
Apple Releases iOS 11.4.1, Blocks Passcode Cracking Tools Used By Police (theverge.com) 129

An anonymous reader quotes a report from The Verge: Apple today released iOS 11.4.1, and while most of us are already looking ahead to all the new stuff coming in iOS 12, this small update contains an important new security feature: USB Restricted Mode. Apple has added protections against the USB devices being used by law enforcement and private companies that connect over Lightning to crack an iPhone's passcode and evade Apple's usual encryption safeguards.

If you go to Settings and check under Face ID (or Touch ID) & Passcode, you'll see a new toggle for USB Accessories. By default, the switch is off. This means that once your iPhone or iPad has been locked for over an hour straight, iOS will no longer allow USB accessories to connect to the device -- shutting out cracking tools like GrayKey as a result. If you've got accessories that you want to continue working after your iPhone has been sitting locked for a while, you can toggle the option on to remove the hour limit. Apple's wording is a bit confusing. You should leave the toggle disabled if you want your iPhone to be most secure.

  • Thanks (Score:5, Insightful)

    by saloomy ( 2817221 ) on Monday July 09, 2018 @06:21PM (#56920056)

    I feel better now that if anyone wants to access my phone, they need to ask me first. If only the carriers would stand up for us the same way.

    • Re:Thanks (Score:5, Insightful)

      by saloomy ( 2817221 ) on Monday July 09, 2018 @06:24PM (#56920072)

      Note: I realize there are probably other vulnerabilities out there, and this will probably be a never-ending game of chess between law enforcement / authoritarian governments, and big tech. It is just great to see them pushing back against George Orwell's 1984.

      • by msauve ( 701917 )
        Orwell's 1984? It's more like Gilliam's Brazil.
    • What about Android?
  • Except, Apple has done enough of some sort of *mumble*mumble* that China lets them sell their gadgets in China.

    Do you really think if it's important, US agents don't bring it back with them from China to use here?

    • Re: Except: China (Score:5, Informative)

      by saloomy ( 2817221 ) on Monday July 09, 2018 @06:46PM (#56920192)

      Apple agreed to store Chinese data in China. This allows China to subpoena Apple for the data of its citizens.

      But, Apple has a modus operandi to process as much data on the phone as possible, and encrypt with user-held decryption keys what it stores on its servers. They didn't generate and give China a special master key or the like. Whatever you can say about them, within the confines of the various bodies of law they operate in, they seem to push for the most privacy-focused solution to privacy challenges.

  • Serious question: (Score:5, Interesting)

    by CaptainDork ( 3678879 ) on Monday July 09, 2018 @07:29PM (#56920384)

    Why is this story always about iPhone?

    Are Android and other mobile OS not an encryption concern for LEO?

    Thanks.

    • Re:Serious question: (Score:5, Interesting)

      by GrandCow ( 229565 ) on Monday July 09, 2018 @07:34PM (#56920394)
      Correct, Android phones are (basically) an open book. There is some encryption but nothing near the level of protection of an iPhone. Yes, your friend isn't going to pick up your phone off the table and get past your passcode, but if someone with resources wants in to an Android phone, they're getting in fairly easily.
      • Re: (Score:1, Troll)

        How? Let's skip the rhetoric.
        • Re: (Score:2, Informative)

          by Anonymous Coward

          Currently all Android devices let you boot the device into a boot loader configuration where it doesn't load an operating system, all using nothing more than the buttons on the front and sides of the device.
          Then basic debugging features can be enabled and through the USB port one can block copy the entire internal flash device.

          The exact procedure can be different depending on the model and manufacturer of the hardware.
          For my Nexus you just boot it up holding down power and volume-down buttons.

