Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Is Testing a Feature That Could Kill Police iPhone Unlockers (vice.com)

Posted by msmash on from the cat-and-mouse-race dept.

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: On Monday, at its Worldwide Developers Conference, Apple teased the upcoming release of the iPhone's operating system, iOS 12. Among its most anticipated features are group FaceTime, Animoji, and a ruler app. But iOS 12's killer feature might be something that's been rumored for a while and wasn't discussed at Apple's event. It's called USB Restricted Mode, and Apple has been including it in some of the iOS beta releases since iOS 11.3.

The feature essentially forces users to unlock the iPhone with the passcode when connecting it to a USB accessory everytime the phone has not been unlocked for one hour. That includes the iPhone unlocking devices that companies such as Cellebrite or GrayShift make, which police departments all over the world use to hack into seized iPhones. "That pretty much kills [GrayShift's product] GrayKey and Cellebrite," Ryan Duff, a security researcher who has studied iPhone and is Director of Cyber Solutions at Point3 Security, told Motherboard in an online chat. "If it actually does what it says and doesn't let ANY type of data connection happen until it's unlocked, then yes. You can't exploit the device if you can't communicate with it."

123 of 187 comments (clear)

  1. Cludge fix? by sinij · · Score: 3, Interesting

    I admit, I don't know exactly how GrayKey and Cellebrite work. However, if viewed from proper access control and privileges point of view, it shouldn't be possible to siphon the kinds of data (e.g. contacts, calls) that it is reportedly capable of doing.

    So, could someone explain to me why they went with a solution that still leaves 1 hour window of opportunity to compromise a phone instead of fixing, what I guess are overly permissive privileges within the file system?

    1. Re:Cludge fix? by Anonymous Coward · · Score: 5, Informative

      I admit, I don't know exactly how GrayKey and Cellebrite work. However, if viewed from proper access control and privileges point of view, it shouldn't be possible to siphon the kinds of data (e.g. contacts, calls) that it is reportedly capable of doing.

      So, could someone explain to me why they went with a solution that still leaves 1 hour window of opportunity to compromise a phone instead of fixing, what I guess are overly permissive privileges within the file system?

      The file system isn’t left open, there are kernel exploits in iOS. Apple’s developers aren’t perfect and don’t know where they left things like buffer overflows that can be exploited. They fix them as they find them, but of course GrayKey won’t share its trade secret. Instead of thinking that patching every possible exploit is possible, they restrict access to the device so that although exploits will probably always exist, someone without the passcode can’t interact with the phone at all. Problem is though, when you forget your password with this feature, there is no restore. Cool brick!

    2. Re:Cludge fix? by bensafrickingenius · · Score: 4, Insightful

      I too was thrown by the 1 hour window. How often outside of sleepy time does one's phone remain unlocked for an entire hour?

      --
      I am not left-handed, either!
    3. Re:Cludge fix? by Anonymous Coward · · Score: 5, Funny

      I too was thrown by the 1 hour window. How often outside of sleepy time does one's phone remain unlocked for an entire hour?

      When the police seize it.

    4. Re:Cludge fix? by omnichad · · Score: 2

      It would be smarter if that one hour window only applies to unlocks that grant USB access, not all unlocks. Much like an unlocked phone still requires confirmation for an app store purchase.

    5. Re:Cludge fix? by AmiMoJo · · Score: 2

      I'm not sure this change will affect GrayKey and Cellebrite anyway. My understanding is that they attack the phone's bootloader. It's a special bit of firmware that loads at boot time and is designed to make recovery from a broken OS image possible. It seems that they found some vulnerability in it that they can exploit to disable the passcode attempt limit and then automatically try passcodes until they find the right one.

      Also, this fix doesn't seem to be enough... On my Pixel you always have to unlock to access any of the phone's resources via USB. There is no 1 hour grace period, it's needed every single time.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Cludge fix? by Dixie_Flatline · · Score: 1

      They work by cracking the passcode, basically. Supposedly, they found a way to repeatedly test the passcode without triggering the cooldowns, or something similar. Once the phone is unlocked, obviously, all the data is available to whoever wants it.

    7. Re:Cludge fix? by bondsbw · · Score: 5, Funny

      Apple’s developers aren’t perfect

      No no no... that's not how it works. Apple developers definitely are perfect, and everything they "fix" is really just better perfection.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    8. Re:Cludge fix? by currently_awake · · Score: 1

      The American Government probably requires Apple to have backdoor access to phone data via USB. If it wasn't deliberate they would have blocked the access by fixing the USB bug. They should also block software updates without unlocking the phone, to prevent the FBI getting a court warrant to force Apple to make "unlock assistance" software.

    9. Re:Cludge fix? by phantomfive · · Score: 1

      Apple’s developers aren’t perfect and don’t know where they left things like buffer overflows that can be exploited.

      Having looked at the kernel code, I would suggest they aren't trying very hard.

      --
      "First they came for the slanderers and i said nothing."
    10. Re:Cludge fix? by Anonymous Coward · · Score: 1

      I too was thrown by the 1 hour window. How often outside of sleepy time does one's phone remain unlocked for an entire hour?

      Jesus man, put the phone down and get a life.

      My phone will go for hours without being unlocked, because I'm not tethered to it like a teenager.

      In the case of law enforcement, a 1 hour window likely means before they get a chance to try to break into it, it's already fully locked down.

      Of course, they'll just make it illegal to make encryption they can't get into, or they'll make it a legal requirement that you unlock your phone for the police -- because neither government nor police care about such things as your rights or due process.

    11. Re:Cludge fix? by sinij · · Score: 1

      Why is modifying bootloader doesn't require root access on iOS?

