Apple Finally Shuts Down Security Flaw Used By Phone-Cracking Vendor
from the indiscriminate-protection dept
In a move that will anger law enforcement (but really isn’t about law enforcement), Apple has succeeded in killing an exploit that allowed a third-party vendor to crack iPhones for investigators. A few months ago, Apple announced it was fixing the flaw that allowed products like GrayKey to bypass built-in security features to engage in brute force password guessing. Thomas Brewster of Forbes confirms the fix is finally in.
Multiple sources familiar with the GrayKey tech tell Forbes the device can no longer break the passcodes of any iPhone running iOS 12 or above. On those devices, GrayKey can only do what’s called a “partial extraction,” sources from the forensic community said. That means police using the tool can only draw out unencrypted files and some metadata, such as file sizes and folder structures.
Some in law enforcement may view this as confirmation of their “going dark” complaints and claim that Apple cares more about its customers than it does about fighting crime. As if that was bad thing. Apple should care more about what its customers want and need than government access to locked devices. A security hole is a hole that can be used by everyone who can exploit it. There’s no way to prevent a flaw from being exploited by criminals even if law enforcement agencies find the exploit super-useful.
Grayshift’s products are still somewhat useful, but it’s going to be hard to justify a premium price for a stunted service. This new development might be Grayshift’s fault. Soon after Apple announced one fix for an exploit used by Grayshift, the company bragged it could still crack phones just as easily. This appears to have prompted closer examination of the problem Apple thought it fixed with the first round of patching. The second pass has blunted the exploit’s usefulness, even if it hasn’t made it completely impossible to access some data contained in locked devices.
Even with the fix in play, law enforcement complaints about “darkness” are overblown. There are other technical solutions available, along with a wealth on information stored by third parties and cloud services. The more technical solutions won’t scale, but that’s not really something law enforcement should complain about. Security protections for phone owners shouldn’t be viewed as weapons deployed against law enforcement. Phone manufacturers have an obligation to their customers to protect their personal data, and encryption is just one of the tools deployed to keep customers’ information out of the hands of others. That some of the “others” are cops and investigators is just a side effect of providing solid products and service.
This won’t make government critics of Apple any happier, though. And its closing of security holes is just going to lead to more demands for anti-encryption laws. Very few legislators seem interested in mandating backdoors, so these complaints aren’t gaining any traction. But government agencies like the FBI have endless time and infinite resources, so the calls for backdoors will never completely cease — not as long as there’s a chance a major tragedy might prompt reckless Congressional action.
Apple’s protection of its users is great, but its sincerity should be questioned when it’s willing to put Chinese users’ data where the Chinese government can easily access it. If it wants to be a champion for its customers, it needs to protect all of them, not just the ones it’s currently convenient to protect. When you’ve got to explain why you’re “locking out” US law enforcement but letting a foreign government walk in the front door, you’re doing customer service wrong.
Filed Under: backdoors, cracks, encryption, graykey, iphone, law enforcement
Companies: apple, grayshift
Comments on “Apple Finally Shuts Down Security Flaw Used By Phone-Cracking Vendor”
Obligatory
https://xkcd.com/538/
😉
I don’t put it past the cops to do this anymore, and certainly bad guys have never had a problem with this.
Altruism isn’t a strong suit for corporations. They can make these changes in the US where their sales are protected but failing to meet Chinese government requirements means not playing in their market at all. It’s not hard to see why they made this choice.
Re: Re:
Also, US government is heavy in “people’s rights”. China, not so much. US law enforcement may not be happy but it will likely come to a constitutional battle if they want it to change.
Re: Re: Re:
On paper you have rights. But by making almost everything illegal, it’s impossible to go about your life without committing a crime. It provides a pretext to suspend your rights while the situation at hand (the crime) is dealt with. My husband matched the description of a wanted person. He was pulled over for making a right turn out of a parking lot without coming to a full stop prior to turning.
Re: Re: Constitutional battles
Given the Federalist Society has control over the US Supreme Court, I’m pretty sure we can no longer trust the Constitution of the United States to serve to sustain rights of the public.
Re: Re: Re: Constitutional battles
When trump thinks he can sign an EO that removes the bill of rights then – yeah, stating that there is a problem would be an understatement.
'We'll save you... after we leave you vulnerable.'
If your ability to find, investigate, and prosecute crimes depends on weak security employed by the very people you are supposedly trying to protect then you are doing it very, very wrong.
The general public being better protected should never be something that law enforcement and/or government agencies should be complaining about as it reduces what they have to do in general even if it can make their jobs harder in specific cases.
Re: 'We'll save you... after we leave you vulnerable.'
