Apple Finally Shuts Down Security Flaw Used By Phone-Cracking Vendor

from the indiscriminate-protection dept

In a move that will anger law enforcement (but really isn't about law enforcement), Apple has succeeded in killing an exploit that allowed a third-party vendor to crack iPhones for investigators. A few months ago, Apple announced it was fixing the flaw that allowed products like GrayKey to bypass built-in security features to engage in brute force password guessing. Thomas Brewster of Forbes confirms the fix is finally in.

Multiple sources familiar with the GrayKey tech tell Forbes the device can no longer break the passcodes of any iPhone running iOS 12 or above. On those devices, GrayKey can only do what’s called a “partial extraction,” sources from the forensic community said. That means police using the tool can only draw out unencrypted files and some metadata, such as file sizes and folder structures.

Some in law enforcement may view this as confirmation of their "going dark" complaints and claim that Apple cares more about its customers than it does about fighting crime. As if that were a bad thing. Apple should care more about what its customers want and need than about government access to locked devices. A security hole is a hole that can be used by everyone who can exploit it. There's no way to prevent a flaw from being exploited by criminals even if law enforcement agencies find the exploit super-useful.

Grayshift's products are still somewhat useful, but it's going to be hard to justify a premium price for a stunted service. This new development might be Grayshift's fault. Soon after Apple announced one fix for an exploit used by Grayshift, the company bragged it could still crack phones just as easily. This appears to have prompted closer examination of the problem Apple thought it fixed with the first round of patching. The second pass has blunted the exploit's usefulness, even if it hasn't made it completely impossible to access some data contained in locked devices.

Even with the fix in play, law enforcement complaints about "darkness" are overblown. There are other technical solutions available, along with a wealth of information stored by third parties and cloud services. The more technical solutions won't scale, but that's not really something law enforcement should complain about. Security protections for phone owners shouldn't be viewed as weapons deployed against law enforcement. Phone manufacturers have an obligation to their customers to protect their personal data, and encryption is just one of the tools deployed to keep customers' information out of the hands of others. That some of the "others" are cops and investigators is just a side effect of providing solid products and service.

This won't make government critics of Apple any happier, though. And its closing of security holes is just going to lead to more demands for anti-encryption laws. Very few legislators seem interested in mandating backdoors, so these complaints aren't gaining any traction. But government agencies like the FBI have endless time and infinite resources, so the calls for backdoors will never completely cease -- not as long as there's a chance a major tragedy might prompt reckless Congressional action.

Apple's protection of its users is great, but its sincerity should be questioned when it's willing to put Chinese users' data where the Chinese government can easily access it. If it wants to be a champion for its customers, it needs to protect all of them, not just the ones it's currently convenient to protect. When you've got to explain why you're "locking out" US law enforcement but letting a foreign government walk in the front door, you're doing customer service wrong.


Reader Comments



  • JoeCool (profile), 29 Oct 2018 @ 11:01am

    Obligatory

    https://xkcd.com/538/

    ;)

    I don't put it past the cops to do this anymore, and certainly bad guys have never had a problem with this.


  • Anonymous Coward, 29 Oct 2018 @ 11:03am

    If it wants to be a champion for its customers, it needs to protect all of them, not just the ones it's currently convenient to protect.

    Altruism isn't a strong suit for corporations. They can make these changes in the US where their sales are protected but failing to meet Chinese government requirements means not playing in their market at all. It's not hard to see why they made this choice.


    • Anonymous Coward, 29 Oct 2018 @ 12:03pm

      Re:

      Also, US government is heavy in "people's rights". China, not so much. US law enforcement may not be happy but it will likely come to a constitutional battle if they want it to change.


      • Tin-Foil-Hat, 29 Oct 2018 @ 1:46pm

        Re: Re:

        On paper you have rights. But by making almost everything illegal, it's impossible to go about your life without committing a crime. It provides a pretext to suspend your rights while the situation at hand (the crime) is dealt with. My husband matched the description of a wanted person. He was pulled over for making a right turn out of a parking lot without coming to a full stop prior to turning.


      • Uriel-238 (profile), 29 Oct 2018 @ 3:01pm

        Constitutional battles

        Given the Federalist Society has control over the US Supreme Court, I'm pretty sure we can no longer trust the Constitution of the United States to serve to sustain rights of the public.


        • Anonymous Coward, 30 Oct 2018 @ 8:07am

          Re: Constitutional battles

          When trump thinks he can sign an EO that removes the bill of rights then - yeah, stating that there is a problem would be an understatement.


  • That One Guy (profile), 29 Oct 2018 @ 11:14am

    'We'll save you... after we leave you vulnerable.'

    If your ability to find, investigate, and prosecute crimes depends on weak security employed by the very people you are supposedly trying to protect then you are doing it very, very wrong.

    The general public being better protected should never be something that law enforcement and/or government agencies should be complaining about as it reduces what they have to do in general even if it can make their jobs harder in specific cases.


    • Anonymous Coward, 29 Oct 2018 @ 1:00pm

      Re: 'We'll save you... after we leave you vulnerable.'

      You're assuming that they would "find, investigate, and prosecute crimes" instead of just making up fake stings and fake crimes for easy arrests...which also make for great sound bites when it comes budget time.


      • That One Guy (profile), 29 Oct 2018 @ 1:55pm

        Re: Re: 'We'll save you... after we leave you vulnerable.'