          Apple has neve

          • by hankwang ( 413283 ) on Monday July 09, 2018 @11:51PM (#56921218) Homepage

            The flash device is encrypted using a random-generated (strong) key that's stored on the phone but not on the flash device; the key itself is not derived from the PIN; instead, the key can be accessed only using the PIN. The secure subsystem will not allow brute-forcing the PIN, deleting the decryption key after too many attempts. So downloading the flash device will give you a lot of random numbers, at most telling you how much of the flash storage was in use. (Are you sure that you don't need to unlock the bootloader first? Unlocking it will also result in a factory reset and erasing of the decryption key).

            It's possible that some manufacturers don't have the secure subsystem (some Samsung devices on Android 4 required a long alphanumeric screen unlock code if device encryption was on, wtf?) but I would be surprised if this is the case for Nexus 5 and later.

            Maybe Swillden, our local Android security expert, will chime in.

            • by Anonymous Coward

              Yeah, this isn't enough. Android copies passwords in clear text through java, has no hardware root of trust -- because it cannot due to the whole "we want to sell as much of this shit information gathering OS to as many hardware vendors as possible" business model -- and a host of other issues. Android is far superior in terms of user choice, but it is shit in avoiding tracking you and anything to do with security. Likewise, Apple is complete trash in terms of cost, user choice, and basically everything els

      • Thank you for the answer. I truly did not know. I've only owned an iPhone because work has paid for it.

      • by AmiMoJo ( 196126 )

        Nope, Android devices are more secure than the iPhone.

        Take the Pixel 2. Flash memory is encrypted with a key, same as the iPhone. Key is stored in a secure element, same as the iPhone. Arbitrarily long passwords supported, same as the iPhone.

        But where Android is better is that you need to unlock the phone and enable USB data every single time you want to use it. There is no time-out, the moment you unplug the USB cable it's locked to charge only/host mode again.

        Some manufacturers go even further, e.g. Samsu

    • Re:Serious question: (Score:4, Informative)

      by CaptainDork ( 3678879 ) on Monday July 09, 2018 @09:29PM (#56920848)

      Why in simple hell is a question modded down?

      I don't have an agenda. I just want to know why iPhones are the story and no other phones are, apparently, a concern.

      And I ended it politely.

      • Re:Serious question: (Score:4, Informative)

        by Arkham ( 10779 ) on Monday July 09, 2018 @10:31PM (#56921014)

        Why in simple hell is a question modded down?

        I don't have an agenda. I just want to know why iPhones are the story and no other phones are, apparently, a concern.

        And I ended it politely.

        Because many, many Android phones have unpatched vulnerabilities.

        https://www.cnet.com/news/repo... [cnet.com]
        https://techtoday.io/71-of-and... [techtoday.io]

        There are lots of articles. The number varies between 50% and 90% of phones. Even if the manufacturer by some miracle decides to update the phone, the carrier probably won't. Only a few phones (mostly Google devices) get updates direct from Google, and carriers don't generally push those because they get incentives from HTC, Samsung etc to sell the other phones instead.

        • by AmiMoJo ( 196126 )

          Only a few phones (mostly Google devices) get updates direct from Google

          Untrue. All Android devices get updates direct from Google, it's a mandatory part of using the Android operating system (you must install Play Services that delivers the patches).

          Also, if 90% of Android phones are vulnerable, why don't we see vast botnets consisting of a billion phones? Surely they would be an extremely attractive target for hackers, for botnets, for crypto mining and for stealing personal information. Yet somehow it doesn't happen... Perhaps because Android isn't so badly designed that an u

          • by AmiMoJo ( 196126 )

            Huh, hard to tell what triggered the poor mod in that one. Android isn't security flaw ridden is somehow offensive to them??

        • Thank you.

          I was puzzled that two companies are making a buck selling exploits for iPhone but there's no equivalent cottage industry for Android and Windows.

          I appreciate your answer.

      • by AmiMoJo ( 196126 )

        Mainly because Apple is way behind on this (Android locks USB data transfer the moment you unplug the cable, no one hour time-out or any of that nonsense) and we don't see unlock devices being sold for Android phones that claim to be secure.

        For example, where are the unlock devices for the Pixel 2 or Galaxy S8 with Knox enabled?