    12. Re:Cludge fix? by BorgDrone · · Score: 3, Insightful

      They don't need to patch every possible exploit, only ones that allow privilege escalation.

      Well, if you give them a list of exploits that these tools use, I'll bet they will be more than happy to fix them.

      if a product, like GrayKey and Cellebrite is released, then it is imperative that Apple reverse-engineer it to fix bugs they exploit.

      And to do that they need to get their hands on one of them first, and GrayKey/Cellebrite are doing everything they can to prevent that.

    13. Re:Cludge fix? by sinij · · Score: 1

      With apple cash horde, just buy them out. They have cash to spare.

    14. Re:Cludge fix? by TigerPlish · · Score: 1

      How often outside of sleepy time does one's phone remain unlocked for an entire hour?

      Every evening, when I leave it in the bedroom and I'm watching something in the movie room. I don't let my phone be a cybershackle out of business hours.

      Want me? Call me! Otherwise I'll get back to you whenever.. if ever.

      Weekends? Many hours pass without me looking at it or unlocking it. I just don't caaaaaaaaare about constant connectivity, in fact, the older I get the more I loathe it.

      --
      The "Civilized World" jumped the shark ca. 1973.
    15. Re:Cludge fix? by tsa · · Score: 1

      Indeed. They never make mistakes. Steve smites them with fire and fury if they do.

      --

      -- Cheers!

    16. Re: Cludge fix? by MachineShedFred · · Score: 2

      The time from when a cop takes it from you, and when they get a judge to sign a search warrant allowing them to look at it.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    17. Re:Cludge fix? by NFN_NLN · · Score: 4, Interesting

      The file system isn’t left open, there are kernel exploits in iOS. Apple’s developers aren’t perfect and don’t know where they left things like buffer overflows that can be exploited.

      I remember back in the satellite smart card hacking days when we had to "glitch" cards. We would put them in a special card reader and run commands through a loop over and over. As the commands were running through you could adjust the VCC voltage supplied to the card. If you hit the right timing/voltage the card would "glitch" and you could write to protected memory and gain access. You could buy unhacked cards by the hundreds and with enough skill 90% of the cards were glitchable. There isn't any amount of coding skill that can defend against a glitch like that.

    18. Re:Cludge fix? by KiloByte · · Score: 5, Informative

      How many privilege escalation and code execution flaws in, for example, current RHEL?

      With the default desktop, plug in any USB mass storage with a crafted filesystem. Even a simple filesystem like ext4 whose maintainer keeps religiously fuzzing it keeps popping up new exploitable flaws; no one bothers issuing CVEs nor even backporting patches to stable kernels for these (as the attack mode is known since forever, and there's only so much educating distro maintainers about security Tytso and co can do). Besides ext4, we have some ridiculously complex filesystems like btrfs or xfs, and plenty of unmaintained ones like qnx4/qnx6 that nevertheless have their modules enabled, including automount, on distro kernels.

      Red Hat/Fedora's default is to automount any inserted removable media, at least in the desktop version, even if the screen is locked. This is exactly a case of flaw discussed in this very article; I guess other USB sub-protocols other than mass storage also might have similarly egregious flaws. Shutting down recognizing any new USB devices (other than possibly dumb chargers) while locked is a long overdue fix.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    19. Re:Cludge fix? by UnknowingFool · · Score: 1

      I admit, I don't know exactly how GrayKey and Cellebrite work. However, if viewed from proper access control and privileges point of view, it shouldn't be possible to siphon the kinds of data (e.g. contacts, calls) that it is reportedly capable of doing.

      I would assume that both require plugging in a cable instead over wifi or cellular connection. The problem isn't "siphoning" data. The problem is taking advantage of some flaw in the iPhone. Apple can fix each and every flaw however this would also help mitigate many attacks.

      So, could someone explain to me why they went with a solution that still leaves 1 hour window of opportunity to compromise a phone instead of fixing, what I guess are overly permissive privileges within the file system?

      I would say all security involves a balance of convenience vs effectiveness. If they didn't leave the 1 hour, that would mean that their customers would have to use a passcode every single time which would be inconvenient. The fingerprint and face scans are also a trade off of convenience vs effectiveness. You can set a extremely long ultra secure alphanumeric passcode to unlock your phone if you want but most people don't want to do that.

      Sorta like customers have to authorize purchases on the Apple store with a passcode or a fingerprint unlock. However if you buy multiple things within 15 mins so you don't have to keep re-authorizing. With the store authorization you can set it to always require instead of 15 mins. With this you can turn it on or off.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    20. Re:Cludge fix? by Megol · · Score: 1

      I think you have an addiction.

    21. Re:Cludge fix? by UnknowingFool · · Score: 2

      I would assume the time allowance is for syncing and backups. Depending on the phone and the computer that could take a long time if the phone has a lot of files and the computer is older and using USB2.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    22. Re:Cludge fix? by AmiMoJo · · Score: 2

      The bootloader loads before the OS does. It doesn't have any concept of users. All it can do is ask for the passcode to decrypt flash memory or secure erase and overwrite the flash with a new image (for disaster recovery).

      The idea is that the secure element rate limits the number of password attempts. However, it appears that they have found some way to circumvent the limit, which involves exploiting the bootloader. It might be a case of loading their own code, or causing the secure element to crash and reset the attempt count/delay timer, or something else.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    23. Re:Cludge fix? by Nkwe · · Score: 1

      Why is modifying bootloader doesn't require root access on iOS?

      The boot loader is what *starts* iOS. iOS isn't actually running yet when the boot loader loads it, so iOS can't protect itself at this point. Pretty much all computers work this way - they have a lightweight piece of code (the boot loader) that is in the firmware of the device, this code's sole job is to read the operating system from storage, and start the operating system. The hardware of the device loads and runs the firmware boot loader, which in turn loads and runs the software operating system.

