Apple Will Seal Up Law Enforcement’s Favorite iPhone Cracking Method

[DooKey]

An upcoming version of iOS is going to stop law enforcement from using the USB port on iPhones to break into the phone. The feature is called USB Restricted Mode and if the phone is locked will limit access after one hour of inactivity. At this point the USB port will only allow charging. Apple says they just want to improve security for users and this has nothing to do with preventing the cops from doing their job.

That solution should thwart iPhone-cracking devices like those made by GrayShift and Cellebrite. Such devices, particularly GrayShift’s GrayKey, which promises to unlock even new iPhone models, use the USB port to access a locked iPhone in order to crack its password using more attempts than would normally be allowed.

 

[Stimpy88]

Nice to see personal security is being taken care of. The more, the better when it comes to personal data.

 

[Usual_suspect]

They know damn well it’s to prevent law enforcement... and I like it!

Seriously, authorities need to remember we have a right to privacy. Some of us like to exercise that right not because we did something wrong, but because we don’t want people knowing our business.

I have an iPhone X and with FaceID I make sure to keep the attention aware feature on.

 

[Comixbooks]

If the Cops have your phone it's probably wasn't because you were playing Pokemon Go.

 

[jaericho]

Everything is stored in the cloud, so LE will probably just go to Apple directly for the info. They don't need the phone itself.

 

[Zumino Zufeilon]

Turning off cloud storage/integration is easy on an iOS device (now, if you choose to, different story).

And "If you don't do anything wrong, you have nothing to fear" is the worst excuse/rational ever.

Privacy is privacy for a reason.

Happy to see this. My pin is 8 digits, good luck breaking that in an hour.

 

[the-one1]

Turning off cloud storage/integration is easy on an iOS device (now, if you choose to, different story).

And "If you don't do anything wrong, you have nothing to fear" is the worst excuse/rational ever.

Privacy is privacy for a reason.

Happy to see this. My pin is 8 digits, good luck breaking that in an hour.

Is it?: 12345678

or the numerical equivalent of?: password

 

[BSmith]

Rights to privacy? Sooooo,...it's okay for all these major corporations to gather and sell our personal data, but gawd forbid the police get their hands on it. Got to scratch my head on that one.

Wait,..so what is being said is you want the police to pay for the data, just like all the rest of the coporations do? Is that a fair summation?

Just trying to get a handle on why Apple, Microsoft, Google, and social site of your choice, and even VPN companies it is okay for them to take our data and do what they want with it, but if the police want access to that very same data,...then everyone gets up in arms. Just good old fashion double standards at play or pure simple hypocrisy?

Pretty sure you do not have a leg to stand on if you are screaming "my right to privacy is being violated" as it pertains to the police, while waving a smart phone in the air. The again, it makes for good memes.

 

[ThatsAgood1jay]

Rights to privacy? Sooooo,...it's okay for all these major corporations to gather and sell our personal data, but gawd forbid the police get their hands on it. Got to scratch my head on that one.

Wait,..so what is being said is you want the police to pay for the data, just like all the rest of the coporations do? Is that a fair summation?

Just trying to get a handle on why Apple, Microsoft, Google, and social site of your choice, and even VPN companies it is okay for them to take our data and do what they want with it, but if the police want access to that very same data,...then everyone gets up in arms. Just good old fashion double standards at play or pure simple hypocrisy?

Pretty sure you do not have a leg to stand on if you are screaming "my right to privacy is being violated" as it pertains to the police, while waving a smart phone in the air. The again, it makes for good memes.

Welcome to the Corporate Hellscape.

Also, at least in public, Apple has said they do not openly sell data to profit off of customers. They only 'share' with critical developers to enhance experience, whatever that means.

 

[mord]

Rights to privacy? Sooooo,...it's okay for all these major corporations to gather and sell our personal data, but gawd forbid the police get their hands on it. Got to scratch my head on that one.

Wait,..so what is being said is you want the police to pay for the data, just like all the rest of the coporations do? Is that a fair summation?

Just trying to get a handle on why Apple, Microsoft, Google, and social site of your choice, and even VPN companies it is okay for them to take our data and do what they want with it, but if the police want access to that very same data,...then everyone gets up in arms. Just good old fashion double standards at play or pure simple hypocrisy?

Pretty sure you do not have a leg to stand on if you are screaming "my right to privacy is being violated" as it pertains to the police, while waving a smart phone in the air. The again, it makes for good memes.

I get what you are saying. I'm kind if inbetween I guess. Best way to not get caught is dont do anything to get caught to start with. If you do, don't do it or talk about it on any device. There will be evidence somewhere.