        Given that's what they are supposed to be doing(well, prosecution goes to actual prosecutors rather than police, but the first two anyway), and will loudly exclaim is what they are doing, calling them out when they complain that someone else is making the public safer just because it can make their jobs slightly harder seems fitting.


    • Tin-Foil-Hat, 29 Oct 2018 @ 1:34pm

      Re: 'We'll save you... after we leave you vulnerable.'

      Coulda, shoulda, woulda. Everyone knows how things should be but in a police state it's all about the police. How many agencies and redundant law enforcement agencies do we have? They have to justify their existence somehow. If there isn't enough crime they'll generate their own. If there isn't enough money they'll steal it. The sinking ship is going to get ugly.


  • cpt kangarooski, 29 Oct 2018 @ 11:18am

    Thomas Brewster of Forbes confirms the fix is finally in.

    No, “the fix is in” refers to rigging something unfairly to produce a particular result, like a contest, sports match, or an election. Using it in connection with actually repairing a security vulnerability is a very bad misuse of that phrase. You might want to edit that a bit, Tim.


    • Gary (profile), 29 Oct 2018 @ 11:57am

      Re:

      In this context it is good wordplay to mix the literal and idiomatic versions - I'd let that one stay if I was the editor.


    • Anonymous Coward, 29 Oct 2018 @ 12:27pm

      Re:

      Given the history of capitalisation (literal/etymological meaning) on this site, I took this title as a palindrome ... OK, not a palindrome, but definitely a pun.


  • Bamboo Harvester (profile), 29 Oct 2018 @ 11:19am

    No, they're doing "customer" service RIGHT

    If they don't allow the Chinese government access, they don't get to sell to the Chinese market.

    That makes the Chinese government the customer.

    If they demand that every iPhone sold in China must have a picture of Chairman Mao on it, Apple will do so - HAPPILY.


  • Uriel-238 (profile), 29 Oct 2018 @ 11:53am

    "Going dark" remains an advantage.

    For one, any vector accessible by the police to crack open private data is also accessible by private hackers and other malicious elements.

    And for two law enforcement in the US is no longer in the service of the public but the elite. They should not be trusted with any means to gather data that can be closed.

    At a point that law enforcement agencies have established a long history of consistently and fiercely serving their functions while preserving the rights of the people should they be trusted again with new means to gather and preserve evidence.


  • Anonymous Coward, 29 Oct 2018 @ 12:04pm

    Why not protect Chinese Users? Easy. Money. LOTS AND LOTS of it. One Billion users is worth more than 300 Million Users.


    • Anonymous Coward, 29 Oct 2018 @ 8:50pm

      Re:

      Because while staging a coup in China could prove massively profitable it would be incredibly risky and would be way out of their capabilities anyway.


  • stine, 29 Oct 2018 @ 2:33pm

    US vs China

    If they don't allow the Chinese in, they don't sell in China. Is it really so hard for you to accept that?


  • Kitsune 106, 29 Oct 2018 @ 4:27pm

    So. Everyone gets the exploit. Right? Even the cops. Also. Won't the cops having such access also be used against them.

    "You cannot trust them. As they could have planted evidence on phone via the exploit."

    And any company that's international. What's to keep them from being told o I've to China or Russia. Or being told by them to unlock the phone of someone in US military?


  • Anonymous Coward, 29 Oct 2018 @ 7:08pm

    out_of_the_blue frothing at the mouth in 3, 2, 1...


    • Anonymous Coward, 29 Oct 2018 @ 8:02pm

      Re:

      Please stop already.


      • techboycorp (profile), 30 Oct 2018 @ 8:01am

        Re: Re:

        and why should he stop? you've shown us over and over and I dare say, over that you are perfectly happy to engage in such behavior with a smile on your face and a song in your heart.

        "Please stop already"

        Oh, we're just getting started my friend. There's a new sheriff in town, and his name is Reggie Hammond.

        Y'all be cool


        • The Wanderer (profile), 30 Oct 2018 @ 8:51am

          Re: Re: Re:

          WTF do you get the idea that the "please stop" comment came from blue? Given the history and context involved, it's fairly clearly a request from a third-party commenter, asking that the person who keeps trying to bait blue into polluting the comment sections with yet more frothing explosions not make the blue problem any worse than it already is.

          I'm confident that there are plenty of us who are tired of the continual troll-baiting which such gratuitous invocation of out_of_the_blue represents; I for one have taken up flagging such comments as being trolling in their own right, since previous requests that they no longer be posted seem to have been ignored, and I've seen enough of them hidden that I can't be the only one doing so.


        • Anonymous Coward, 30 Oct 2018 @ 10:53pm

          Re: Re: Re:

          Yeah, why stop?

          Blue's tears are delicious!


  • techboycorp (profile), 31 Oct 2018 @ 7:06am

    Re: Re: rerere

    As Klaus Maria Brandauer put it: "the well of allah - sweet, like tears"


  • yelenahopper (profile), 31 Oct 2018 @ 10:37pm

    Reply

    This is one of the most important posts that I have come across in recent times and I personally am an Apple phone user and this news gives me a relief by thinking that my information will be safe with me. This feels amazing as I no longer have to worry about my secret files to be hacked. Yes, this is against the law but I support the move as it will help to provide the much-needed secrecy. I saw this type of things in a case study at https://penmypaper.com