    24. Re:Cludge fix? by UnknowingFool · · Score: 5, Informative

      I'm not sure this change will affect GrayKey and Cellebrite anyway. My understanding is that they attack the phone's bootloader.

      How does GrayKey and Cellebrite get access to the boot loader? Cellebrite currently sells a small device that plugs into the phone.

      Eventually, law enforcement came to rely on Cellebrite's Universal Forensics Extraction Device, the UFED. It's a small, hand-held device that's easy to use. Police can simply plug in a phone and download the device's memory to a flash drive in a matter of seconds. That's how police can find your deleted text messages.

      GrayKey is a box that plugs into the Lightning port.

      The product itself is a gray box four inches deep by two inches tall, with two lightning cables sticking out of the front. Up to two phones can be plugged into the device at a time and are connected for about two minutes.

      If the iPhone refuses to communicate via cable then neither device can probably work unless the companies find a flaw they can exploit.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    25. Re:Cludge fix? by rickb928 · · Score: 2

      To what, search warrants?

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    26. Re:Cludge fix? by AmiMoJo · · Score: 1

      The bootloader can be accessed via the lightning port. That's how iTunes can recover an unbootable phone by doing a "factory reset". In that case iTunes instructs the bootloader to secure erase the flash memory and writes a new OS image to it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    27. Re:Cludge fix? by luvirini · · Score: 1

      >There isn't any amount of coding skill that can defend against a glitch like that.

      Actually there is a fairly simple solution. Though it is not about coding skill is is about understanding the problem.

      If you data can is some cases be modified you need to sign it using digital signature methods, and if the signature is not correct you refuse to use the data.

      Of course the "smart" cards of the era were nothing of the sort and wider understanding of digital signing is from a later era so not really a realistic/likely solution for the programmers back then, but is has to do with other knowledge, not coding skill.

    28. Re:Cludge fix? by AHuxley · · Score: 1

      Re "1 hour window of opportunity to compromise a phone"
      Police move in. The well educated computer aware protester shuts their trendy new big brand phone off.
      Police make arrests. Time taken to fill the van, bus back to the police station due to more arrests. Questions about name, ability to call to lawyer. Identity and citizenship questions. More time passes given the numbers arrested.
      Property gets sorted. An advanced new phone is discovered beyond the exiting guides police have on most new big brand US phones. A tech expert is contacted.
      The tech expert arrives to support police in their need to look at the data in the new phone..
      One hour has passed.
      A first direct question about the dongle location is asked.

      --
      Domestic spying is now "Benign Information Gathering"
    29. Re:Cludge fix? by hjf · · Score: 1

      Problem is though, when you forget your password with this feature, there is no restore. Cool brick!

      Problem is though, when you forget your password with this feature, there is no restore. Cool brick!

      AFAIK it's not bricked. But you lose all your access to all your Apple data if you forget this password. It's not just your phone that you lose.
      But if you regain access to this, you can have your phone back.
      At least it makes your iphone a little less valuable to thieves. If it's completely bootloader-bricked, with serial number checks to all peripherals (including screen and fingerprint reader) it's theoretically not worth even for spares.
      Of course, eventually someone will find out how to bypass this. But at least the one who stole your phone will have nothing but a brick, hopefully for a long time.

    30. Re: Cludge fix? by angel'o'sphere · · Score: 1

      You might be living under a rock.
      The recent 5 or more years /. was full with news that cops don't need a search warrant to look at the data of your phone.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    31. Re:Cludge fix? by Kulahan · · Score: 1

      I don't have to do CVE search to know that it is exactly zero, and if some are found they are fixed pronto.

      Translation: "We don't know how many there are, but fixing these issues is a very high priority

      So, they're about on par with pretty much every software company out there?

    32. Re:Cludge fix? by mccrew · · Score: 1

      This is silly. They don't need to patch every possible exploit, only ones that allow privilege escalation.

      OK, Mr. Armchair Problem Solver, can you just take a minute to list all those privilege escalation exploits that have been discovered by researchers, nation-states, and all others, which they are jealously guarding and will never give up voluntarily?

      1. 1.
      2. 2.
      3. 3.

      Feel free to use more space if this isn't enough.

      We're waiting...

      --
      Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
    33. Re:Cludge fix? by Anonymous Coward · · Score: 1

      Kludge is spelled with a 'K', thank you.

    34. Re:Cludge fix? by AmiMoJo · · Score: 3, Interesting

      Reminds me of the attack that finally recovered the hidden Gameboy boot ROM. Up until that point it had to be replaced by an open source one in emulators. The ROM was inside the CPU, and the final instruction in it disabled the ability to read said ROM until the next reset.

      Someone realized they could simply count the number of clock cycles needed to exit the ROM after reset, then sent that number -1 and glitched the clock line. The glitch caused the ROM-read-disable instruction to be skipped and the ROM could be dumped with a custom cart.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    35. Re:Cludge fix? by mysidia · · Score: 1

      Problem is though, when you forget your password with this feature, there is no restore. Cool brick!

      What if they changed the logic... (1) Enter USB restricted Mode as soon as the phone is locked, but only if the iPhone has been Unlocked at least Once after booting up.

      (2) Turn off the phone, and turn it back on while holding the Home button (or something), or with no USB device connected --- the device will either boot without entering restricted mode or detect no USB device connected and stay out of restricted mode until the phone is unlocked by entering the passphrase at least once, but since the device hasn't been unlocked yet: the kernel doesn't have the ability to decrypt any of the files.

    36. Re:Cludge fix? by msauve · · Score: 3, Interesting

      "I'm not sure this change will affect GrayKey and Cellebrite anyway."

