Apple Releases iOS 11.4.1, Blocks Passcode Cracking Tools Used By Police (theverge.com) 129
An anonymous reader quotes a report from The Verge: Apple today released iOS 11.4.1, and while most of us are already looking ahead to all the new stuff coming in iOS 12, this small update contains an important new security feature: USB Restricted Mode. Apple has added protections against the USB devices being used by law enforcement and private companies that connect over Lightning to crack an iPhone's passcode and evade Apple's usual encryption safeguards.
If you go to Settings and check under Face ID (or Touch ID) & Passcode, you'll see a new toggle for USB Accessories. By default, the switch is off. This means that once your iPhone or iPad has been locked for over an hour straight, iOS will no longer allow USB accessories to connect to the device -- shutting out cracking tools like GrayKey as a result. If you've got accessories that you want to continue working after your iPhone has been sitting locked for awhile, you can toggle the option on to remove the hour limit. Apple's wording is a bit confusing. You should leave the toggle disabled if you want your iPhone to be most secure.
If you go to Settings and check under Face ID (or Touch ID) & Passcode, you'll see a new toggle for USB Accessories. By default, the switch is off. This means that once your iPhone or iPad has been locked for over an hour straight, iOS will no longer allow USB accessories to connect to the device -- shutting out cracking tools like GrayKey as a result. If you've got accessories that you want to continue working after your iPhone has been sitting locked for awhile, you can toggle the option on to remove the hour limit. Apple's wording is a bit confusing. You should leave the toggle disabled if you want your iPhone to be most secure.
Thanks (Score:5, Insightful)
I feel better now that if anyone wants to access my phone, they need to ask me first. If only the carriers would stand up for us the same way.
Re:Thanks (Score:5, Insightful)
Note: I realize there are probably other vulnerabilities out there, and this will probably be a never-ending game of chess between law enforcement / authoritarian governments, and big tech. It is just great to see them pushing back against George Orwell's 1984.
Re: (Score:3)
Re: Thanks (Score:1)
With Android, you don't have to use a "Grey Key", any old app from the Google Play Store will do.
Microsoft... man I'm not going to even touch that one. Last time the "patched" a bug, they broke L2TP VPNs
Re: (Score:2, Informative)
First, Apple's hardware consistently outperforms the competition. Do you actually research? iPhones have the fastest bench marks in the industry. That really isn't disputed, by anyone.
Second, they are a corporation, of course they are profit driven. You think Google and Samsung hawk phones for the goodness of their souls or some religious calling? Please. Take a fucking chill pill and calm the fuck down.
Re: Thanks (Score:1)
Google thinks customers first and worried about money later. And no, their hardware IS crap. AND THEY DO NOT OUTPERFORM.
Iâ(TM)ve done more research than you will ever. If you want a decent laptop without a piece of shit unless touch bar ur stuck with a 4 year old chipset. Take a look macroumwrs buying guides for their computers and see which ones are on âdonâ(TM)t buyâ(TM). What the fu k is with the air, and the Mac mini. The iMac pro is an overpriced piece of shit that Mac frantics are
Re: (Score:2)
Also he is posting from iOS.....
Nice!
Re: (Score:2)
Google thinks customers first and worried about money later. And no, their hardware IS crap. AND THEY DO NOT OUTPERFORM.
Iâ(TM)ve done more research than you will ever. If you want a decent laptop without a piece of shit unless touch bar ur stuck with a 4 year old chipset. Take a look macroumwrs buying guides for their computers and see which ones are on âdonâ(TM)t buyâ(TM). What the fu k is with the air, and the Mac mini. The iMac pro is an overpriced piece of shit that Mac frantics are racing overs. Where can you find a VR supported Mac. They just suck. Behind the times, or stuck at the times of thinking they can wow their base by crappy gimmicks, and shaving off a few mm from their laptop while killing the battery. They are just dumb.
They do not outperform shit. Ever since Steve jobs was gone, the fucking company went downhill. I hate them. They suck.
