Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Releases iOS 11.4.1, Blocks Passcode Cracking Tools Used By Police (theverge.com)

Posted by BeauHD on from the cease-and-desist dept.

An anonymous reader quotes a report from The Verge: Apple today released iOS 11.4.1, and while most of us are already looking ahead to all the new stuff coming in iOS 12, this small update contains an important new security feature: USB Restricted Mode. Apple has added protections against the USB devices being used by law enforcement and private companies that connect over Lightning to crack an iPhone's passcode and evade Apple's usual encryption safeguards.

If you go to Settings and check under Face ID (or Touch ID) & Passcode, you'll see a new toggle for USB Accessories. By default, the switch is off. This means that once your iPhone or iPad has been locked for over an hour straight, iOS will no longer allow USB accessories to connect to the device -- shutting out cracking tools like GrayKey as a result. If you've got accessories that you want to continue working after your iPhone has been sitting locked for awhile, you can toggle the option on to remove the hour limit. Apple's wording is a bit confusing. You should leave the toggle disabled if you want your iPhone to be most secure.

11 of 129 comments (clear)

  1. Thanks by saloomy · · Score: 5, Insightful

    I feel better now that if anyone wants to access my phone, they need to ask me first. If only the carriers would stand up for us the same way.

    1. Re:Thanks by saloomy · · Score: 5, Insightful

      Note: I realize there are probably other vulnerabilities out there, and this will probably be a never-ending game of chess between law enforcement / authoritarian governments, and big tech. It is just great to see them pushing back against George Orwell's 1984.

    2. Re:Thanks by dgatwood · · Score: 5, Insightful

      It already exists. It's called "crack open the phone immediately". I'd be a lot more impressed with this technology if the user could configure the time all the way down to zero. There's no valid reason to allow new external devices to be probed while the phone is locked—not even one second after the phone is locked. The user can't do anything with those external devices without unlocking the device anyway.

      This is, of course, as opposed to communicating with existing, known devices while the device is locked, which could be used by things like docks. Basically, it should stop probing for new devices immediately, and lock the port when the last device disappears, or immediately if there's nothing plugged into the port.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. Re: Except: China by saloomy · · Score: 5, Informative

    Apple agreed to store Chinese data in China. This allows China to subpoena Apple for the data of its citizens.

    But, Apple has a modus operandi to process as much data on the phone as possible, and encrypt with user-held decryption keys what it stores on its servers. They didn't generate and give China a special master key or the like. Whatever you can say about them, within the confines of the various bodies of law they operate it, they seem to push for the most privacy-focused solution to privacy challenges.

  3. Serious question: by CaptainDork · · Score: 4, Interesting

    Why is this story always about iPhone?

    Are Android and other mobile OS not an encryption concern for LEO?

    Thanks.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:Serious question: by GrandCow · · Score: 5, Interesting

      Correct, Android phones are (basically) an open book. There is some encryption but nothing near the level of protection of an iPhone. Yes, your friend isn't going to pick up your phone off the table and get past your passcode, but if someone with resources wants in to an Android phone, they're getting in fairly easily.

      --
      "Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
  4. Re:Warrant by dgatwood · · Score: 4, Insightful

    So you have an hour to get the phone to the lab and have the warrant in hand before cracking it.

    Nope. You have an hour for the cop to take the logger device out of his or her pocket, crack the phone, and extract the data into a storage device, under an "exigent circumstances" exception. In the best-case scenario, they then must obtain a warrant to extract the data from the storage device and rifle through it. Either way, you can safely assume that time-limited access means that warrant requirements will get weakened to accommodate that time limit. The only limit that won't inevitably lead to the rapid erosion of our fourth amendment rights is a zero-length limit.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  5. Excellent by gweihir · · Score: 4, Interesting

    Law enforcement of all colors has amply demonstrated that they do not understand device security and why it is important. Hence this is good news.

    Incidentally, if you let the police decide what freedoms and protection against the state people have, you end up with a police-state. These people have entirely the wrong mindset. When you remember that the primary purpose of the police is protecting the rich and powerful and fighting (slave) upraisings, this becomes much more obvious. All that "to serve and protect" crap is basically propaganda.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  6. Re:You're being played! by gweihir · · Score: 4, Insightful

    The NSA has no interest in criminals...

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  7. Re:Crime by design? by Arkham · · Score: 4, Insightful

    Now. I really gotta wonder about this one though. They are actively trying to put a stop to law enforcement gaining access to devices they have confiscated? Who does this? Why would someone do this? It's one thing to make a product very secure and shrug when LE finds a way around it to get evidence, but it's an entirely another thing when one sees what LEO is doing to break into devices and FIXING IT!

    The problem with this logic is assuming that US law enforcement are the only ones trying to break into locked phones. Apple sells more phones around the world than they do in the US. It could be oppressive nation-states looking to punish citizens who oppose them, or criminals looking to steal peoples' identity, money, etc.

    --
    - Vincit qui patitur.
  8. Re:its not about security by andymadigan · · Score: 4, Informative

    Settings > Face ID & Passcode > Erase Data [toggle]

    Description: "Erase all data on this iPhone after 10 failed passcode attempts"

    WTF are you talking about? My iPad had this setting disabled, and somehow got into a state where it wouldn't accept the passcode while charging over lightning (thus resulting in many 'failed passcode attempts'). It eventually locked me out for an hour after multiple failed attempts, but it never erased the device. The lock-out is temporary, no data was lost.

    Oh, and backup isn't a paid service. My iPhone and iPad are both backed up to iCloud, and (combined) they're using less than 1GB of the free 5GB plan. If you really want a full backup of the phone (including the binaries of the apps), then you have to backup to a computer using iTunes, also free.

    I do wish iOS had the capability to backup directly to a NAS (with encryption) like Time Machine, but I doubt Android has that capability either.

    --
    The right to protest the State is more sacred than the State.