You’re assuming that they would “find, investigate, and prosecute crimes” instead of just making up fake stings and fake crimes for easy arrests…which also make for great sound bytes when it comes budget time.
Re: Re: 'We'll save you... after we leave you vulnerable.'
Given that’s what they are supposed to be doing(well, prosecution goes to actual prosecutors rather than police, but the first two anyway), and will loudly exclaim is what they are doing, calling them out when they complain that someone else is making the public safer just because it can make their jobs slightly harder seems fitting.
Re: 'We'll save you... after we leave you vulnerable.'
Coulda, shoulda, woulda. Everyone knows how things should be but in a police state it’s all about the police. How many agencies and redundant law enforcement agencies do we have? They have to justify their existence somehow. If there isn’t enough crime they’ll generate their own. If there isn’t enough money they’ll steal it. The sinking ship is going to get ugly.
No, “the fix is in” refers to rigging something unfairly to produce a particular result, like a contest, sports match, or an election. Using it in connection with actually repairing a security vulnerability is a very bad misuse of that phrase. You might want to edit that a bit, Tim.
Re: Re:
In this context it is good wordplay to mix the literal and idiomatic versions – I’d let that one stay if I was the editor.
Re: Re:
Given the history of capitalisation (literal/etymological meaning) on this site, I took this title as a palindrome … OK, not a palindrome, but definitely a pun.
No, they're doing "customer" service RIGHT
If they don’t allow the Chinese government access, they don’t get to sell to the Chinese market.
That makes the Chinese government the customer.
If they demand that every iPhone sold in China must have a picture of Chairman Mao on it, Apple will do so – HAPPILY.
"Going dark" remains an advantage.
For one, any vector accessible by the police to crack open private data is also accessible by private hackers and other malicious elements.
And for two law enforcement in the US is no longer in the service of the public but the elite. They should not be trusted with any means to gather data that can be closed.
At a point that law enforcement agencies have established a long history of consistently and fiercely served their functions while preserving the rights of the people should they be trusted again with new means to gather and preserve evidence.
Why not protect Chinese Users? Easy. Money. LOTS AND LOTS of it. One Billion users is worth more then 300 Million Users.
Re: Re:
Because while staging a coup in China could prove massively profitable it would be incredibly risky and would be way out of their capabilities anyway.
US vs China
If they don’t allow the Chinese in, they don’t sell in China. Is it really so hard for you to accept that?
So. Everyone gets the exploit. Right? Even the cops. Also. Won’t the cops having such access also be used against them.
“You cannot trust them. As they could have planted evidence on phone via the exploit.”
And any company that’s international. What’s to keep them from being told o I’ve to China or Russia. Or being told by them to unlock the phone of someone in US military?
out_of_the_blue frothing at the mouth in 3, 2, 1…
Re: Re:
Please stop already.
Re: Re: Re:
and why should he stop? you’ve shown us over and over and I dare say, over that you are perfectly happy to engage in such behavior with a smile on your face and a song in your heart.
“Please stop already”
Oh, we’re just getting started my friend. There’s a new sheriff in town, and his name is Reggie Hammond.
Y’all be cool
Re: Re: Re: Re:
WTF do you get the idea that the “please stop” comment came from blue? Given the history and context involved, it’s fairly clearly a request from a third-party commenter, asking that the person who keeps trying to bait blue into polluting the comment sections with yet more frothing explosions not make the blue problem any worse than it already is.
I’m confident that there are plenty of us who are tired of the continual troll-baiting which such gratuitous invocation of out_of_the_blue represents; I for one have taken up flagging such comments as being trolling in their own right, since previous requests that they no longer be posted seem to have been ignored, and I’ve seen enough of them hidden that I can’t be the only one doing so.
Re: Re: Re: Re:
Yeah, why stop?
Blue’s tears are delicious!
rerere
As Klaus Maria Brandauer put it: “the well of allah – sweet, like tears”
Reply
This is one of the most important posts that I have come across in recent times and I personally am an Apple phone user and this news gives me a relief by thinking that my information will be safe with me. This feels amazing as o no longer have to worry about my secret files to be hacked. Yes, this is against the law but I support the move as it will help to provide the much-needed secrecy. I saw this type of things in a case study at https://penmypaper.com
I think this bug can only fixed when we upgrade the iOS to iOS 12. In the lower versions, the bug still continuous. So Apple should take care of iOS users on iOS 11 or below.
I really like Apple technology, so I was very interested to read this article. And I was pleased with the news that the security defect was eliminated. As for Apple, I’m now writing Problem Solution Essay for the site https://customwritingonline.co.uk about modern technology and companies that are now at the peak of their popularity as Apple for example. So I was very glad to come across this article, information from which I can use in my essay.