Slashdot Mirror


Apple Is Testing a Feature That Could Kill Police iPhone Unlockers (vice.com)

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: On Monday, at its Worldwide Developers Conference, Apple teased the upcoming release of the iPhone's operating system, iOS 12. Among its most anticipated features are group FaceTime, Animoji, and a ruler app. But iOS 12's killer feature might be something that's been rumored for a while and wasn't discussed at Apple's event. It's called USB Restricted Mode, and Apple has been including it in some of the iOS beta releases since iOS 11.3.

The feature essentially forces users to unlock the iPhone with the passcode when connecting it to a USB accessory every time the phone has not been unlocked for one hour. That includes the iPhone unlocking devices that companies such as Cellebrite or GrayShift make, which police departments all over the world use to hack into seized iPhones. "That pretty much kills [GrayShift's product] GrayKey and Cellebrite," Ryan Duff, a security researcher who has studied the iPhone and is Director of Cyber Solutions at Point3 Security, told Motherboard in an online chat. "If it actually does what it says and doesn't let ANY type of data connection happen until it's unlocked, then yes. You can't exploit the device if you can't communicate with it."
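The policy in the summary above, as an added example (model code written for this page, not Apple's implementation): a phone that grants a USB data connection only while unlocked or within a window after the last unlock. The article gives just the one-sentence description, so two assumptions are labelled in the code: the window is measured from the last unlock, and an accessory connecting does not itself extend it. The window length is a parameter, so the "unlock every single time" behaviour several commenters describe on Android is the same model with a window of zero. The seizure timeline is constructed for the demonstration.

```python
"""Added example (not Apple's code): a model of the USB Restricted Mode policy
as the article describes it, so the size of the one-hour window can be seen on
a concrete timeline.

Assumptions (the article does not spell these out):
  * a USB data connection is allowed if the phone is currently unlocked or was
    last unlocked less than `window` seconds ago;
  * an accessory connecting does not itself extend the window.
Timestamps are plain integers (seconds) so the model runs offline.
"""
from typing import List, Optional, Tuple

HOUR = 3600


class Phone:
    def __init__(self, window: int = HOUR) -> None:
        self.window = window                    # seconds after an unlock during which USB data is allowed
        self.locked = True
        self.last_unlock: Optional[int] = None  # None: never unlocked

    def unlock(self, t: int) -> None:
        """Passcode unlock at time t."""
        self.locked = False
        self.last_unlock = t

    def lock(self, t: int) -> None:
        self.locked = True

    def usb_data_allowed(self, t: int) -> bool:
        """Would an accessory plugged in at time t get a data connection?"""
        if not self.locked:
            return True
        if self.last_unlock is None:
            return False
        return t - self.last_unlock < self.window

    def seconds_until_restricted(self, t: int) -> int:
        """How long someone holding the locked phone at time t can still talk to it over USB."""
        if not self.locked:
            return self.window            # the full window starts whenever it is locked
        if self.last_unlock is None:
            return 0
        return max(0, self.last_unlock + self.window - t)


Event = Tuple[int, str]   # (time, "unlock" | "lock" | "usb")


def simulate(events: List[Event], window: int = HOUR) -> List[Tuple[int, bool]]:
    """Replay a timeline; for every accessory connection report whether data was allowed."""
    phone = Phone(window)
    results: List[Tuple[int, bool]] = []
    for t, kind in sorted(events):
        if kind == "unlock":
            phone.unlock(t)
        elif kind == "lock":
            phone.lock(t)
        elif kind == "usb":
            results.append((t, phone.usb_data_allowed(t)))
        else:
            raise ValueError(f"unknown event {kind!r}")
    return results


# Constructed timeline: owner unlocks at t=0, phone is seized and goes back to the
# lock screen at t=300, a forensic box is connected at t=1800 and again at t=4000.
SEIZURE: List[Event] = [(0, "unlock"), (300, "lock"), (1800, "usb"), (4000, "usb")]

if __name__ == "__main__":
    print("one-hour window  :", simulate(SEIZURE))            # [(1800, True), (4000, False)]
    print("unlock every time:", simulate(SEIZURE, window=0))  # [(1800, False), (4000, False)]
```

The first connection in the constructed timeline lands 30 minutes after the last unlock and is allowed; the second, after the window has expired, is refused. With `window=0` the phone must be unlocked at the moment of connection, which is the stricter behaviour the Android comments below describe.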


  1. Cludge fix? by sinij · · Score: 3, Interesting

    I admit, I don't know exactly how GrayKey and Cellebrite work. However, if viewed from proper access control and privileges point of view, it shouldn't be possible to siphon the kinds of data (e.g. contacts, calls) that it is reportedly capable of doing.

    So, could someone explain to me why they went with a solution that still leaves a 1-hour window of opportunity to compromise a phone instead of fixing what I guess are overly permissive privileges within the file system?

    1. Re:Cludge fix? by Anonymous Coward · · Score: 5, Informative

      I admit, I don't know exactly how GrayKey and Cellebrite work. However, if viewed from proper access control and privileges point of view, it shouldn't be possible to siphon the kinds of data (e.g. contacts, calls) that it is reportedly capable of doing.

      So, could someone explain to me why they went with a solution that still leaves a 1-hour window of opportunity to compromise a phone instead of fixing what I guess are overly permissive privileges within the file system?

      The file system isn’t left open, there are kernel exploits in iOS. Apple’s developers aren’t perfect and don’t know where they left things like buffer overflows that can be exploited. They fix them as they find them, but of course GrayKey won’t share its trade secret. Instead of thinking that patching every possible exploit is possible, they restrict access to the device so that although exploits will probably always exist, someone without the passcode can’t interact with the phone at all. Problem is though, when you forget your password with this feature, there is no restore. Cool brick!

    2. Re:Cludge fix? by bensafrickingenius · · Score: 4, Insightful

      I too was thrown by the 1 hour window. How often outside of sleepy time does one's phone remain unlocked for an entire hour?

      --
      I am not left-handed, either!
    3. Re:Cludge fix? by Anonymous Coward · · Score: 5, Funny

      I too was thrown by the 1 hour window. How often outside of sleepy time does one's phone remain unlocked for an entire hour?

      When the police seize it.

    4. Re:Cludge fix? by omnichad · · Score: 2

      It would be smarter if that one hour window only applies to unlocks that grant USB access, not all unlocks. Much like an unlocked phone still requires confirmation for an app store purchase.

    5. Re:Cludge fix? by AmiMoJo · · Score: 2

      I'm not sure this change will affect GrayKey and Cellebrite anyway. My understanding is that they attack the phone's bootloader. It's a special bit of firmware that loads at boot time and is designed to make recovery from a broken OS image possible. It seems that they found some vulnerability in it that they can exploit to disable the passcode attempt limit and then automatically try passcodes until they find the right one.

      Also, this fix doesn't seem to be enough... On my Pixel you always have to unlock to access any of the phone's resources via USB. There is no 1 hour grace period, it's needed every single time.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Cludge fix? by bondsbw · · Score: 5, Funny

      Apple’s developers aren’t perfect

      No no no... that's not how it works. Apple developers definitely are perfect, and everything they "fix" is really just better perfection.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    7. Re:Cludge fix? by BorgDrone · · Score: 3, Insightful

      They don't need to patch every possible exploit, only ones that allow privilege escalation.

      Well, if you give them a list of exploits that these tools use, I'll bet they will be more than happy to fix them.

      if a product, like GrayKey and Cellebrite is released, then it is imperative that Apple reverse-engineer it to fix bugs they exploit.

      And to do that they need to get their hands on one of them first, and GrayKey/Cellebrite are doing everything they can to prevent that.

    8. Re: Cludge fix? by MachineShedFred · · Score: 2

      The time from when a cop takes it from you, and when they get a judge to sign a search warrant allowing them to look at it.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    9. Re:Cludge fix? by NFN_NLN · · Score: 4, Interesting

      The file system isn’t left open, there are kernel exploits in iOS. Apple’s developers aren’t perfect and don’t know where they left things like buffer overflows that can be exploited.

      I remember back in the satellite smart card hacking days when we had to "glitch" cards. We would put them in a special card reader and run commands through a loop over and over. As the commands were running through you could adjust the VCC voltage supplied to the card. If you hit the right timing/voltage the card would "glitch" and you could write to protected memory and gain access. You could buy unhacked cards by the hundreds and with enough skill 90% of the cards were glitchable. There isn't any amount of coding skill that can defend against a glitch like that.

    10. Re:Cludge fix? by KiloByte · · Score: 5, Informative

      How many privilege escalation and code execution flaws in, for example, current RHEL?

      With the default desktop, plug in any USB mass storage with a crafted filesystem. Even a simple filesystem like ext4 whose maintainer keeps religiously fuzzing it keeps popping up new exploitable flaws; no one bothers issuing CVEs nor even backporting patches to stable kernels for these (as the attack mode is known since forever, and there's only so much educating distro maintainers about security Tytso and co can do). Besides ext4, we have some ridiculously complex filesystems like btrfs or xfs, and plenty of unmaintained ones like qnx4/qnx6 that nevertheless have their modules enabled, including automount, on distro kernels.

      Red Hat/Fedora's default is to automount any inserted removable media, at least in the desktop version, even if the screen is locked. This is exactly the kind of flaw discussed in this very article; I guess USB sub-protocols other than mass storage might have similarly egregious flaws. Shutting down recognizing any new USB devices (other than possibly dumb chargers) while locked is a long overdue fix.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    11. Re:Cludge fix? by UnknowingFool · · Score: 2

      I would assume the time allowance is for syncing and backups. Depending on the phone and the computer that could take a long time if the phone has a lot of files and the computer is older and using USB2.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    12. Re:Cludge fix? by AmiMoJo · · Score: 2

      The bootloader loads before the OS does. It doesn't have any concept of users. All it can do is ask for the passcode to decrypt flash memory or secure erase and overwrite the flash with a new image (for disaster recovery).

      The idea is that the secure element rate limits the number of password attempts. However, it appears that they have found some way to circumvent the limit, which involves exploiting the bootloader. It might be a case of loading their own code, or causing the secure element to crash and reset the attempt count/delay timer, or something else.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
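The comment above speculates that the attempt limit is defeated by crashing or resetting the secure element mid-check. Whether or not that is what the commercial tools do (the thread only guesses), the ordering of "record the attempt" versus "check the passcode" is the design point such a reset would target, so here is an added example (generic illustration written for this page, not a description of any real device or product) that models it: a secure element with a persistent failed-attempt counter, and an attacker who cuts power at a chosen point in every check. PBKDF2 with a small iteration count stands in for the element's slow key derivation; the passcode, candidate list and attempt limit are constructed for the demonstration.

```python
"""Added example (generic design illustration, not a description of GrayKey or
Cellebrite): a passcode rate limiter modelled as a secure element with a
persistent failed-attempt counter, and an attacker who can cut power at a
chosen point in each check.

Point demonstrated: if the counter is written to non-volatile storage only
*after* the comparison, cutting power between the verdict and the write gives
unlimited attempts; writing it *before* the comparison closes that gap.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

KDF_ITERATIONS = 1000   # demo value; a real element uses a far slower derivation


class PowerCut(Exception):
    """The attacker pulls power mid-check: RAM state is lost, NVStore survives."""


class NVStore:
    """Non-volatile state that survives a reset."""
    def __init__(self) -> None:
        self.failed_attempts = 0


class SecureElement:
    MAX_ATTEMPTS = 10   # constructed limit; after this the element refuses further guesses

    def __init__(self, passcode: str, store: NVStore, commit_before_check: bool) -> None:
        self.store = store
        self.commit_before_check = commit_before_check
        self.salt = os.urandom(16)
        self.expected = self._derive(passcode)

    def _derive(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, KDF_ITERATIONS)

    def try_passcode(self, guess: str, cut_power: bool = False) -> str:
        """Returns "unlocked", "wrong" or "locked". With cut_power the attacker
        interrupts the failure path after the verdict, before any later write."""
        if self.store.failed_attempts >= self.MAX_ATTEMPTS:
            return "locked"
        if self.commit_before_check:
            self.store.failed_attempts += 1     # count the attempt first, then judge it
        ok = hmac.compare_digest(self.expected, self._derive(guess))
        if ok:
            self.store.failed_attempts = 0
            return "unlocked"
        if cut_power:
            raise PowerCut()                     # failure path interrupted here
        if not self.commit_before_check:
            self.store.failed_attempts += 1     # judge first, count afterwards: never reached
        return "wrong"


def brute_force(element: SecureElement, candidates: List[str], cut_power: bool = True) -> Optional[str]:
    """Try each candidate; after a power cut the element has simply reset, so move on."""
    for guess in candidates:
        try:
            verdict = element.try_passcode(guess, cut_power)
        except PowerCut:
            continue
        if verdict == "unlocked":
            return guess
        if verdict == "locked":
            return None
    return None


def run_demo(commit_before_check: bool, cut_power: bool = True) -> Tuple[Optional[str], int]:
    """Returns (recovered passcode or None, failed-attempt count left in NV storage)."""
    store = NVStore()
    element = SecureElement("0042", store, commit_before_check)   # constructed passcode
    candidates = [f"{i:04d}" for i in range(100)]                 # constructed slice of the 4-digit space
    return brute_force(element, candidates, cut_power), store.failed_attempts


if __name__ == "__main__":
    print("count after check, power cut each try :", run_demo(False))   # ('0042', 0)
    print("count before check, power cut each try:", run_demo(True))    # (None, 10)
```

With the counter written after the comparison, every wrong guess is followed by a power cut and the counter stays at zero, so the 43rd candidate unlocks the element. With the counter written first, the same attack runs out of attempts after ten guesses. The model deliberately says nothing about how a reset would be induced on real hardware; it only shows why the write ordering is the thing to get right.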
    13. Re:Cludge fix? by UnknowingFool · · Score: 5, Informative

      I'm not sure this change will affect GrayKey and Cellebrite anyway. My understanding is that they attack the phone's bootloader.

      How do GrayKey and Cellebrite get access to the boot loader? Cellebrite currently sells a small device that plugs into the phone.

      Eventually, law enforcement came to rely on Cellebrite's Universal Forensics Extraction Device, the UFED. It's a small, hand-held device that's easy to use. Police can simply plug in a phone and download the device's memory to a flash drive in a matter of seconds. That's how police can find your deleted text messages.

      GrayKey is a box that plugs into the Lightning port.

      The product itself is a gray box four inches deep by two inches tall, with two lightning cables sticking out of the front. Up to two phones can be plugged into the device at a time and are connected for about two minutes.

      If the iPhone refuses to communicate via cable then neither device can probably work unless the companies find a flaw they can exploit.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    14. Re:Cludge fix? by rickb928 · · Score: 2

      To what, search warrants?

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    15. Re:Cludge fix? by AmiMoJo · · Score: 3, Interesting

      Reminds me of the attack that finally recovered the hidden Gameboy boot ROM. Up until that point it had to be replaced by an open source one in emulators. The ROM was inside the CPU, and the final instruction in it disabled the ability to read said ROM until the next reset.

      Someone realized they could simply count the number of clock cycles needed to exit the ROM after reset, then sent that number -1 and glitched the clock line. The glitch caused the ROM-read-disable instruction to be skipped and the ROM could be dumped with a custom cart.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    16. Re:Cludge fix? by msauve · · Score: 3, Interesting

      "I'm not sure this change will affect GrayKey and Cellebrite anyway."

      I'd assume that Apple has gotten their hands on one, knows how it works, and has used it to develop and test their new feature.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    17. Re:Cludge fix? by UnknowingFool · · Score: 2

      The bootloader can be accessed via the lightning port. That's how iTunes can recover an unbootable phone by doing a "factory reset". In that case iTunes instructs the bootloader to secure erase the flash memory and writes a new OS image to it.

      That would probably destroy any ability to recover the data on the phone as the per file encryption keys would be lost forever. This feature isn't to make a phone immune to theft; it's to make the data on the phone more secure from hacking.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    18. Re:Cludge fix? by UnknowingFool · · Score: 4, Interesting

      Let's say that Apple can do this. The problem is that Apple is then limited to plugging every single flaw one at time. With this feature they can mitigate a whole class of exploits.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    19. Re:Cludge fix? by CaptainDork · · Score: 2

      ... when you forget your password ...

      You've also forgotten how to use the goddam phone.

      If you forgot your passcode, or if a message says that your device is disabled, follow these steps to remove your passcode.

      --
      It little behooves the best of us to comment on the rest of us.
  2. Hyperbole much? by Jason1729 · · Score: 4, Informative

    "Apple Is Testing a Feature That Could Kill Police iPhone Unlockers. " Um, the feature you describe will prevent current unlockers from working on an iPhone with the feature enabled. But it's not going to kill the unlocker. That conjures up imagery of something that will detect the unlocker and fire high voltage into it or some such.

    I guess my 4-digit pin kills anyone who tries to casually snoop at my phone.

  3. It could be so much easier! by idji · · Score: 4, Interesting

    What if your left thumb unlocked your phone and your right thumb wiped the device invisibly? The criminal could never know, you have deniability, and the police will be too scared to tap your dead finger to the phone.
    Or what if left-right-left unlocked and left-right-right wiped?

    1. Re:It could be so much easier! by Anonymous Coward · · Score: 2, Insightful

      Fingerprints have a non-zero chance of being misidentified, and the user a huge chance of accidentally doing the wrong swipe command because they forgot or recently switched gestures.

      Bad idea, imho

    2. Re:It could be so much easier! by wbr1 · · Score: 2

      What you are promoting is a dead-man-switch. Technically easy to implement, but not done by any device manufacturer currently. Probably because they do not want the piles of support calls for accidental phone wipes.

      --
      Silence is a state of mime.
    3. Re:It could be so much easier! by Anonymous Coward · · Score: 2

      It's actually a good idea, just poorly implemented. Instead of wiping after a single swipe of the panic finger, it would require 3-4 swipes.

      Of course, to really work, you would need to allow the user to decide if the fingerprint sensor should only function as an unlock, or only function as a panic-wipe. Otherwise, you as a user would want to know if the "error reading fingerprint" message is the real deal or the phony "swipe X more times to initiate factory reset" message. But if you use an alternate message, the bad guys would know about alternate messages and would watch you try to unlock it and stop you if the alternate message displays. Also, since it would require multiple swipes before wiping, the bad guys could just demand that you use a different finger for each swipe. That could be somewhat alleviated by letting you specify 9 prints as wipe prints, with 3-4 successful scans of any of those 9 initiating a wipe. But there'd still be the possibility of the bad guys choosing the correct finger before enough successful panic-swipes.

      And to clarify, each time I said "bad guys" I was not referring to cops or other governmental enforcers. I was referring to whatever you the reader would consider actual bad guys. Yes this idea would of course also hinder legal law enforcement, but trying to argue in favor of security when the other side screams "think of the pedophile terrorists!" is a losing battle. So I frame it as protecting people against the pedophile terrorists rather than protecting people's rights against law enforcement over-reach.

    4. Re:It could be so much easier! by geekmux · · Score: 2

      What if your left thumb unlocked your phone and your right thumb wiped the device invisibly? The criminal could never know, you have deniability, and the police will be too scared to tap your dead finger to the phone. Or what if left-right-left unlocked and left-right-right wiped?

      Uh, do you really think it's going to be "so much easier" to explain to law enforcement why you erased your smartphone and not make it look like you were destroying evidence?

      Try and remember the "criminals" Apple is trying to defeat here. I can assure you the larger battle will be more legal than technical when it comes to end-users wiping their own devices.

    5. Re:It could be so much easier! by Uberbah · · Score: 2

      The cops see you talking on your phone. Then, they ask you to unlock it. You say "Sure!" and suddenly the phone wipes. Congratulations on your charge for obstruction of justice.

      If you open your big mouth, you're screwed anyway. On the other hand, if you casually lock the phone and switch it to your left hand to wipe with your other thumb for the erase and then say "I do not consent to any searches" and "I will only speak to my lawyer", the cops will have a much harder time proving anything.

    6. Re:It could be so much easier! by bobobobo · · Score: 2

      Tangentially related, but I believe you can tap the power button 5 times to bring up the emergency prompt. Doing that will lock the phone out of biometric logins adding another layer of security.

  4. Isn't Android doing this since years? by Zorpheus · · Score: 5, Insightful

    Sounds pretty much like it works in Android

    1. Re:Isn't Android doing this since years? by dargaud · · Score: 2

      It depends a bit on the version, but nowadays you have to unlock the phone AND select file transfer (each time), otherwise you can't copy shit.

      --
      Non-Linux Penguins ?
  5. Seems illegal. by in10se · · Score: 4, Funny

    It seems like killing police for unlocking an iPhone would get Apple in trouble.

    --
    Popisms.com - Connecting pop culture
  6. ..That Could Kill Police iPhone Unlockers by kiviQr · · Score: 2

    If they really wanted to kill unlockers they should have included capacitor based USB Killer.

  7. Re: Typical Apple by MachineShedFred · · Score: 2

    Which is why the article has a screenshot showing a switch to disable it?

    --
    Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
  8. Re:I don't understand why this wasn't already a th by UnknowingFool · · Score: 2

    It has to be implemented most likely at a very low level in the hardware or iOS or it might be circumvented somehow via software.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  9. Different Fingerprints: Different VMs by crow · · Score: 3, Interesting

    What I want is to have encrypted VMs on my phone, with different fingerprints unlocking different VMs. Or perhaps different levels of unlocking. Unlocking the phone doesn't have to be a binary operation.

    Something like this would also be great for handing my phone to my son so that he can play games, while locking him out of my email and such.

    1. Re:Different Fingerprints: Different VMs by dargaud · · Score: 2

      I don't know about iPhones, but on Android you can have different users with different unlocking methods (one can be password, the other fingerprint, the other a drawing, etc), each with its own account. I'm not sure how it merges with an encrypted phone, but, yes, you can basically do that... if you don't have an iPhone (as usual).

      --
      Non-Linux Penguins ?
  10. Re:Won't stop imaging. by Whorhay · · Score: 2

    Doing all that will require a lot more time and expertise than an officer simply plugging in a usb cable. By raising the amount of effort required to break the security the authorities are forced to prioritize which phones they can crack. Overall this should result in fewer people having their phones compromised.