You truly need to seek help. You are not even a little bit rational.
Re: (Score:2)
I will agree with him on the laptop/desktop front.. However I've never liked apple, since the 90's when I was forced to use their garbage computers at school. Seems like the computers that actually needed to do real world work like the ones in my drafting classes, were PC's. Either way, there is no denying that iPhones are the best product apple has ever made, and the only phone I will consider using. However, jailbreaking is a must, which adds a bunch of work to keep secure. Android.. well they have been g
Re: (Score:2)
Seems like the computers that actually needed to do real world work like the ones in my drafting classes, were PC's.
You didn't reference whether you were talking about Apple //s or Macintoshes, both of which were in use in Education in the 1990s (the Apple // was sold until 1992, and there were STILL outcries from the Education market when they were discontinued). But I will assume you are talking about Macs.
Real work?
Matlab: First on Macs
Excel: First on Macs
GUI Microsoft Word: First on Macs
PowerPoint: First on Macs
Access: First on Macs (as Microsoft File)
Visual BASIC: First on Macs (as Microsoft BASIC for Macintosh)
Phot
Re: Thanks (Score:2)
Here. [wikipedia.org] Now you know.
Re: (Score:1)
Found El Trumpo, Donald the Worst.
Yea, we know you use an iphone because of the broken '.
Re: (Score:1)
Simmer down, Mr. President, have your burger and diet coke, and take a deep breath.. You think Apple is into Big Brotherish behavior? Oh man wait till you get anything Android, where data-siphoning apps are so much more available.
But whatever. Sounds to me like you've made up your mind. Do what you want, 'tis a free country... for now.
And you do know that since it is your employer's phone they can plant whatever they wish on it, yes? Oh, you didn't? Poor little fool. Their kit, their rules, love it
Re: (Score:1)
What do you mean? Yeah, so Now I feel safer knowing that law enforcement donâ(TM)t have tools they need to do their job. Wtf,
Apple is a piece of crap. I hate them and everything they stand for, including their money first customer second model. I mean who the fuck sells obsolete hardware at twice the price of newer hardware. Fuck them. This is all a money thing for them.
Ahem.
First, they don't sell obsolete hardware in the laptop/desktop arena. Mac mini and the current Mac Pro notwithstanding.
Second, I don't know what delusional, Blind Apple Hating world you live in; but out here in FACT-land, mist people agree that Apple's mobile device performance is generally at LEAST a full generation ahead of the competition.
So, kindly .FOAD, COWARD.
Re:Thanks (Score:5, Insightful)
It already exists. It's called "crack open the phone immediately". I'd be a lot more impressed with this technology if the user could configure the time all the way down to zero. There's no valid reason to allow new external devices to be probed while the phone is locked—not even one second after the phone is locked. The user can't do anything with those external devices without unlocking the device anyway.
This is, of course, as opposed to communicating with existing, known devices while the device is locked, which could be used by things like docks. Basically, it should stop probing for new devices immediately, and lock the port when the last device disappears, or immediately if there's nothing plugged into the port.
Warrant (Score:2)
Re:Warrant (Score:5, Insightful)
Nope. You have an hour for the cop to take the logger device out of his or her pocket, crack the phone, and extract the data into a storage device, under an "exigent circumstances" exception. In the best-case scenario, they then must obtain a warrant to extract the data from the storage device and rifle through it. Either way, you can safely assume that time-limited access means that warrant requirements will get weakened to accommodate that time limit. The only limit that won't inevitably lead to the rapid erosion of our fourth amendment rights is a zero-length limit.
How much do you think logger devices cost??? (Score:2)
Nope. You have an hour for the cop to take the logger device out of his or her pocket
I assure you there is NO WAY some magic iPhone cracker device (which remember still has to break through passcode security) is inexpensive enough there is going to be more than one per city, and probably only major cities at that. If there is a cop close at hand with one it would probably mean they had spent months gathering evidence on an extremely guilty person.
