer whenever a device is connected that can transfer data, and this authorization persists until the device is unplugged, rather than an amount of time after the phone locks.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
And a safe can be opened given enough time. I just want that time to be after I'm dead.
The KDE vs Gnome paradigm...
A default doesn't take away the problem of too many options for users to find anything.
Generally speaking, options need to be fought against. They need to justify the real estate they use. This wouldn't.
Conservatives love local law enforcement because fat cats in the sticks wish uncle sam would go away so they can graduate from county commissioner to warlord of the Western Arkansas fiefdom. That's the extent of any powerful "conservative"'s love for state and local rights. Whenever there is a challenge to local established power structures they never hesitate to call in the feds or whine to congress if the challenger is too powerful for their local goon squads.
Thieves and other black hats can get to your device in minutes after stealing it. It takes western law enforcement a week to get subpoenas. This protects only criminals from good governments. It does not protect you from criminals, corrupt governments, spy agencies or malicious corporations.
Apple is blatantly advertising this as a law enforcement defeat device and consequently complicit in crimes. Worst case is pretty likely, that this will be causal to weakening due process on search warrants and consequently more phones will be searched with less oversight.
What if the display is broken, so you cannot unlock it for a week?
lock up the phone owners permanently!
Sure like they have the time to lock-up all the suspect/innocents they encounter at the border/inland. Re-read what you wrote...doesn't make sense. They will instead THINK TWICE about confiscating an iPhone instead of randomly searching all the fucking people innocent or not if they can't crack it.
I hope that this isn't as stupid as it sounds. seven days? Why to ANY programmers know what their customers want? Seven days? Why not three days? I hope that this will be user definable by the user as I would want my phone set to one day. Most people would probably want one to two days as they use their phone daily. Skip a day of usage would mean that they probably lost their phone or had it stolen by the KGB, Stasi, FBI, or whatever they call themselves.
Let's not lie, now. Apple has signing keys and can put any software they want on the phone. The key already exists. The relevant questions are who else has them. We know the Chinese do; iPhone sales are allowed in China. We assume that no black hats have them, as we trust that they're dumb enough to blab. We know Apple has them. We assume that western governments don't, as they keep asking others to crack iPhones.
I actually don't get why this is not instantaneous, in order for you to connect via USB data the phone should be unlocked. The phone disconnect data until the USB is unplugged.
I think Android even asks if you want to connect data, so you have to unlock to confirm. This is a slight hassle and I have been caught out as to why I can't connect data, but makes sense from a security standpoint.
I don't have an iPhone, so I could be missing something.
Apple customers need very simple choices. I learned that when I bought a Mac Plus. (The sound the disk drive made while ejecting was kinda cute)
I'd rather personally give my PIN to any law enforcement officer who cared to ask for it than have this feature implemented.
In the US and most other countries, we already have laws to compel you to give up your PIN if the police have a good reason (aka "probable cause") to believe you've been involved in - or are planning to be involved in - criminal activity.
If the police have a warrant, and you do not provide your PIN, you will go to jail until you become willing to provide them access. You're safely locked up, unable to harm others. They can keep you there until you die, unless you give them the access they've legally demanded.
That's why the whole idea that police and three-letter agencies need exceptional on-demand access to any device they choose is so ridiculous - they can already get at those phones OR lock up the phone owners permanently! Yeah, it doesn't work in the tiny edge case where the phone owner is dead... but in those cases the immediate harm has almost certainly already been done, and the police have a specific already-identified person from which they can begin any subsequent investigation, should they feel it necessary. To claim such a tiny and likely unimportant edge case somehow justifies the significant degradation of all people's personal liberty and financial security is simply absurd.
What world do you live in? There is no such law on the books.
It applies to all users.
Apple computers and software just tend to be better designed.
The tendency with Windows and Linux is for programmers not to ever think and make decisions. They offload all decisions to users, and end up with baroque software that is difficult to use.
That nightmare of a 5th Amendment trashing precedent where the penalty for forgetting a password is an effective life sentence is thankfully not settled yet. Different courts have ruled different ways. That it's an overt violation of the 5th, namely using the contents of your mind to aid in your prosecution, is clear, but alas so many courts are willing to flat out ignore the Bill of Rights wherever law enforcement wants. It won't be settled until SCOTUS takes it up.