    • Are Android and other mobile OS not an encryption concern for LEO?

      They don't have any Android phones in Low Earth Orbit; couple of iPhones on the ISS, I hear...

  • by BitterOak ( 537666 ) on Monday July 09, 2018 @07:44PM (#56920430)
    What if you will be out driving and don't want the police to have access to your phone, but don't want to wait one hour after using it before leaving the house? Is there a way to bypass the one-hour wait feature and tell the phone to immediately disable the USB when you next lock the phone? People should be able to activate maximum device security whenever they please.
    • Very probably (Score:4, Informative)

      by SuperKendall ( 25149 ) on Monday July 09, 2018 @08:58PM (#56920738)

      Is there a way to bypass the one-hour wait feature and tell the phone to immediately disable the USB

      There is already the button press combo to force a passcode be required to unlock vs. a fingerprint or FaceID, I imagine that would also trigger the USB lock.

    • by _merlin ( 160982 )

      Buy a Samsung phone? Samsung Android phones always require unlocking before a USB connection will work. I don't know why it's suddenly a big deal when Apple does this.

  • Excellent (Score:5, Interesting)

    by gweihir ( 88907 ) on Monday July 09, 2018 @08:18PM (#56920564)

    Law enforcement of all colors has amply demonstrated that they do not understand device security and why it is important. Hence this is good news.

    Incidentally, if you let the police decide what freedoms and protection against the state people have, you end up with a police-state. These people have entirely the wrong mindset. When you remember that the primary purpose of the police is protecting the rich and powerful and fighting (slave) uprisings, this becomes much more obvious. All that "to serve and protect" crap is basically propaganda.

    • by AmiMoJo ( 196126 )

      Hence this is good news.

      I'm not so sure. If they cared about security they would make the time-out zero seconds, not one hour. What is the reason for that extremely long time-out?

      Smells like someone put pressure on them to allow that one hour window of vulnerability. Maybe it's a compromise to avoid a fight with the government, allowing them to access phones they are really interested in while making the public think that Apple is protecting them.

      • by gweihir ( 88907 )

        This is probably a compromise with usability, as, if I understand this right, devices get kicked after this one hour. The GrayKey needs apparently 11h on average for a 6 digit PIN and much longer for a longer one. If this time is typical for all such tools (and I would think the limiting factor is the phone, not the external attack box), then 1h of "vulnerable" time is not much of a vulnerability.

        They should make this configurable down to zero though.

  • Battery Drain? (Score:4, Interesting)

    by Kozar_The_Malignant ( 738483 ) on Monday July 09, 2018 @08:56PM (#56920722)
    My concern about 11.4.1 is does it fix the horrible battery drain of 11.4? I'll update tonight, because I have nothing to lose.
  • Let's see them... (Score:4, Interesting)

    by NewtonsLaw ( 409638 ) on Monday July 09, 2018 @10:33PM (#56921022)

    Let's see them try to break into my voice/SMS-only 2G bar-phone with their fancy gear! Bahahah!

    But seriously, this might mean that lawmakers will be more predisposed to drop the need for a search warrant in respect to searching someone's phone. It would be much easier to lobby that the need for a warrant could now significantly hamper investigations because of the short window of opportunity.

    So don't look too smug, Apple may have shot you all in the foot.

  • I typically plug the charger into my iPhone at night for use the next day. This new feature would seem to indicate that the port will be disconnected after one hour. The question that comes to mind is how does one get a fully charged iPhone. One would hope that the software is able to determine if an "external device" is plugged in or a charger.
    • by TheFakeTimCook ( 4641057 ) on Tuesday July 10, 2018 @05:12AM (#56921884)

      I typically plug the charger into my iPhone at night for use the next day. This new feature would seem to indicate that the port will be disconnected after one hour. The question that comes to mind is how does one get a fully charged iPhone. One would hope that the software is able to determine if an "external device" is plugged in or a charger.

      It specifically allows charging even when the USB data path is disabled.