      I'd assume that Apple has gotten their hands on one, knows how it works, and has used it to develop and test their new feature.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    37. Re:Cludge fix? by Immerman · · Score: 1

      There's an awful thin line between "bricked" and "bricked unless you can eventually find the password that you've forgotten". How many times have you managed to recall a password after forgetting it?

      Of course, if they're still regularly calling home to Apple for updates and the like, Apple might be able to at least do a remote wipe and restore to factory default state, so the phone itself wouldn't be lost, just all the data on it. That'd be nice.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    38. Re:Cludge fix? by Immerman · · Score: 1

      >So, they're about on par with pretty much every software company out there?

      I like your universe. How do I get there from here, where most software companies could care less about security issues beyond copy protection?

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    39. Re:Cludge fix? by TheFakeTimCook · · Score: 1

      I admit, I don't know exactly how GrayKey and Cellebrite work. However, if viewed from proper access control and privileges point of view, it shouldn't be possible to siphon the kinds of data (e.g. contacts, calls) that it is reportedly capable of doing.

      So, could someone explain to me why they went with a solution that still leaves 1 hour window of opportunity to compromise a phone instead of fixing, what I guess are overly permissive privileges within the file system?

      It's not that the privileges are "overly permissive", it's just that, once you're in, it trusts you to be you.

      Anything else would be like the first version of UAC in Visturd. Annoying as fuck, with very little additional benefit.

      I agree that 1 hour is a bit long; but it probably drops to zero if you have time to lock the phone with the "panic gesture" (press the sleep button 5 times).

    40. Re:Cludge fix? by ctilsie242 · · Score: 1

      A DFU restore? I wonder how this USB "locking" mechanism will deal with that. Maybe iBoot or the firmware will allow a firmware overwrite and erase, but not any ability to read.

    41. Re:Cludge fix? by Immerman · · Score: 1

      Well, it'd almost certainly be impossible for *you* to do so - how would you talk to the phone? Normally you'd plug it into your PC and initiate a reset, but now plugging it into the PC doesn't actually do anything unless the phone is unlocked, so...

      The only chance would be if the phone is still wirelessly connecting to Apple, and Apple has the capability to remotely trigger a reset.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    42. Re:Cludge fix? by TheFakeTimCook · · Score: 1

      This is also silly design. It should be possible to wipe and reset it.

      Who says there isn't?

      If you have the "Wipe after 10 tries" switched-on, then it will do that anyway.

    43. Re:Cludge fix? by Immerman · · Score: 1

      How would that protect against a hardware compromise that allows the attacker to write to memory that *should* be protected? What would prevent the attacker from then just changing the required signature to their own?

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    44. Re:Cludge fix? by Joce640k · · Score: 1

      They don't need to patch every possible exploit, only ones that allow privilege escalation.

      Well, if you give them a list of exploits that these tools use, I'll bet they will be more than happy to fix them.

      In this case they don't need to patch any exploits, they just need to disable the USB connector.

      (the existing 'exploit' appears to be that they don't do that)

      --
      No sig today...
    45. Re:Cludge fix? by Immerman · · Score: 1

      > If it wasn't deliberate they would have blocked the access by fixing the USB bug.
      Is that not exactly what they're doing? They don't know exactly what the bug is, so they're making the USB port useless unless the phone is already unlocked.

      Of course that's sort of the nuclear option, as it removes the easiest routes to repairing a phone with "broken" software, as well as probably interfering with the functionality of a number of clock-radios and other often-idle accessories. But it does the job.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    46. Re:Cludge fix? by UnknowingFool · · Score: 2

      The bootloader can be accessed via the lightning port. That's how iTunes can recover an unbootable phone by doing a "factory reset". In that case iTunes instructs the bootloader to secure erase the flash memory and writes a new OS image to it.

      That would probably destroy any ability to recover the data on the phone as the per file encryption keys would be lost forever. This feature isn't to make a phone immune to theft; it's to make the data on the phone more secure from hacking.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    47. Re:Cludge fix? by jrmcferren · · Score: 1

      "They should also block software updates without unlocking the phone, to prevent the FBI getting a court warrant to force Apple to make "unlock assistance" software."

      You mean like how I have to enter my passcode to update either the iPhone or a Paired Apple Watch?

      --
      sudo mod me up
    48. Re:Cludge fix? by UnknowingFool · · Score: 4, Interesting

      Let's say that Apple can do this. The problem is that Apple is then limited to plugging every single flaw one at time. With this feature they can mitigate a whole class of exploits.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    49. Re:Cludge fix? by AmiMoJo · · Score: 1

      Yes, that's the point. You can only erase the flash, you can't recover data from the phone via the bootloader.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    50. Re:Cludge fix? by CaptainDork · · Score: 2

      ... when you forget your password ...

      You've also forgotten how to use the goddam phone.

      If you forgot your passcode, or if a message says that your device is disabled, follow these steps to remove your passcode.

      --
      It little behooves the best of us to comment on the rest of us.
    51. Re:Cludge fix? by sexconker · · Score: 1

      NFN_NLN was referring to fucking with the cards.

      luvirini pointed out that doesn't fucking matter if the device reading the card checks that it's signed by a trusted key.

      You're referring to fucking with the device reading the cards.

    52. Re:Cludge fix? by Darinbob · · Score: 1

      You can duplicate digital signatures though. This can be solved by other means, but it's primarily why a lot of systems try to just hide the data instead.

    53. Re:Cludge fix? by andymadigan · · Score: 1

      I believe you can still do a full reset of the device by connecting it to iTunes in recovery mode. This doesn't allow you to access anything stored on the device, but you can erase everything on the phone. Of course, activation lock still prevents it from being activated again unless you have access to the Apple ID previously used on the phone.