Re: (Score:3)
At $16k, they're barely half the cost of a police car. And I'd imagine they'll get cheaper in quantities.
Re: (Score:2)
On the contrary. If most users are using something that limits the time window, it will be "necessary" to have more of these.
Need to be quicker than the SOS trigger too (Score:2)
Re: Thanks (Score:1)
2-button squeeze and the phone is immediately secured, no hour wait
FTFY
Re: (Score:2)
It already exists. It's called "crack open the phone immediately". I'd be a lot more impressed with this technology if the user could configure the time all the way down to zero. There's no valid reason to allow new external devices to be probed while the phone is locked—not even one second after the phone is locked. The user can't do anything with those external devices without unlocking the device anyway.
This is, of course, as opposed to communicating with existing, known devices while the device is locked, which could be used by things like docks. Basically, it should stop probing for new devices immediately, and lock the port when the last device disappears, or immediately if there's nothing plugged into the port.
While I agree, I am sure the one-hour timeout was set to balance security against convenience.
Having said that, the only reason I can think of to make the timeout non-adjustable is that makes it somewhat less vulnerable to hacking.
Re: (Score:2)
I don't see why they didn't make the time-out zero. On Android it's zero, every time you plug a USB cable in you have to unlock and enable the data connection if you need it.
What were Apple thinking?
Re: (Score:2)
To perhaps allow convenience for car owners who connect their phones to their cars via USB? Most of the time that's the most common use case so they'd connect their phones and drive away listening to tunes either directly over USB, via CarPlay or other option.
It's one of those "balance" things - you have to allo
Re: (Score:2)
Except: China (Score:2)
Except, Apple has done enough of some sort of *mumble*mumble* that China lets them sell their gadgets in China.
Do you really think if it's important, US agents don't bring it back with them from China to use here?
Re: Except: China (Score:5, Informative)
Apple agreed to store Chinese data in China. This allows China to subpoena Apple for the data of its citizens.
But, Apple has a modus operandi to process as much data on the phone as possible, and encrypt with user-held decryption keys what it stores on its servers. They didn't generate and give China a special master key or the like. Whatever you can say about them, within the confines of the various bodies of law they operate it, they seem to push for the most privacy-focused solution to privacy challenges.
Re:You're being played! (Score:5, Insightful)
The NSA has no interest in criminals...
Re: (Score:1)
Nobody EVER backs up their phone to the cloud.
Serious question: (Score:5, Interesting)
Why is this story always about iPhone?
Are Android and other mobile OS not an encryption concern for LEO?
Thanks.
Re:Serious question: (Score:5, Interesting)
Re: (Score:1, Troll)
Re: (Score:2, Informative)
Currently all Android devices let you boot the device into a boot loader configuration where it doesn't load an operating system, all using nothing more than the buttons on the front and sides of the device.
Then basic debugging features can be enabled and through the USB port one can block copy the entire internal flash device.
The exact procedure can be different depending on the model and manufacturer of the hardware.
For my Nexus you just boot it up holding down power and volume-down buttons.
Apple has neve
Re:Serious question: (Score:4, Insightful)
The flash device is encrypted using a random-generated (strong) key that's stored on the phone but not on the flash device; the key itself is not derived from the PIN; instead, the key can be accessed only using the PIN . The secure subsystem will not allow brute-forcing the PIN, deleting the decryption key after too many attempts. So downloading the flash device will give you a lot of random numbers, at most telling you how much of the flash storage was in use. (Are you sure that you don't need to unlock the bootloader first? Unlockimg it will also result in a factory reset and erasing of the decryption key).
It's possible that some manufacturers don't have the secure subsystem (some Samsung devices on Android 4 required a long alphanumeric screen unlock code if device encryption was on, wtf?) but I would be surprised if this is the case for Nexus 5 and later.
Maybe Swillden, our local Android security expert, will chime in.
