Slashdot Mirror


Apple Is Testing a Feature That Could Kill Police iPhone Unlockers (vice.com)

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: On Monday, at its Worldwide Developers Conference, Apple teased the upcoming release of the iPhone's operating system, iOS 12. Among its most anticipated features are group FaceTime, Animoji, and a ruler app. But iOS 12's killer feature might be something that's been rumored for a while and wasn't discussed at Apple's event. It's called USB Restricted Mode, and Apple has been including it in some of the iOS beta releases since iOS 11.3.

The feature essentially forces users to unlock the iPhone with the passcode when connecting it to a USB accessory every time the phone has not been unlocked for one hour. That includes the iPhone-unlocking devices that companies such as Cellebrite or GrayShift make, which police departments all over the world use to hack into seized iPhones. "That pretty much kills [GrayShift's product] GrayKey and Cellebrite," Ryan Duff, a security researcher who has studied the iPhone and is Director of Cyber Solutions at Point3 Security, told Motherboard in an online chat. "If it actually does what it says and doesn't let ANY type of data connection happen until it's unlocked, then yes. You can't exploit the device if you can't communicate with it."

7 of 187 comments

  1. Cludge fix? by sinij · · Score: 3, Interesting

    I admit, I don't know exactly how GrayKey and Cellebrite work. However, viewed from a proper access-control and privilege point of view, it shouldn't be possible to siphon the kinds of data (e.g. contacts, calls) that they are reportedly capable of extracting.

    So, could someone explain to me why they went with a solution that still leaves a one-hour window of opportunity to compromise a phone, instead of fixing what I guess are overly permissive privileges within the file system?

    1. Re:Cludge fix? by NFN_NLN · · Score: 4, Interesting

      The file system isn't left open; there are kernel exploits in iOS. Apple's developers aren't perfect and don't know where they left things like buffer overflows that can be exploited.

      I remember back in the satellite smart card hacking days when we had to "glitch" cards. We would put them in a special card reader and run commands through a loop over and over. As the commands were running through, you could adjust the VCC voltage supplied to the card. If you hit the right timing/voltage, the card would "glitch" and you could write to protected memory and gain access. You could buy unhacked cards by the hundreds, and with enough skill 90% of the cards were glitchable. There isn't any amount of coding skill that can defend against a glitch like that.

    2. Re:Cludge fix? by AmiMoJo · · Score: 3, Interesting

      Reminds me of the attack that finally recovered the hidden Game Boy boot ROM. Up until that point it had to be replaced by an open-source one in emulators. The ROM was inside the CPU, and the final instruction in it disabled the ability to read said ROM until the next reset.

      Someone realized they could simply count the number of clock cycles needed to exit the ROM after reset, then wait that number minus one and glitch the clock line. The glitch caused the ROM-read-disable instruction to be skipped, and the ROM could be dumped with a custom cart.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
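The instruction-skip glitch the two comments above describe, as an added example that is not part of either comment: a constructed toy core in C whose boot ROM ends with a lockout instruction, an attacker routine that first counts cycles to ROM exit and then skips the instruction one cycle before exit, and, for contrast, the same core with the lockout latch driven by the address decoder on first exit instead of by an instruction. Everything here is assumed for illustration (the eight-byte ROM, the one-byte-one-cycle opcodes, the "skip one fetched instruction" glitch model); it is not the real Game Boy core, its boot ROM, or its actual cycle counts.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a boot-ROM lockout and an instruction-skip glitch.
 * Constructed for illustration; not the real Game Boy core or boot ROM. */

#define ROM_SIZE 8

enum { OP_NOP = 0x00, OP_LOAD = 0x3E, OP_LOCK_ROM = 0x50 };

/* Constructed "secret" boot ROM: every byte is a one-cycle instruction and the
 * LAST instruction clears the ROM-readable latch, as described in the thread. */
static const uint8_t BOOT_ROM[ROM_SIZE] = {
    OP_LOAD, OP_NOP, OP_LOAD, OP_LOAD, OP_NOP, OP_LOAD, OP_NOP, OP_LOCK_ROM
};

typedef struct {
    uint8_t  rom[ROM_SIZE];
    bool     rom_readable;   /* latch the lockout clears; reset sets it again */
    unsigned pc;
    unsigned cycle;          /* cycles elapsed since reset */
} cpu_t;

/* Run from reset until the fetch address leaves the boot ROM.
 *   glitch_cycle   : if >= 0, the instruction fetched on that cycle is skipped
 *                    (fetched, not executed), the effect a clock glitch has on
 *                    many simple cores (assumed fault model).
 *   hw_lock_on_exit: if true, the address decoder, not an instruction, clears
 *                    the latch the moment a fetch leaves the ROM region. */
static void run_boot(cpu_t *c, int glitch_cycle, bool hw_lock_on_exit)
{
    memcpy(c->rom, BOOT_ROM, ROM_SIZE);
    c->rom_readable = true;
    c->pc = 0;
    c->cycle = 0;

    while (c->pc < ROM_SIZE) {
        uint8_t op = c->rom[c->pc++];
        bool skip = ((int)c->cycle == glitch_cycle);
        c->cycle++;
        if (skip)
            continue;                    /* glitched: instruction has no effect */
        if (op == OP_LOCK_ROM)
            c->rom_readable = false;     /* software lockout */
        /* OP_NOP / OP_LOAD: nothing observable in this model */
    }
    if (hw_lock_on_exit)
        c->rom_readable = false;         /* hardware lockout on first exit */
}

/* What a custom cart sees when it reads the boot-ROM address range afterwards.
 * Returns the number of genuine bytes recovered (0 if the ROM is locked). */
static int dump_rom(const cpu_t *c, uint8_t out[ROM_SIZE])
{
    int recovered = 0;
    for (int i = 0; i < ROM_SIZE; i++) {
        out[i] = c->rom_readable ? c->rom[i] : 0xFF;
        recovered += c->rom_readable ? 1 : 0;
    }
    return recovered;
}

/* Attack step 1: count cycles from reset to ROM exit on an unglitched run. */
static unsigned cycles_to_exit(bool hw_lock_on_exit)
{
    cpu_t c;
    run_boot(&c, -1, hw_lock_on_exit);
    return c.cycle;
}

/* Attack step 2: glitch one cycle before exit, i.e. the cycle that should
 * execute the final (lockout) instruction, then dump. Returns bytes recovered. */
static int glitch_attack(bool hw_lock_on_exit, uint8_t out[ROM_SIZE])
{
    int n = (int)cycles_to_exit(hw_lock_on_exit);
    cpu_t c;
    run_boot(&c, n - 1, hw_lock_on_exit);
    return dump_rom(&c, out);
}

int main(void)
{
    uint8_t buf[ROM_SIZE];
    int got = glitch_attack(false, buf);
    printf("software lockout, glitch at cycle %u-1: recovered %d/%d bytes\n",
           cycles_to_exit(false), got, ROM_SIZE);
    got = glitch_attack(true, buf);
    printf("hardware lockout on exit, same glitch:  recovered %d/%d bytes\n",
           got, ROM_SIZE);
    return 0;
}
```

The point of the second variant is a design one: when the lockout is a side effect of leaving the ROM region rather than of executing one particular instruction, skipping an instruction no longer helps the attacker, because there is no single fetch whose loss leaves the latch set. It does not make the part immune to fault injection in general, only to this specific single-point dependency.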
    3. Re:Cludge fix? by msauve · · Score: 3, Interesting

      "I'm not sure this change will affect GrayKey and Cellebrite anyway."

      I'd assume that Apple has gotten their hands on one, knows how it works, and has used it to develop and test their new feature.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    4. Re:Cludge fix? by UnknowingFool · · Score: 4, Interesting

      Let's say that Apple can do this. The problem is that Apple is then limited to plugging every single flaw one at a time. With this feature they can mitigate a whole class of exploits.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
  2. It could be so much easier! by idji · · Score: 4, Interesting

    What if your left thumb unlocked your phone and your right thumb wiped the device invisibly? The criminal could never know, you'd have deniability, and the police would be too scared to tap your dead finger to the phone.
    Or what if left-right-left unlocked and left-right-right wiped?

  3. Different Fingerprints: Different VMs by crow · · Score: 3, Interesting

    What I want is to have encrypted VMs on my phone, with different fingerprints unlocking different VMs. Or perhaps different levels of unlocking. Unlocking the phone doesn't have to be a binary operation.

    Something like this would also be great for handing my phone to my son so that he can play games, while locking him out of my email and such.