      --
      The right to protest the State is more sacred than the State.
    54. Re:Cludge fix? by tattood · · Score: 1

      With apple cash horde, just buy them out. They have cash to spare.

      So that the founders now have a ton of cash to go and build the next, more advanced unlocking box.

      --
      WTB [sig], PST!!!
    55. Re:Cludge fix? by AmiMoJo · · Score: 1

      I don't think locking will affect DFU.

      Even if you read the flash (an optional part of the DFU spec) it's encrypted. The only realistic attack is on the passcode.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    56. Re:Cludge fix? by CohibaVancouver · · Score: 1

      For Christ's sake Anonymous Coward - Did you READ THE LINKED ARTICLE?

      The whole point is once this software change is in place DFU won't work if you don't know the device's password because you can't plug into a Mac or PC if you don't know the code.

    57. Re: Cludge fix? by Brockmire · · Score: 1

      You employ them in the security department. It's pretty common to lock up the actual talent for 2-3 years when dropping off a truckload of cash to a few smart dudes.

    58. Re: Cludge fix? by Brockmire · · Score: 1

      Are you fucking serious? That's some weak give up shit attitude. Apple has access to the fucking code, cash and tons of smart people. If you don't think there's countermeasures they are leaving on the table you are fucking wrong. They have demonstrated dropping the ball on QA several times. This is another case. They were so late to fuzz testing, they don't try hard enough. The guy who heads up Apple's spy division really dropped the fucking ball here and must be under the gun for being all talk and not getting results.

    59. Re:Cludge fix? by zippthorne · · Score: 1

      USB access should default to no, have a setting where it's just full off, and a setting where you can limit it to select machines that you've "paired" it with. How often do you connect a phone to a machine that isn't your own and want that machine to have access to your photos and contacts and app data? Isn't it more likely that any machine that isn't the one you sync with, you just want to use it to charge the battery?

      --
      Can you be Even More Awesome?!
    60. Re:Cludge fix? by thegarbz · · Score: 1

      I too was thrown by the 1 hour window. How often outside of sleepy time does one's phone remain unlocked for an entire hour?

      It's a question of nefarious timing. You go out and get pulled over for a DUI or some other stupid crap like that. The police try to sting you with a crime by fishing through your phone, but you refuse to unlock it for them. You've already wasted 15min like there. These systems aren't cheap, and every officer isn't carrying one. What are the odds of getting that phone to one of these devices in the remaining 45min?

      Apple isn't working against nation state attacks against specific targets here, they are working against the FBI and police and their thousands of seized phones.

    61. Re:Cludge fix? by Immerman · · Score: 1

      You can always get a USB charging cable that doesn't even *have* any data lines, though finding one intentionally may be a challenge. And it'd mean your phone should draw only the standard 0.5A specified by the USB standard, since it can't negotiate for higher current.

      I may be wrong here - someone with more USB protocol experience feel free to step in, but:

      I agree that your proposal would be good, but I think it would require a potentially major revision to the USB standard to implement - the USB standard is designed as a data connection of peripherals to a centrally controlling host - dumb power was never an intended purpose for it, and even today remains a fall-back option to allow for cheap chargers. It doesn't even consider the possibility of untrusted connections, especially from the device end (your phone). You plug something in to your PC, it's pretty much presumed to be a peripheral that now belongs to the PC. The device can't even initiate any communications - it can only respond to communication initiated by the host.

      What you could potentially do today is have a prompt pop come up on your phone saying "Enable data?" whenever it's plugged in, and just pretend to be a power-hungry USB hub unless and until you activate data to "plug in" the virtual phone. Or even a switch that electrically disables the data lines. But I don't think they could be auto-connected to your normal PC, because the the USB protocol doesn't involve the PC identifying itself.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    62. Re:Cludge fix? by Immerman · · Score: 1

      I wasn't actually talking about satellite cards, nor seemingly was the person who first mentioned them. We're talking about hardware exploits - which can't be easily defended against via software.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    63. Re:Cludge fix? by KingBenny · · Score: 1

      "could" smells like "ICO" lol , nothing proven yet

      --
      Free speech was meant to be free for all... how can anyone grow up in a nanny state ?
  2. Hyperbole much? by Jason1729 · · Score: 4, Informative

    "Apple Is Testing a Feature That Could Kill Police iPhone Unlockers. " Um, the feature you describe will prevent current unlockers from working on an iPhone with the feature enabled. But it's not going to kill the unlocker. That conjures up imagery of something that will detect the unlocker and fire high voltage into it or some such.

    I guess my 4-digit pin kills anyone who tries to casually snoop at my phone.

    1. Re:Hyperbole much? by arth1 · · Score: 1

      Yeah, this is false advertising. Although it might be possible to cause the battery to explode, and at least get a decent chance of maiming them.
      Just reducing the number of police trigger fingers might make this part of the world a safer place.

    2. Re:Hyperbole much? by teslar · · Score: 1

      If a product no longer works, it is likely to get discontinued ("killed off"). It's not that much of a stretch to say that making software useless will kill it.

      Captcha: epitaphs.

  3. Re:Tails Linux v.3.7 - crazy logging w/ obfs4 brid by bensafrickingenius · · Score: 1

    ** I have not looked to make sure I was commenting on the intended story.

    --
    I am not left-handed, either!
  4. It could be so much easier! by idji · · Score: 4, Interesting

    What if your left thumb unlocked your phone and your right thumb wiped the device invisibly? The criminal could never know, you deniability and the police will be too scared to tap your dead finger to the phone.
    Or what if left-right-left unlocked and left-right-right wiped?