That said, I am a somewhat private person. My use if social media is very linited. Mostly to what is required by my employer. That's not much. I dont put anything online.

I don't want hackers, script kiddies, breaking into my stuff. Can I stop that? No, but I can make it as difficult as I can and limit what they can get if they do break in.

Issue is, what you pointed out. There isn't much I can do about the data google, amazon, etc have on me. Much less what credit reporting agencys, banks, etc have.

I am all for any increase in security companies can put in.

May that limit cops from finding evidence on some crook? Yes. Do the requirements to get a warrant impede that also? Yes. So should we give cops the right to sieze and search everythi g at will? No. Ill give up some security for freedom. Its always a balance.

I don't think we live in a perfect country or have anywhere near perfect laws. I am thankful we have the freedom to discuss this openly, expressing all of our viewpoints.

 

[katanaD]

They only 'share' with critical developers to enhance experience, whatever that means.

it allows them to Enhance the Experience at their bank accounts...

 

[Retronym]

My pin is 8 digits, good luck breaking that in an hour.

filthy casual

 

[Verge]

Everything is stored in the cloud, so LE will probably just go to Apple directly for the info. They don't need the phone itself.

Yup, just requires a warrant

 

[Verge]

filthy casual

12345678

 

[Lakados]

Rights to privacy? Sooooo,...it's okay for all these major corporations to gather and sell our personal data, but gawd forbid the police get their hands on it. Got to scratch my head on that one.

Wait,..so what is being said is you want the police to pay for the data, just like all the rest of the coporations do? Is that a fair summation?

Just trying to get a handle on why Apple, Microsoft, Google, and social site of your choice, and even VPN companies it is okay for them to take our data and do what they want with it, but if the police want access to that very same data,...then everyone gets up in arms. Just good old fashion double standards at play or pure simple hypocrisy?

Pretty sure you do not have a leg to stand on if you are screaming "my right to privacy is being violated" as it pertains to the police, while waving a smart phone in the air. The again, it makes for good memes.

Apple is one of the few tech giants that doesn’t sell user data. They collect non identifiable usage and diagnostic data but they do not share or sell it with 3’rd parties.

 

[ScottSummers79]

Anything that forces law enforcement to follow the Constitution is good in my books. I have no problem with LE getting a hold on the data, I just want them to have to follow the law to get it, not bypass the law because they can. That makes them law-breakers (in a just world), and would then make them criminals, and personally I'd rather not think of LEOs as a bunch of criminals. The bad ones we see in the news already drive that assumption up enough.

 

[Patton187]

If the Cops have your phone it's probably wasn't because you were playing Pokemon Go.

This kind of thinking could do us in.

 

[Usual_suspect]

Difference is consent. We give those major corporations consent in order to use their product. Apple claims differently as they don’t want to profit off of their customers data, but what goes on behind closed doors is another story. Google and Microsoft on the other hand openly admit to this practice and we for the most part give the okay.

Rights to privacy? Sooooo,...it's okay for all these major corporations to gather and sell our personal data, but gawd forbid the police get their hands on it. Got to scratch my head on that one.

Wait,..so what is being said is you want the police to pay for the data, just like all the rest of the coporations do? Is that a fair summation?

Just trying to get a handle on why Apple, Microsoft, Google, and social site of your choice, and even VPN companies it is okay for them to take our data and do what they want with it, but if the police want access to that very same data,...then everyone gets up in arms. Just good old fashion double standards at play or pure simple hypocrisy?

Pretty sure you do not have a leg to stand on if you are screaming "my right to privacy is being violated" as it pertains to the police, while waving a smart phone in the air. The again, it makes for good memes.

 

[Uvaman2]

This kind of thinking IS doING us in.

FTFY

 

[twonunpackmule]

If the Cops have your phone it's probably wasn't because you were playing Pokemon Go.

You're right. You could simply be going for a walk, and someone in uniform mistakes you for someone else. Begins to harass you and demand you unlock your phone to confirm location.

 

[BSmith]

Difference is consent. We give those major corporations consent in order to use their product. Apple claims differently as they don’t want to profit off of their customers data, but what goes on behind closed doors is another story. Google and Microsoft on the other hand openly admit to this practice and we for the most part give the okay.

Tell me, exactly what data did we give consent to, for those corporations to benefit from? How can anyone yell about "rights to privacy" when the police want access to data, yet we grant access to everything in our lives to corporations?

If the police need something off my phone in order to aid in an investigation, I will be happy to give it to them. At least I will be able to get a clue as to what data they are looking for. Try that with any number of corporations.

