Apple Inc said Wednesday it will change its iPhone settings to undercut the most popular means for law enforcement to break into the devices.
The company told Reuters it was aiming to protect customers in countries where police seize phones at will and all users from the risk that the attack technique will leak to spies and criminals.
The privacy standard-bearer of the tech industry said it will change the default settings in the iPhone operating system to cut off communication through the USB port when the phone has not been unlocked in the past hour. That port is how machines made by forensic companies GrayShift, Cellebrite and others connect and get around the security provisions that limit how many password guesses can be made before the device freezes them out or erases data.
These companies have marketed their machines to law enforcement in multiple countries this year, offering the machines themselves for thousands of dollars but also per-phone pricing as low as $50.
Apple representatives said the change in settings will protect customers in countries where law enforcement seizes and tries to crack phones with fewer legal restrictions than under U.S. law. They also noted that criminals, spies and unscrupulous people often can use the same techniques to extract sensitive information from a phone. Some of the methods most prized by intelligence agencies have been leaked on the internet.
“We’re constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data,” Apple said in a prepared statement. “We have the greatest respect for law enforcement, and we don’t design our security improvements to frustrate their efforts to do their jobs.”
The switch had been documented in beta versions of iOS 11.4.1 and iOS12, and Apple told Reuters it will be made permanent in a forthcoming general release.
Apple said that after it learned of techniques being used against iPhones, it reviewed the operating system code and made a number of improvements to the security. It also decided to simply alter the setting, a cruder way of preventing most of the potential access by unfriendly parties.
Time limit
With the new settings, police or hackers will typically have an hour or less to get a phone to a cracking machine. In practical terms, that could cut access by as much as 90 percent, security researchers estimate.
In theory, the change could also spur sales of cracking devices, as law enforcement looks to get more forensic machines closer to where seizures occur.
Either way, researchers and police vendors will find new ways to break into phones, and Apple will then look to patch those vulnerabilities.
The latest step could draw criticism from American police departments, the FBI, and perhaps the U.S. Justice Department, where officials have recently renewed an on-again, off-again campaign for legislation or other extraordinary means of forcing technology companies to maintain access to their users’ communications.
Apple has been the most prominent opponent of those demands.
In 2016, it went to court to fight an order that it break into an iPhone 5c used by a terrorist killer in San Bernardino.
…