    1. Re:It could be so much easier! by Anonymous Coward · · Score: 2, Insightful

      Fingerprints have a non-zero chance of being misidentified, and the user a huge chance of accidentally doing the wrong swipe command because they forgot or recently switched gestures.

      Bad idea, imho

    2. Re:It could be so much easier! by squiggleslash · · Score: 1

      I too want to destroy my phone every time I accidentally pick it up with the wrong hand.

      --
      You are not alone. This is not normal. None of this is normal.
    3. Re:It could be so much easier! by OzPeter · · Score: 1

      What if your left thumb unlocked your phone and your right thumb wiped the device invisibly? The criminal could never know, you deniability and the police will be too scared to tap your dead finger to the phone.

      Or what if left-right-left unlocked and left-right-right wiped?

      Given that Apple is moving to Face ID for phone unlocking I don't see any changes based on finger prints happening. Plus the possibility of accidentally wiping a phone would have Apple really nervous about lawsuits.

      --
      I am Slashdot. Are you Slashdot as well?
    4. Re:It could be so much easier! by cascadingstylesheet · · Score: 1

      What if your left thumb unlocked your phone and your right thumb wiped the device invisibly? The criminal could never know, you deniability and the police will be too scared to tap your dead finger to the phone. Or what if left-right-left unlocked and left-right-right wiped?

      I'm hoping this is tongue in cheek ... humans are far too unreliable to make it this easy to accidentally wipe your phone.

    5. Re:It could be so much easier! by wbr1 · · Score: 2

      What you are promoting is a dead-man-switch. Technically easy to implement, but not done by any device manufacturer currently. Probably because they do not want the piles of support calls for accidental phone wipes.

      --
      Silence is a state of mime.
    6. Re:It could be so much easier! by wbr1 · · Score: 1

      Thinking about it some more, having it have multiple steps would help. Perhaps the dead-man trigger would not wipe the device but put it into an 'alert' state such that any attempt at data connection through USB or failed 'real' unlock attempt would wipe the device.

      --
      Silence is a state of mime.
    7. Re:It could be so much easier! by Anonymous Coward · · Score: 2

      It's actually a good idea, just poorly implemented. Instead of wiping after a single swipe of the panic finger, it would require 3-4 swipes.

      Of course, to really work, you would need to allow the user to decide if the fingerprint sensor should only function as an unlock, or only function as a panic-wipe. Otherwise, you as a user would want to know if the "error reading fingerprint" message is the real deal or the phony "swipe X more times to initiate factory reset" message. But if you use an alternate message, the bad guys would know about alternate messages and would watch you try to unlock it and stop you if the alternate message displays. Also, since it would require multiple swipes before wiping, the bad guys could just demand that you use a different finger for each swipe. That could be somewhat alleviated by letting you specify 9 prints as wipe prints, with 3-4 successful scans of any of those 9 initiating a wipe. But there'd still be the possibility of the bad guys choosing the correct finger before enough successful panic-swipes.

      And to clarify, each time I said "bad guys" I was not referring to cops or other governmental enforcers. I was referring to whatever you the reader would consider actual bad guys. Yes this idea would of course also hinder legal law enforcement, but trying to argue in favor of security when the other side screams "think of the pedophile terrorists!" is a losing battle. So I frame it as protecting people against the pedophile terrorists rather than protecting people's rights against law enforcement over-reach.

    8. Re:It could be so much easier! by PPH · · Score: 1

      Because my wife pulls her phone out of her purse upside down or face down just as many times as she does right side up. One swipe the wrong way and everything is gone.

      --
      Have gnu, will travel.
    9. Re:It could be so much easier! by Bearhouse · · Score: 1

      Good idea, until you fumble in your pocket, or in the dark, or try and catch the 'phone as it slips off the table and....wipe it.

    10. Re:It could be so much easier! by geekmux · · Score: 2

      What if your left thumb unlocked your phone and your right thumb wiped the device invisibly? The criminal could never know, you deniability and the police will be too scared to tap your dead finger to the phone. Or what if left-right-left unlocked and left-right-right wiped?

      Uh, do you really think it's going to be "so much easier" to explain to law enforcement why you erased your smartphone and not make it look like you were destroying evidence?

      Try and remember the "criminals" Apple is trying to defeat here. I can assure you the larger battle will be more legal than technical when it comes to end-users wiping their own devices.

    11. Re:It could be so much easier! by burtosis · · Score: 1

      But there'd still be the possibility of the bad guys choosing the correct finger before enough successful panic-swipes.

      Plot twist, all 10 fingers are invalid, the body part that actually unlocks it is left up to the readers imagination.

    12. Re:It could be so much easier! by Uberbah · · Score: 2

      The cops see you talking on your phone. Then, they ask you to unlock it. You say "Sure!" and suddenly the phone wipes. Congratulations on your charge for obstruction of justice.

      If you open your big mouth, you're screwed anyway. On the other hand, if you casually lock the phone and switch it to your left hand to wipe with your other thumb for the erase and then say "I do not consent to any searches" and "I will only speak to my lawyer", the cops will have a much harder time proving anything.

    13. Re:It could be so much easier! by arth1 · · Score: 1

      Plot twist, all 10 fingers are invalid, the body part that actually unlocks it is left up to the readers imagination.

      I think it's fairly clear that this should be the brain.

      The problem is in assuming that the finger (or in your case other body part) always will be representing the brain. That's a bad assumption.
      Authentication and authorization (by the user, not the device) need to be decoupled - the former does not imply the latter.
      "I am arth1" does not automatically validate "and arth1 wants to unlock".