Re: (Score:1)
Yeah, this isn't enough. Android copies passwords in clear text through java, has no hardware root of trust -- because it cannot due to the whole "we want to sell as much of this shit information gathering OS to as many hardware vendors as possible" business model -- and a host of other issues. Android is far superior in terms of user choice, but it is shit in avoiding tracking you and anything to do with security. Likewise, Apple is complete trash in terms of cost, user choice, and basically everything els
Re: (Score:2)
Thank you for the answer. I truly did not know. I've only owned an iPhone because work has paid for it.
Re: (Score:2)
Nope, Android devices are more secure than the iPhone.
Take the Pixel 2. Flash memory is encrypted with a key, same as the iPhone. Key is stored in a secure element, same as the iPhone. Arbitrarily long passwords supported, same as the iPhone.
But where Android is better is that you need to unlock the phone and enable USB data every single time you want to use it. There is no time-out, the moment you unplug the USB cable it's locked to charge only/host mode again.
Some manufacturers go even further, e.g. Samsu
Re: (Score:2)
Re:Serious question: (Score:4, Informative)
Why in simple hell is a question modded down?
I don't have an agenda. I just want to know why iPhones are the story and no other phones are, apparently, a concern.
And I ended it politely.
Re:Serious question: (Score:4, Informative)
Why in simple hell is a question modded down?
I don't have an agenda. I just want to know why iPhones are the story and no other phones are, apparently, a concern.
And I ended it politely.
Because many, many Android phones have unpatched vulnerabilities.
https://www.cnet.com/news/repo... [cnet.com]
https://techtoday.io/71-of-and... [techtoday.io]
There are lots of articles. The number varies between 50% and 90% of phones. Even if the manufacturer by some miracle decides to update the phone, the carrier probably won't. Only a few phones (mostly Google devices) get updates direct from Google, and carriers don't generally push those because they get incentives from HTC, Samsung etc to sell the other phones instead.
Re: (Score:1)
Only a few phones (mostly Google devices) get updates direct from Google
Untrue. All Android devices get updates direct from Google, it's a mandatory part of using the Android operating system (you must install Play Sevices that delivers the patches).
Also, if 90% of Android phones are vulnerable, why don't we see vast botnets consisting of a billion phones? Surely they would be an extremely attractive target for hackers, for botnets, for crypto mining and for stealing personal information. Yet somehow it doesn't happen... Perhaps because Android isn't so badly designed that an u
Re: (Score:2)
Huh, hard to tell what triggered the poor mod in that one. Android isn't security flaw ridden is somehow offensive to them??
Re: (Score:2)
Thank you.
I was puzzled that two companies are making a buck selling exploits for iPhone but there's no equivalent cottage industry for Android and Windows.
I appreciate your answer.
Re: (Score:2)
Mainly because Apple is way behind on this (Android locks USB data transfer the moment you unplug the cable, no one hour time-out or any of that nonsense) and we don't see unlock devices being sold for Android phones that claim to be secure.
For example, where are the unlock devices for the Pixel 2 or Galaxy S8 with Knox enabled?
Re: (Score:2)
Are Android and other mobile OS not an encryption concern for LEO?
They don't have any Android phones in Low Earth Orbit; couple of iPhones on the ISS, I hear...
Can one turn on the lock immediately? (Score:4, Interesting)
Very probably (Score:4, Informative)
Is there a way to bypass the one-hour wait feature and tell the phone to immediately disable the USB
There is already the button press combo to force a passcode be required to unlock vs. a fingerprint or FaceID, I imagine that would also trigger the USB lock.
Re: (Score:3)
Buy a Samsung phone? Samsung Android phones always require unlocking before a USB connection will work. I don't know why it's suddenly a big deal when Apple does this.
Excellent (Score:5, Interesting)
Law enforcement of all colors has amply demonstrated that they do not understand device security and why it is important. Hence this is good news.