Maybe the port can be useful in resurrecting a semi-bricked device?
Here ya go...
https://xkcd.com/538/
Also, 7 days might as well be an eternity if they really want your data.
The second you plug into something doing other than charging, require the passcode on the phone immediately. Maybe have an option to "trust" known devices like your own computer.
The problem, is that the phone has tons of juicy bits that you have to leave on the phone.
- The credentials used by that app that you bank forces you to install as a 2factor.
- The database of received messages where any new incoming SMS will show up, if your bank still uses that as a 2factor
- Some direct payment app that you need because it's used a lot around where you live
(also around where I live, the app is using a common standard and each bank is providing a compatible app. You actually do NOT need to rely on a 3rd party like VISA or Mastercard, which might be an interesting argument by people who insist in using it).
- tons of personal information which is part of a normal functioning phone (contacts database) that you need to have around if you don't want to memorize and type every single phone number, but that could become handy for ID theft and/or social engineering.
etc.
In short, people who don't use their smartphone as a glorified keypad-dumb-phone/gaming console tend to have tons of bits of information that sound really tasty to any attacker that would want to access them.
(And as lots of other /.ers and even professional cryptographers have shown: there's no way to open an access only for the law-enforcement while at the same time locking out all the potential criminals).
So you need a way to lock your data safely on the phone to prevent abuse.
That's why, a lot of people have a strong desire to keep their phone locked even if they have "nothing to hide".
(Because they have tons of legal information that they genuinely need "to hide" against potential attacker. And be damned the (comparatively fewer) cases where it blocks law enforcement).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
the only thing on it is contact list
Which by itself might be of interest for some attacker who would use this information (and combine it with others) to start-up a process of ID theft or social engineering.
Also you might have had to register your phone number as a 2FA or fall-back on some websites that still rely on such an insecure solution for 2FA.
So quickly stealing/borrowing your phone to impersonate you on such a website might be another motivation.
You're not as juicy as a target as dumb people who'll keep their passwords in an un-encrypted "Note", but you might still interest a few.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Or set it to disable the port on too many unsuccessful attempts to unlock, regardless of the amount of time.
The only consistent position is to recognize that government is the largest mafia racket on Earth. You pay taxes for "protection," but you don't get a choice of whether to buy this "service" or not, and there is no one to protect you from the "protectors."
First of all, the term "liberal" 300 years ago meant a supporter of personal and economic liberty; it has NOTHING to do with "the left." Today, people who identify with this tradition are known as "classical liberals" or "libertarians," and it has NO RELATION to the left, progressives, or Democrats.
The left/progressive movement as an ideology comes from Rousseau and the French Revolution, building on Machiavelli and Hobbes, and is founded on principles of state supremacy, centralized power, secular state religion, and the abolition of competing institutions. This later gave rise to Marx, Lenin, the USSR, Red China, North Korea, the modern Democratic Party, and the neoconservatives (who are Trotskyites).
If Obama wanted to end the Drug War, he could have done it in five minutes by ordering the DOJ to stop enforcing the drug laws and pardoning everyone convicted of a drug crime.
Your ability to make up excuses for the authoritarians in your own party is amazing.
I'm all for this, but had a situation a few years ago where my daughter forgot the passcode to the iPad for several days. We gave it time in hopes of her remembering it. Then we contacted Apple and eventually we fixed it by backing up the iPad to a computer via the Lightning cable, then resetting/erasing the iPad and then restoring the backup.
With the new rules, we may have lost the data on the iPad, which to be fair, was basically MineCraft worlds.
I can't remember the last time I actually connected my iPhone via USB for anything. I'd much prefer it demand an unlock every single time it gets plugged in for data.
Left/Right is an orthogonal axis from Authoritarian/Libertarian (with the latter meant in its true sense, not the US right-wing political faction of that name).
There are plenty of authoritarians in the Left and the Right. Here in the UK it includes both May and Blair. Fortunately there are also libertarians in both Left and Right including most of the LibDems and the Greens.
https://www.politicalcompass.o... has a good description of this.
I really don't agree with you. I bought a used iPhone 7 and am using iOS 11.4 on it, but I didn't see any problem like that.