Apple Finally Shuts Down Security Flaw Used By Phone-Cracking Vendor

from the indiscriminate-protection dept

In a move that will anger law enforcement (but really isn’t about law enforcement), Apple has succeeded in killing an exploit that allowed a third-party vendor to crack iPhones for investigators. A few months ago, Apple announced it was fixing the flaw that allowed products like GrayKey to bypass built-in security features and engage in brute-force passcode guessing. Thomas Brewster of Forbes confirms the fix is finally in.

Multiple sources familiar with the GrayKey tech tell Forbes the device can no longer break the passcodes of any iPhone running iOS 12 or above. On those devices, GrayKey can only do what’s called a “partial extraction,” sources from the forensic community said. That means police using the tool can only draw out unencrypted files and some metadata, such as file sizes and folder structures.
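The "built-in security features" a GrayKey-style box had to bypass are the guess throttle: the escalating wait iOS imposes after repeated wrong passcodes, plus the optional erase-after-ten-failures policy. The following model is an added illustration written for this page, not code from the article, from Forbes, or from Grayshift. The delay schedule, the per-attempt cost and the erase threshold are assumptions chosen for the model; it compares a brute force of a short numeric passcode with the throttle enforced against the same brute force with the throttle removed, which is the situation the exploit created.

```python
"""Passcode-guess throttle versus an unthrottled brute force (constructed model).

Assumptions (not taken from the article): attempts 1-5 are free, later attempts
wait 1, 5, 15, 15 and 60 minutes respectively, the device erases itself after
10 failures, and each guess costs 80 ms of key derivation. Real devices differ.
"""
from dataclasses import dataclass

# Delay in seconds imposed before attempt number N, once N-1 attempts have
# failed. Beyond the last key the final value repeats. Assumed values.
LOCKOUT_SCHEDULE = {6: 60, 7: 300, 8: 900, 9: 900, 10: 3600}
ERASE_AFTER = 10              # assumed "erase after 10 failed attempts" policy
HARDWARE_ATTEMPT_COST = 0.08  # assumed seconds per passcode check


@dataclass
class PasscodeGuard:
    """Tracks failed attempts, the enforced wait, and whether the data is gone."""
    throttled: bool = True
    failures: int = 0
    erased: bool = False
    elapsed: float = 0.0  # simulated wall-clock seconds consumed so far

    def delay_before(self, attempt_no: int) -> int:
        """Seconds the device makes the attacker wait before this attempt."""
        if not self.throttled or attempt_no <= 5:
            return 0
        capped = min(attempt_no, max(LOCKOUT_SCHEDULE))
        return LOCKOUT_SCHEDULE[capped]

    def try_passcode(self, guess: str, secret: str) -> bool:
        """Submit one guess; raises once the erase policy has fired."""
        if self.erased:
            raise RuntimeError("device erased; no further attempts possible")
        attempt_no = self.failures + 1
        self.elapsed += self.delay_before(attempt_no) + HARDWARE_ATTEMPT_COST
        if guess == secret:
            return True
        self.failures += 1
        if self.throttled and self.failures >= ERASE_AFTER:
            self.erased = True
        return False


def brute_force(secret: str, digits: int, throttled: bool):
    """Guess every numeric passcode in order.

    Returns (found, attempts_made, simulated_seconds, device_erased).
    """
    guard = PasscodeGuard(throttled=throttled)
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        try:
            if guard.try_passcode(guess, secret):
                return True, n + 1, guard.elapsed, False
        except RuntimeError:
            # The erase policy fired on the previous failure; the data is gone.
            return False, guard.failures, guard.elapsed, True
    return False, guard.failures, guard.elapsed, guard.erased


if __name__ == "__main__":
    secret = "4327"  # constructed sample passcode
    for throttled in (True, False):
        found, attempts, secs, erased = brute_force(secret, 4, throttled)
        print(f"throttle={'on ' if throttled else 'off'} found={found} "
              f"attempts={attempts} hours={secs / 3600:.2f} erased={erased}")
    # With the throttle removed, the whole 6-digit space costs only
    # 10**6 * HARDWARE_ATTEMPT_COST seconds of machine time.
    print(f"6-digit worst case, no throttle: "
          f"{10 ** 6 * HARDWARE_ATTEMPT_COST / 3600:.1f} hours")
```

Under the assumed policy the throttled run never reaches the passcode: the tenth failure erases the data, so a longer passcode adds nothing to the attacker's cost. Remove the throttle and the same loop walks the entire 4-digit space in minutes and the 6-digit space in a day of machine time, which is why a bypass of the lockout, rather than any weakness in the encryption itself, was what made these boxes useful.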

Some in law enforcement may view this as confirmation of their “going dark” complaints and claim that Apple cares more about its customers than it does about fighting crime. As if that were a bad thing. Apple should care more about what its customers want and need than about government access to locked devices. A security hole is a hole that can be used by everyone who can exploit it. There’s no way to prevent a flaw from being exploited by criminals even if law enforcement agencies find the exploit super-useful.

Grayshift’s products are still somewhat useful, but it’s going to be hard to justify a premium price for a stunted service. This new development might be Grayshift’s fault. Soon after Apple announced one fix for an exploit used by Grayshift, the company bragged it could still crack phones just as easily. This appears to have prompted closer examination of the problem Apple thought it fixed with the first round of patching. The second pass has blunted the exploit’s usefulness, even if it hasn’t made it completely impossible to access some data contained in locked devices.

Even with the fix in play, law enforcement complaints about “darkness” are overblown. There are other technical solutions available, along with a wealth of information stored by third parties and cloud services. The more technical solutions won’t scale, but that’s not really something law enforcement should complain about. Security protections for phone owners shouldn’t be viewed as weapons deployed against law enforcement. Phone manufacturers have an obligation to their customers to protect their personal data, and encryption is just one of the tools deployed to keep customers’ information out of the hands of others. That some of the “others” are cops and investigators is just a side effect of providing solid products and service.

This won’t make government critics of Apple any happier, though. And its closing of security holes is just going to lead to more demands for anti-encryption laws. Very few legislators seem interested in mandating backdoors, so these complaints aren’t gaining any traction. But government agencies like the FBI have endless time and infinite resources, so the calls for backdoors will never completely cease — not as long as there’s a chance a major tragedy might prompt reckless Congressional action.

Apple’s protection of its users is great, but its sincerity should be questioned when it’s willing to put Chinese users’ data where the Chinese government can easily access it. If it wants to be a champion for its customers, it needs to protect all of them, not just the ones it’s currently convenient to protect. When you’ve got to explain why you’re “locking out” US law enforcement but letting a foreign government walk in the front door, you’re doing customer service wrong.

Companies: apple, grayshift


Comments on “Apple Finally Shuts Down Security Flaw Used By Phone-Cracking Vendor”

Anonymous Coward says:

If it wants to be a champion for its customers, it needs to protect all of them, not just the ones it’s currently convenient to protect.

Altruism isn’t a strong suit for corporations. They can make these changes in the US where their sales are protected but failing to meet Chinese government requirements means not playing in their market at all. It’s not hard to see why they made this choice.

Tin-Foil-Hat says:

Re: Re: Re:

On paper you have rights. But by making almost everything illegal, it’s impossible to go about your life without committing a crime. It provides a pretext to suspend your rights while the situation at hand (the crime) is dealt with. My husband matched the description of a wanted person. He was pulled over for making a right turn out of a parking lot without coming to a full stop prior to turning.

That One Guy (profile) says:

'We'll save you... after we leave you vulnerable.'

If your ability to find, investigate, and prosecute crimes depends on weak security employed by the very people you are supposedly trying to protect then you are doing it very, very wrong.

The general public being better protected should never be something that law enforcement and/or government agencies should be complaining about as it reduces what they have to do in general even if it can make their jobs harder in specific cases.

That One Guy (profile) says:

Re: Re: 'We'll save you... after we leave you vulnerable.'

Given that’s what they are supposed to be doing (well, prosecution goes to actual prosecutors rather than police, but the first two anyway), and will loudly exclaim is what they are doing, calling them out when they complain that someone else is making the public safer just because it can make their jobs slightly harder seems fitting.

Tin-Foil-Hat says:

Re: 'We'll save you... after we leave you vulnerable.'

Coulda, shoulda, woulda. Everyone knows how things should be but in a police state it’s all about the police. How many agencies and redundant law enforcement agencies do we have? They have to justify their existence somehow. If there isn’t enough crime they’ll generate their own. If there isn’t enough money they’ll steal it. The sinking ship is going to get ugly.

cpt kangarooski says:

Thomas Brewster of Forbes confirms the fix is finally in.

No, “the fix is in” refers to rigging something unfairly to produce a particular result, like a contest, sports match, or an election. Using it in connection with actually repairing a security vulnerability is a very bad misuse of that phrase. You might want to edit that a bit, Tim.

Uriel-238 (profile) says:

"Going dark" remains an advantage.

For one, any vector accessible by the police to crack open private data is also accessible by private hackers and other malicious elements.

And for two law enforcement in the US is no longer in the service of the public but the elite. They should not be trusted with any means to gather data that can be closed.

Only at the point that law enforcement agencies have established a long history of consistently and fiercely serving their functions while preserving the rights of the people should they be trusted again with new means to gather and preserve evidence.

Kitsune 106 says:

So. Everyone gets the exploit. Right? Even the cops. Also. Won’t the cops having such access also be used against them.

“You cannot trust them. As they could have planted evidence on phone via the exploit.”

And any company that’s international. What’s to keep them from being told o I’ve to China or Russia. Or being told by them to unlock the phone of someone in US military?

techboycorp (profile) says:

Re: Re: Re:

and why should he stop? you’ve shown us over and over and I dare say, over that you are perfectly happy to engage in such behavior with a smile on your face and a song in your heart.

“Please stop already”

Oh, we’re just getting started my friend. There’s a new sheriff in town, and his name is Reggie Hammond.

Y’all be cool

The Wanderer (profile) says:

Re: Re: Re: Re:

WTF do you get the idea that the “please stop” comment came from blue? Given the history and context involved, it’s fairly clearly a request from a third-party commenter, asking that the person who keeps trying to bait blue into polluting the comment sections with yet more frothing explosions not make the blue problem any worse than it already is.

I’m confident that there are plenty of us who are tired of the continual troll-baiting which such gratuitous invocation of out_of_the_blue represents; I for one have taken up flagging such comments as being trolling in their own right, since previous requests that they no longer be posted seem to have been ignored, and I’ve seen enough of them hidden that I can’t be the only one doing so.

yelenahopper (profile) says:


This is one of the most important posts that I have come across in recent times and I personally am an Apple phone user and this news gives me relief by thinking that my information will be safe with me. This feels amazing as I no longer have to worry about my secret files being hacked. Yes, this is against the law but I support the move as it will help to provide the much-needed secrecy. I saw this type of thing in a case study at

EmilyBarnet (profile) says:

I really like Apple technology, so I was very interested to read this article. And I was pleased with the news that the security defect was eliminated. As for Apple, I’m now writing a Problem Solution Essay for the site about modern technology and companies that are now at the peak of their popularity, such as Apple for example. So I was very glad to come across this article, information from which I can use in my essay.