    14. Re:It could be so much easier! by chispito · · Score: 1

      What if your left thumb unlocked your phone and your right thumb wiped the device invisibly? The criminal could never know, you deniability and the police will be too scared to tap your dead finger to the phone. Or what if left-right-left unlocked and left-right-right wiped?

      Sounds like a good solution for iUsers who don't drink.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    15. Re:It could be so much easier! by bobobobo · · Score: 2

      Tangentially related, but I believe you can tap the power button 5 times to bring up the emergency prompt. Doing that will lock the phone out of biometric logins adding another layer of security.

  5. Won't stop imaging. by Metabolife · · Score: 1

    Image the underlying flash, wire to wire. Boot the image on a new phone, cache writes to delta, attempt unlock till limit. Reboot state, clear delta, attempt next set of codes, get combo. 6 digit passcodes are the norm and useless against this attack. USB access be damned.

    1. Re:Won't stop imaging. by tsa · · Score: 1

      Every criminal knows this so they use longer passwords.

      --

      -- Cheers!

    2. Re:Won't stop imaging. by aaarrrgggh · · Score: 1

      That is a much less trivial attack though, and not 100% reliable-- the secure enclave should be able to limit the effectiveness.

    3. Re:Won't stop imaging. by Whorhay · · Score: 2

      Doing all that will require a lot more time and expertise than an officer simply plugging in a usb cable. By raising the amount of effort required to break the security the authorities are forced to prioritize which phones they can crack. Overall this should result in fewer people having their phones compromised.

  6. I don't understand why this wasn't already a thing by mark-t · · Score: 1

    Does anybody know? What was the holdup? Certainly it couldn't have been difficult to implement, could it?

    --
    File under 'M' for 'Manic ranting'
  7. Isn't Android doing this since years? by Zorpheus · · Score: 5, Insightful

    Sounds pretty much like it works in Android

    1. Re: Isn't Android doing this since years? by Anonymous Coward · · Score: 1

      Isn't Google selling every piece of information you have on that phone?

    2. Re:Isn't Android doing this since years? by dargaud · · Score: 2

      It depends a bit on the version, but nowadays you have to unlock the phone AND select file transfer (each time), otherwise you can't copy shit.

      --
      Non-Linux Penguins ?
    3. Re:Isn't Android doing this since years? by dohzer · · Score: 1

      I am stunned that this is how Apple has been doing it!

    4. Re:Isn't Android doing this since years? by thegarbz · · Score: 1

      No. Android doesn't automatically give the phone access to SOME of the system functions without confirmation (often even when unlocked) but there is still an open communication channel between the USB device and the phone even when the phone is locked. You can see that because the device will identify itself on the lockscreen, or when I plug my locked phone into a laptop to charge I can see the full USB details of the phone on my laptop (I just can't do anything with it since Android blocks access to the file system until I unlock and confirm).

      This wouldn't stop a carefully crafted exploit.

    5. Re: Isn't Android doing this since years? by Zorpheus · · Score: 1

      Ok, there is a bit of communication when an Android device is connected to usb. Though it is not much and quite simple. It should only give a very small attack surface, and I would hope that these few routines responsible for that are checked carefully enough to make them safe.
      So am Apple device does not even do that?
      Otherwise I would say that Android is blocking much more strictly. It does not connect to any usb device unless it is told to do so, while as I understand this the iPhone connects to malicious chargers while it is unlocked.

    6. Re: Isn't Android doing this since years? by thegarbz · · Score: 1

      Possible. But I think the risk is much bigger than you estimate. The amount of information exchange needed to identify a USB device is actually quite large and the process is quite complex involving a myriad of drivers long before the permission to release the device is presented to the user.

      I think the attack surface is quite large, though I agree at present Android's handling of USB is superior to that of the iPhone's. However if they actually block ALL data including identification related data until the device is unlocked then that is a step up again.

    7. Re: Isn't Android doing this since years? by Zorpheus · · Score: 1

      Ok I don't know how Android is doing this and how much it gets involved. On an Atmel AVR an USB demo is just 3500 bytes of Code with LUFA, so it could be kept compact and simple.

    8. Re: Isn't Android doing this since years? by thegarbz · · Score: 1

      Yes the USB peripherel doesn't need to do much as a minimum to set up a connection. The USB Host on the other hand needs to support quite a bit more including having a dedicated driver for each USB class. If you setup your AVR for USB-CDC Serial on Atmel your entire USB code + application will be a fraction of the size of the driver that is invoked when you first plug it in (e.g. usbser.sys which is invoked when you use AVR LUFA's CDC Serial code is over 32kb). Likewise the example code for USB host applications in LUFA compile to something very small, but ultimately they are functionally very limited for their application, and the number of applications are incredibly limited as well. i.e. I haven't ever done it before but I don't see even the beefier AVRs having capability to act as a host for diverse devices, e.g. a serial device or an audio device depending on which is plugged in.

      That's the attack surface there, a USB host stack designed to universally take a myiad of devices. Also LUFA is quite limited in its capabilitieis compared to what the USB stack itself permits, e.g. no USB 3 which further limits the size of the code needed to get things working.

      USB support in a generic sense doesn't present much of an attack vector, but providing a very complete and universal implementation of USB that can act as a host and a device in a large variety of different ways like a smartphone potentially does.

  8. and in china they will have an unlock code for gov by Joe_Dragon · · Score: 1

    and in china they will have an unlock code for government.

  9. Seems illegal. by in10se · · Score: 4, Funny

    It seems like killing police for unlocking an iPhone would get Apple in trouble.

    --
    Popisms.com - Connecting pop culture
    1. Re:Seems illegal. by alvinrod · · Score: 1

      This prevents unauthorized access. There's no guarantee that it's the police or some other lawful agency that's attempting to unlock your phone without your consent. If the police want access, they can get a warrant. Failure to comply at that point puts you in prison in most jurisdictions so from the perspective of the police, they don't really need to care if they can't actually get into the device.

