Apple Finally Shuts Down Security Flaw Used By Phone-Cracking Vendor
from the indiscriminate-protection dept
In a move that will anger law enforcement (but really isn't about law enforcement), Apple has succeeded in killing an exploit that allowed a third-party vendor to crack iPhones for investigators. A few months ago, Apple announced it was fixing the flaw that allowed products like GrayKey to bypass built-in security features to engage in brute force password guessing. Thomas Brewster of Forbes confirms the fix is finally in.
Multiple sources familiar with the GrayKey tech tell Forbes the device can no longer break the passcodes of any iPhone running iOS 12 or above. On those devices, GrayKey can only do what’s called a “partial extraction,” sources from the forensic community said. That means police using the tool can only draw out unencrypted files and some metadata, such as file sizes and folder structures.
Some in law enforcement may view this as confirmation of their "going dark" complaints and claim that Apple cares more about its customers than it does about fighting crime. As if that was bad thing. Apple should care more about what its customers want and need than government access to locked devices. A security hole is a hole that can be used by everyone who can exploit it. There's no way to prevent a flaw from being exploited by criminals even if law enforcement agencies find the exploit super-useful.
Grayshift's products are still somewhat useful, but it's going to be hard to justify a premium price for a stunted service. This new development might be Grayshift's fault. Soon after Apple announced one fix for an exploit used by Grayshift, the company bragged it could still crack phones just as easily. This appears to have prompted closer examination of the problem Apple thought it fixed with the first round of patching. The second pass has blunted the exploit's usefulness, even if it hasn't made it completely impossible to access some data contained in locked devices.
Even with the fix in play, law enforcement complaints about "darkness" are overblown. There are other technical solutions available, along with a wealth on information stored by third parties and cloud services. The more technical solutions won't scale, but that's not really something law enforcement should complain about. Security protections for phone owners shouldn't be viewed as weapons deployed against law enforcement. Phone manufacturers have an obligation to their customers to protect their personal data, and encryption is just one of the tools deployed to keep customers' information out of the hands of others. That some of the "others" are cops and investigators is just a side effect of providing solid products and service.
This won't make government critics of Apple any happier, though. And its closing of security holes is just going to lead to more demands for anti-encryption laws. Very few legislators seem interested in mandating backdoors, so these complaints aren't gaining any traction. But government agencies like the FBI have endless time and infinite resources, so the calls for backdoors will never completely cease -- not as long as there's a chance a major tragedy might prompt reckless Congressional action.
Apple's protection of its users is great, but its sincerity should be questioned when it's willing to put Chinese users' data where the Chinese government can easily access it. If it wants to be a champion for its customers, it needs to protect all of them, not just the ones it's currently convenient to protect. When you've got to explain why you're "locking out" US law enforcement but letting a foreign government walk in the front door, you're doing customer service wrong.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: backdoors, cracks, encryption, graykey, iphone, law enforcement
Companies: apple, grayshift
Reader Comments
Subscribe: RSS
View by: Time | Thread
Obligatory
;)
I don't put it past the cops to do this anymore, and certainly bad guys have never had a problem with this.
[ link to this | view in chronology ]
Altruism isn't a strong suit for corporations. They can make these changes in the US where their sales are protected but failing to meet Chinese government requirements means not playing in their market at all. It's not hard to see why they made this choice.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Constitutional battles
Given the Federalist Society has control over the US Supreme Court, I'm pretty sure we can no longer trust the Constitution of the United States to serve to sustain rights of the public.
[ link to this | view in chronology ]
Re: Constitutional battles
[ link to this | view in chronology ]
'We'll save you... after we leave you vulnerable.'
If your ability to find, investigate, and prosecute crimes depends on weak security employed by the very people you are supposedly trying to protect then you are doing it very, very wrong.
The general public being better protected should never be something that law enforcement and/or government agencies should be complaining about as it reduces what they have to do in general even if it can make their jobs harder in specific cases.
[ link to this | view in chronology ]
Re: 'We'll save you... after we leave you vulnerable.'
[ link to this | view in chronology ]
Re: Re: 'We'll save you... after we leave you vulnerable.'
Given that's what they are supposed to be doing(well, prosecution goes to actual prosecutors rather than police, but the first two anyway), and will loudly exclaim is what they are doing, calling them out when they complain that someone else is making the public safer just because it can make their jobs slightly harder seems fitting.
[ link to this | view in chronology ]
Re: 'We'll save you... after we leave you vulnerable.'
[ link to this | view in chronology ]
No, “the fix is in” refers to rigging something unfairly to produce a particular result, like a contest, sports match, or an election. Using it in connection with actually repairing a security vulnerability is a very bad misuse of that phrase. You might want to edit that a bit, Tim.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
No, they're doing "customer" service RIGHT
That makes the Chinese government the customer.
If they demand that every iPhone sold in China must have a picture of Chairman Mao on it, Apple will do so - HAPPILY.
[ link to this | view in chronology ]
"Going dark" remains an advantage.
For one, any vector accessible by the police to crack open private data is also accessible by private hackers and other malicious elements.
And for two law enforcement in the US is no longer in the service of the public but the elite. They should not be trusted with any means to gather data that can be closed.
At a point that law enforcement agencies have established a long history of consistently and fiercely served their functions while preserving the rights of the people should they be trusted again with new means to gather and preserve evidence.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
US vs China
[ link to this | view in chronology ]
"You cannot trust them. As they could have planted evidence on phone via the exploit."
And any company that's international. What's to keep them from being told o I've to China or Russia. Or being told by them to unlock the phone of someone in US military?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
"Please stop already"
Oh, we're just getting started my friend. There's a new sheriff in town, and his name is Reggie Hammond.
Y'all be cool
[ link to this | view in chronology ]
Re: Re: Re:
I'm confident that there are plenty of us who are tired of the continual troll-baiting which such gratuitous invocation of out_of_the_blue represents; I for one have taken up flagging such comments as being trolling in their own right, since previous requests that they no longer be posted seem to have been ignored, and I've seen enough of them hidden that I can't be the only one doing so.
[ link to this | view in chronology ]
Re: Re: Re:
Blue's tears are delicious!
[ link to this | view in chronology ]
Re: Re: rerere
[ link to this | view in chronology ]
Reply
[ link to this | view in chronology ]
[ link to this | view in chronology ]
I really like Apple technology, so I was very interested to read this article. And I was pleased with the news that the security defect was eliminated. As for Apple, I'm now writing Problem Solution Essay for the site https://customwritingonline.co.uk about modern technology and companies that are now at the peak of their popularity as Apple for example. So I was very glad to come across this article, information from which I can use in my essay.
[ link to this | view in chronology ]