 

[Jim Kim]

pertinent read https://www.wired.com/story/crypto-war-clear-encryption/

 

[That_Sound_Guy]

Everything is stored in the cloud, so LE will probably just go to Apple directly for the info. They don't need the phone itself.

If that were the case this hack wouldn't exist for LE. And the boston bombers phone wouldn't have been a big deal.

I have nothing stored in the cloud, all to cloud crap turned off. Apple may be saving identifiable info without me knowing and if so, shame on them. I set my password to wipe the phone after 10 tries and hope for the best if it's ever taken or stolen. No fingerprint or face recog. Course stolen and taken have the same meaning when it comes to law enforcement against you with your property.

 

[sfsuphysics]

Turning off cloud storage/integration is easy on an iOS device (now, if you choose to, different story).

And "If you don't do anything wrong, you have nothing to fear" is the worst excuse/rational ever.

Privacy is privacy for a reason.

Happy to see this. My pin is 8 digits, good luck breaking that in an hour.

Not saying you... my experience in seeing others phones you can probably reduce the guessing on that by seeing the quasi-permanent smudge marks on the numbers you press the most (i.e. your unlock code)

 

[sfsuphysics]

You're right. You could simply be going for a walk, and someone in uniform mistakes you for someone else. Begins to harass you and demand you unlock your phone to confirm location.

Then that is a issue in itself that needs to be dealt with. It's one thing for a cop to take your stuff and throw it into the Raptor iPhone Cracker/Downloader Tool™ that all cops would have as standard issue in the Dysopian future and it's another thing that you have the iPhone of the guy who committed mass murder all in the name of (insert reason here) and all his encrypted stuff was found at his place of residence.

 

[lcpiper]

This kind of thinking could do us in.

Because he is statistically correct?

I understand what you are trying to say, it's just that the comment you quoted doesn't actually support it.

 

[lcpiper]

You're right. You could simply be going for a walk, and someone in uniform mistakes you for someone else. Begins to harass you and demand you unlock your phone to confirm location.

Cop can demand all he wants to, all you have to do is say no.

No the cop has two choices, he can arrest you or not. Following this is the rest of the legal arrest process or, you going about your day. Same thing happens when a cop asks you if he can look in your trunk, you can say yes or no. If the cop doesn't need your permission he's just going to do it anyway and hopefully it's with good cause.

 

[TordanGow]

pertinent read https://www.wired.com/story/crypto-war-clear-encryption/

This article isn't interesting at all and is actually quite rubbish.

From the Article:

It works this way: The vendor—say it’s Apple in this case, but it could be Google or any other tech company—starts by generating a pair of complementary keys. One, called the vendor’s “public key,” is stored in every iPhone and iPad. The other vendor key is its “private key.” That one is stored with Apple, protected with the same maniacal care that Apple uses to protect the secret keys that certify its operating system updates. These safety measures typically involve a tamper-proof machine (known as an HSM or hardware security module) that lives in a vault in a specially protected building under biometric lock and smartcard key.

That public and private key pair can be used to encrypt and decrypt a secret PIN that each user’s device automatically generates upon activation. Think of it as an extra password to unlock the device. This secret PIN is stored on the device, and it’s protected by encrypting it with the vendor’s public key. Once this is done, no one can decode it and use the PIN to unlock the phone except the vendor, using that highly protected private key.

So, say the FBI needs the contents of an iPhone. First the Feds have to actually get the device and the proper court authorization to access the information it contains—Ozzie’s system does not allow the authorities to remotely snatch information. With the phone in its possession, they could then access, through the lock screen, the encrypted PIN and send it to Apple. Armed with that information, Apple would send highly trusted employees into the vault where they could use the private key to unlock the PIN. Apple could then send that no-longer-secret PIN back to the government, who can use it to unlock the device.
​

This doesn't sound all that secure to me. This gives vendors keys that unlock devices. Companies get b-slapped with warrants, bull-crap national security letters, etc. and have to comply. This proposed process is woefully broken and very apparently ripe for abuse. Also, "secret keys" aren't a novel idea.

The whole point of having end to end / "no knowledge of key" encryption is so that third parties are literally unable to provide a key. I think I'll stick with unsupervised e2e encryption and if the police want to take a look into my life they can go do some good old fashioned physical surveillance.

 

[lcpiper]

pertinent read https://www.wired.com/story/crypto-war-clear-encryption/

And as I argued previously, an engineered solution. Thank You.

I can't say that this is the best solution, I just refuse to believe that we can't find one that satisfies our needs and our rights.