Incidentally, if you let the police decide what freedoms and protection against the state people have, you end up with a police-state. These people have entirely the wrong mindset. When you remember that the primary purpose of the police is protecting the rich and powerful and fighting (slave) upraisings, this becomes much more obvious. All that "to serve and protect" crap is basically propaganda.
Re: (Score:2)
Hence this is good news.
I'm not so sure. If they cared about security they would make the time-out zero seconds, not one hour. What is the reason for that extremely long time-out?
Smells like someone put pressure on them to allow that one hour window of vulnerability. Maybe it's a compromise to avoid a fight with the government, allowing them to access phones they are really interested in why making the public think that Apple is protecting them.
Re: (Score:2)
This is probably a compromise with usability, as, if I understand this right, devices get kicked after this one hour. The GrayKey needs apparently 11h on average for a 6 digit PIN and much longer for a longer one. Id this time is typical for all such tools (and I would think the limiting factor is the phone, not the external attack box), then 1h of "vulnerable" time is not much of a vulnerability.
They should make this configurable down to zero though.
Re: (Score:1)
And not just dead like normal dead, dead as in shot dead by LE, for you know... shooting up the town basically.
Or shot himself, itself, herself... I can't keep all the mass shootings that have been happening in recent times all straight in my head anymore.
Re: (Score:1)
LE LE LE LE LE LE. Now that you got that LEO worship out of your system, let me tell you why you speak like a true slave. I don't care that the cops can't hack my phone. The 5th should extend to devices we carry our life in.
If the phone is hackable, it is hackable by anyone with the technology. Cops aren't the only ones who can do it, in fact they weren't the ones who figured it out, an Israeli company did who is now selling the device. So the cops are probably not the target for the fix either. The hack is
Re:Crime by design? (Score:5, Insightful)
Now. I really gotta wonder about this one though. They are actively trying to put a stop to law enforcement gaining access to devices they have confiscated? Who does this? Why would someone do this? It's one thing to make a product very secure and shrug when LE finds a way around it to get evidence, but it's an entirely another thing when one sees what LEO is doing to break into devices and FIXING IT!
The problem with this logic is assuming that US law enforcement are the only ones trying to break into locked phones. Apple sells more phones around the world than they do in the US. It could be oppressive nation-states looking to punish citizens who oppose them, or criminals looking to steal peoples' identity, money, etc.
Battery Drain? (Score:4, Interesting)
Re: (Score:2)
I want to know this too please.
Let's see them... (Score:4, Interesting)
Let's see them try to break into my voice/SMS-only 2G bar-phone with their fancy gear! Bahahah!
But seriously, this might mean that lawmakers will be more predisposed to drop the need for a search warrant in respect to searching someone's phone. It would be much easier to lobby that the need for a warrant could now significantly hamper investigations because of the short window of opportunity.
So don't look too smug, Apple may have shot you all in the foot.
Re:its not about security (Score:5, Informative)
Description: "Erase all data on this iPhone after 10 failed passcode attempts"
WTF are you talking about? My iPad had this setting disabled, and somehow got into a state where it wouldn't accept the passcode while charging over lightning (thus resulting in many 'failed passcode attempts'). It eventually locked me out for an hour after multiple failed attempts, but it never erased the device. The lock-out is temporary, no data was lost.
Oh, and backup isn't a paid service. My iPhone and iPad are both backed up to iCloud, and (combined) they're using less than 1GB of the free 5GB plan. If you really want a full backup of the phone (including the binaries of the apps), then you have to backup to a computer using iTunes, also free.
I do wish iOS had the capability to backup directly to a NAS (with encryption) like Time Machine, but I doubt Android has that capability either.
How is this going to work? (Score:1)
Re:How is this going to work? (Score:4, Interesting)
I typically plug the charger into my iPhone at night for use the next day. This new feature would seem to indicate that the port will be disconnected after one hour. The question that comes to mind is how does one get a full charged iPhone. One would hope that the software is able to determine if an "external device" is plugged in or a charger.
It specifically allows charging even when the USB data path is disabled.
Re: (Score:1)