    2. Re:Seems illegal. by in10se · · Score: 1

      WHOOSH!

      Headline reads: "Apple Is Testing a Feature That Could Kill Police..."

      --
      Popisms.com - Connecting pop culture
    3. Re:Seems illegal. by fox171171 · · Score: 1

      It seems like killing police for unlocking an iPhone would get Apple in trouble.

      The headline made me envision an exploding battery.

  10. What device is meant? by tsa · · Score: 1

    I take it that the USB device the phone is connected to can not be just any USB device but one that the phone knows?

    --

    -- Cheers!

    1. Re:What device is meant? by AHuxley · · Score: 1

      A factory crafted idongle that only works with the iproduct it got made with. Together at a factory in a distant nation with laws about working with the police...

      --
      Domestic spying is now "Benign Information Gathering"
  11. ..That Could Kill Police iPhone Unlockers by kiviQr · · Score: 2

    If they really wanted to kill unlockers they should have included capacitor based USB Killer.

  12. Re: Typical Apple by MachineShedFred · · Score: 2

    Which is why the article has a screenshot showing a switch to disable it?

    --
    Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
  13. Re:I don't understand why this wasn't already a th by aaarrrgggh · · Score: 1

    My guess is they break their MFI program parameters with it.

  14. fake news by Anonymous Coward · · Score: 1

    In Soviet America it's illegal to sell a secure cellphone to civilians.

  15. Re:I don't understand why this wasn't already a th by UnknowingFool · · Score: 2

    It has to be implemented most likely at a very low level in the hardware or iOS or it might be circumvented somehow via software.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  16. Re:Great by UnknowingFool · · Score: 1

    That requires the phone to be unlocked when the police seize it though.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  17. Re:I don't understand why this wasn't already a th by AHuxley · · Score: 1

    Users observed during testing would press the dongle in wrong and damage the delicate notch.
    Better cartoons got tested by artists so users will now know how to hold the dongle.
    The better cartoons and artwork is now ready so the product is now ready for average users.

    --
    Domestic spying is now "Benign Information Gathering"
  18. Re:Typical Apple by UnknowingFool · · Score: 1

    With this feature both scenario 2 and 3 are the same. This feature can be turned off so scenario 1 is a choice.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  19. Different Fingerprints: Different VMs by crow · · Score: 3, Interesting

    What I want is to have encrypted VMs on my phone, with different fingerprints unlocking different VMs. Or perhaps different levels of unlocking. Unlocking the phone doesn't have to be a binary operation.

    Something like this would also be great for handing my phone to my son so that he can play games, while locking him out of my email and such.

    1. Re:Different Fingerprints: Different VMs by dargaud · · Score: 2

      I don't know about iPhones, but on android you can have different users with different unlocking methods (one can be password, the other fingerprint, the other a drawing, etc), each with it's own account. I'm not sure how it merges with an encrypted phone, but, yes, you can basically do that... if you don't have an iPhone (as usual).

      --
      Non-Linux Penguins ?
    2. Re:Different Fingerprints: Different VMs by ath1901 · · Score: 1

      I would prefer different access levels (like user vs root) that unlock with different passwords. For example, one password opens the phone with all the regular apps and another opens with regular and sensitive apps like banking. This gives plausible deniability which a two user setup does not. I am much more concerned about some evil citizen stealing than the government. If a thief can't technically crack it, they can always use the wrench" method https://xkcd.com/538/. Plausible deniability would help against that.

      I had an LG with something almost like it. The guest mode was accessed by entering a different password. But, it was a guest mode and didn't look and feel like the regular login. LineageOS has protected apps but it is not really "deniable" that some stuff is locked. It would be great if they could implement something like dual passwords.

  20. Here's an idea by llamalad · · Score: 1

    While they're at it, why not also fix the vulnerability that the unlockers exploit?

    1. Re:Here's an idea by UnknowingFool · · Score: 1

      They can fix the exploit but that also means they can only fix exploits one at a time whenever someone finds another. With this feature they can mitigate a whole class of exploits.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
  21. Cellebrite and Grayshift may have a problem by shubus · · Score: 1

    IF Apple implements this, and I'm sure every state & federal agency will be pushing back against this, then Cellebrite and Grayshift will have a problem and you just imagine all the tears users won't be shedding if Apple goes ahead with this.

  22. There's an easy fix for that by alispguru · · Score: 1

    Apple should just make the USB lock come on one hour after the last unlock-via-passcode event.

    The vast majority of my phone unlocks are via fingerprint/TouchID, and these should not count.

    I enter the passcode on my iPhone:

    * After a reboot
    * When my thumb is damp and won't read
    * When installing an update

    If it works this way, my phone will require a passcode for USB access... essentially all the time.

    --

    To a Lisp hacker, XML is S-expressions in drag.
  23. Re:Completely Unnecessary and a Waste of Money by sycodon · · Score: 1

    Dear AC Asshole.

    I have relayed your suggestion to the "Geniuses" at the Apple store. The same ones who told be the phone could not be recovered.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
  24. Re:Typical Apple by Pseudonym · · Score: 1

    Wait, what? iPhones are going to come with a USB port?

    --
    sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
  25. Ruler app?? by RockDoctor · · Score: 1

    Among its most anticipated features are group FaceTime, Animoji, and a ruler app.

    There are notches at 1cm intervals along the casing? Or, for American models, 1 cm on the intermediate edge and 1in on the long edge?

    By the six balls of Jesus, Mary, Joseph and the donkey, just how incompetent are Apple users?

    --
    Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"