 

[TordanGow]

And as I argued previously, an engineered solution. Thank You.

I can't say that this is the best solution, I just refuse to believe that we can't find one that satisfies our needs and our rights.

We already have the working solution. Unrestrained E2E encryption. We don't need a "clipper chip" V2.

 

[lcpiper]

This article isn't interesting at all and is actually quite rubbish..........

The whole point of having end to end / "no knowledge of key" encryption is so that third parties are literally unable to provide a key. I think I'll stick with unsupervised e2e encryption and if the police want to take a look into my life they can go do some good old fashioned physical surveillance.

I know this is what some people believe, that they want perfect security and privacy. And as this man said in his article, the government isn't going to allow it, and frankly, I don't think most people even want that even though you might, and you might even think represent a majority. We all know that security is a balancing act, that we have to balance our needs with our privacy and security.

As I have said in the past, this debate will only go one way. That this guy in Jim Kim's article recognizes this is true should have some of you reconsider. If industry doesn't provide a good solution the government is going to come up with their own. I work with the government and I know how well they do things, I'd rather have guys like this dude help work it out instead of hoping that the government will get lucky and get it right.

We need something better than what we have now.

 

[TordanGow]

..And as this man said in his article, the government isn't going to allow it....

It's not their choice if it's allowed or not. We have freedom of expression guaranteed by 1A using any language we choose.

I choose to express myself in AES 256.

 

[lcpiper]

We already have the working solution. Unrestrained E2E encryption. We don't need a "clipper chip" V2.

Wish in one hand, shit in the other, only one will get full.

Ignore what I am telling you if you like. Keep hoping against hope, head in the sand. It's not going to happen. If industry does not help the government come up with a valid working solution, the government will create one and force it on us. I know they don't want to do this but the longer Industry waits to help out, the more likely it will come to be.

And this article isn't "clipper chip V2", not even close.

 

[MacLeod]

You're right. You could simply be going for a walk, and someone in uniform mistakes you for someone else. Begins to harass you and demand you unlock your phone to confirm location.

And you can tell him to go fuck himself. Even if he thinks you're a mass murderer, cops can't force you to open anything up to be searched....only a judge can order that.

They know damn well it’s to prevent law enforcement... and I like it!

Seriously, authorities need to remember we have a right to privacy. Some of us like to exercise that right not because we did something wrong, but because we don’t want people knowing our business.

I have an iPhone X and with FaceID I make sure to keep the attention aware feature on.

Actually there is no "right to privacy". That's not in the constitution anywhere. You have a right to be free from unreasonable search and seizure....doesn't say anything about ALL searches. I'm all for privacy but I'm not too keen on having something like that, that is impenetrable. I like things that can be searched with proper due process and a warrant. Law enforcement has no interest in your midget porn collection. They do have an interest in what some domestic terrorist or would-be active shooter might have in theirs.

 

[lcpiper]

It's not their choice if it's allowed or not. We have freedom of expression guaranteed by 1A using any language we choose.

I choose to express myself in AES 256.

Sounds cute, but not even remotely true. The government can mandate that in order to protect the privacy rights of it's citizens, blah blah all companies will store customer data blah blah blah, and that the data must be able to be retrieved and presented to government agencies in unencrypted format blah blah, with a warrant or national security letter ... etc et al. And no where would your right to free speech be impacted in the slightest.

They wouldn't even have to try and say that you can't encrypt your data yourself however you wish just like you can now. Just that businesses have to meet these standards and practices.

Many States require that motorcyclists where a helmet. On Army installations they must wear a lot more protective clothing other than just a helmet, boots, gloves, reflective vest or jacket, etc, for the rider's own protection. So for your digital privacy protection they can require businesses to meet specific standards. They do it with aircraft, with vehicles, no reason at all that they can't do it with cell phones and if you think otherwise then you are dreaming.

 

[lcpiper]

And you can tell him to go fuck himself. Even if he thinks you're a mass murderer, cops can't force you to open anything up to be searched....only a judge can order that.......

Actually, after completely reading your post, I have to amend mine.

I think you and I are pretty close on this. I also find that your statements are correct. I am guilty of reading things into your statement that you didn't actually say, like an incorrect assumption. I'm going to leave what I said just to keep things from being confusing.


Original reply:
This isn't right either, if they see you commit a crime, exigent circumstances, there is no legal requirement for a warrant to search your person, your vehicle, or your possessions. When it comes to your phone, I think this one is still being fought over and truthfully I forget exactly where the courts are on it. If I remember correctly I think they last ruled that your phone is more sensitive and requires more protections. But saying they can't search you or any of your shit is just patently false unless you are saying this under the presumption that you didn't do anything to warrant these actions.

