Apple told Reuters on Wednesday that the company will change how the Lighting port on the iPhone operates to protect users against hacking devices sold to governments. A forthcoming update to iOS will enable "USB Restricted Mode," which will limit the device to only charge via USB if it has not been unlocked in the last hour. After one hour, the USB port cannot be used to communicate with a computer. This greatly reduces the window of opportunity for law enforcement or anyone else in possession of hacking devices to unlock a given device.
Reuters indicated that Apple began work on this protection before learning that this avenue of attack was used commonly among law enforcement. Apple representatives told Reuters "We're constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data." Adding that: "We have the greatest respect for law enforcement, and we don't design our security improvements to frustrate their efforts to do their jobs."
Companies such as Cellebrite, which was alleged to have unlocked the phone of the San Bernardino shooter, as well as GrayShift, rely on vulnerabilities likely unknown by Apple to crack the passcode used to secure iPhones and iPads.
In the case of Grayshift, a MalwareBytes report from March detailed how their GrayKey unlocker works. Phones connected to the GreyKey are infected with a loader after approximately two minutes. This loader implant continues working after the device is disconnected, attempting to find the passcode of the device in question. According to Grayshift documentation obtained by MalwareBytes, this process "can take up to three days or longer for six-digit passcodes," while "the time needed for longer passphrases is not mentioned."
SEE: Information security policy (Tech Pro Research)
Similarly, MalwareBytes noted that the GrayKey has two versions, one of which is geofenced to the network it is set up on, and a second, more expensive version, which requires a token for two-factor authentication. While this is an attempt at protection, previous iPhone hacking devices, such as "IP-Box," have been used for illegitimate means, and MalwareBytes considers it "highly likely that these devices will ultimately end up in the hands of agents of an oppressive regime, whether directly from Grayshift or indirectly through the black market."
Since that report, hackers claiming to have obtained the source code of a GrayKey device demanded a ransom from the company. Grayshift insisted to Motherboard that only the user interface was exposed to the internet, and that this has been resolved, though Motherboard found an additional unsecured device publicly accessible to the web via Shodan.
Companies that sell packaged unlocking devices, as well as law enforcement in general, are known to often have poor security practices. In January 2017, 900GB of data from Cellebrite was dumped on the internet, including customer information, technical documents, support tickets, as well as usage logs. In 2015, 400 GB of data—including source code—was distributed online following a hack of the uncreatively-named Italian firm "Hacking Team" by a hacker identified as "Phineas Fisher". These exploits have since been used by hackers in phishing campaigns.
Despite these security breaches, law enforcement groups, including the FBI, continue to insist that tech companies should be required to provide a means of access to law enforcement in order to unlock devices—in effect, a backdoor.
Last month, the Washington Post reported that "the FBI has repeatedly provided grossly inflated statistics to Congress and the public about the extent of problems posed by encrypted cellphones," indicating that the number of phones that the bureau could not unlock were "probably between 1,000 and 2,000," while the claimed number was "nearly 7,800."
The big takeaways for tech leaders:
- A forthcoming update to iOS will enable "USB Restricted Mode" which will limit the device to only charge via USB if it has not been unlocked in the last hour.
- This limits the efficacy of commercialized unlocking kits sold to law enforcement such as Cellebrite and GrayKey.
- iOS 11 tips and tricks for business professionals (free PDF) (TechRepublic)
- Lazarus Group used ActiveX zero-day vulnerability to attack South Korean security think tank (ZDNet)
- Apple iOS 12: Cheat sheet (TechRepublic)
- For $15,000, GrayKey promises to crack iPhone passcodes for police (ZDNet)
- Biometrics and the law: Police try to unlock phone with dead man's fingerprint (TechRepublic)
- Apple to close iPhone security hole used by police, criminals (CNET)
James Sanders is a Tokyo-based programmer and technology journalist. Since 2013, he has been a regular contributor to TechRepublic and Tech Pro Research.