 

[TordanGow]

Sounds cute, but not even remotely true. The government can mandate that in order to protect the privacy rights of it's citizens, blah blah all companies will store customer data blah blah blah, and that the data must be able to be retrieved and presented to government agencies in unencrypted format blah blah, with a warrant or national security letter ... etc et al. And no where would your right to free speech be impacted in the slightest.

They wouldn't even have to try and say that you can't encrypt your data yourself however you wish just like you can now. Just that businesses have to meet these standards and practices.

Many States require that motorcyclists where a helmet. On Army installations they must wear a lot more protective clothing other than just a helmet, boots, gloves, reflective vest or jacket, etc, for the rider's own protection. So for your digital privacy protection they can require businesses to meet specific standards. They do it with aircraft, with vehicles, no reason at all that they can't do it with cell phones and if you think otherwise then you are dreaming.

I said I (as in me not they) speak in AES 256, not a company speaks in AEs 256. You honestly think I store anything of more importance than the current weather on a third party service if it's not encrypted before it goes over the wire?!? HAHA. I'm not doing anything wrong, just out of principle it's no one else's business so I intentionally obstruct. I go to great lengths. ie. DNS? encrypted and tunneled, ISP DNS spying can eat me. etc.

Also, 1A law protects my right to communicate in any language I choose, even if the police don't understand it. I do agree though that corporate/business requirements and protections are different from individuals. Even if they were just as strong I would still do so. Nobody cares as much about your own privacy as you do, so I don't leave it up to anyone else.

 

[lcpiper]

I said I (as in me not they) speak in AES 256, not a company speaks in AEs 256. You honestly think I store anything of more importance than the current weather on a third party service if it's not encrypted before it goes over the wire?!? HAHA. I'm not doing anything wrong, just out of principle it's no one else's business so I intentionally obstruct. I go to great lengths. ie. DNS? encrypted and tunneled, ISP DNS spying can eat me. etc.

Also, 1A law protects my right to communicate in any language I choose, even if the police don't understand it. I do agree though that corporate/business requirements and protections are different from individuals. Even if they were just as strong I would still do so. Nobody cares as much about your own privacy as you do, so I don't leave it up to anyone else.

Ah, then we are mostly in agreement.

 

[Mchart]

If that were the case this hack wouldn't exist for LE. And the boston bombers phone wouldn't have been a big deal.

I have nothing stored in the cloud, all to cloud crap turned off. Apple may be saving identifiable info without me knowing and if so, shame on them. I set my password to wipe the phone after 10 tries and hope for the best if it's ever taken or stolen. No fingerprint or face recog. Course stolen and taken have the same meaning when it comes to law enforcement against you with your property.

The phone backup is encrypted on the cloud so even with a warrant they’d have to know your password to break it.

The other iCloud items aren’t though.

 

[MacLeod]

Actually, after completely reading your post, I have to amend mine.

I think you and I are pretty close on this. I also find that your statements are correct. I am guilty of reading things into your statement that you didn't actually say, like an incorrect assumption. I'm going to leave what I said just to keep things from being confusing.


Original reply:
This isn't right either, if they see you commit a crime, exigent circumstances, there is no legal requirement for a warrant to search your person, your vehicle, or your possessions. When it comes to your phone, I think this one is still being fought over and truthfully I forget exactly where the courts are on it. If I remember correctly I think they last ruled that your phone is more sensitive and requires more protections. But saying they can't search you or any of your shit is just patently false unless you are saying this under the presumption that you didn't do anything to warrant these actions.

Yeah I could've been more clear on this. If I walk up to you on the street and arrest you for an outstanding warrant or because I just saw you buy some crack, yes I can search everything on you because you're now in my custody and not free. However, I can't break into your phone, that would still require a search warrant. I can search your pockets, wallet and say your backpack but that's it and those are mainly for security purposes to make sure you're not carrying any weapons or illegal drugs that you could bring into the jail. You ain't gonna have a weapon you can shoot me with inside your iPhone.

Now if I just walk up to you on the street without any probable cause (witness you selling crack) or reasonable suspicion (loitering around a closed liquor store at 1AM) I can't insist on searching your shit. I can pat you down for weapons but I can't go digging into your pocket without your consent or probable cause.

At no point that I can think of, can a cop just walk up to you and force you to unlock your phone. Maybe if you've got the deactivation codes for a bomb that's about to go off then maybe but even then, it's gonna have to pass muster when it gets in front of a judge at the suppression hearing.