Apple closes law enforcement loophole for the iPhone
Heather Kelly, CNN Money
(CNN Money) — Apple is about to make it much harder for law enforcement agencies to gain access to information on iPhones.
The company will include a new feature, called USB Restricted Mode, in a future update of its iOS software, which runs on iPhones and iPads.
The feature disables data transfer through the Lightning port one hour after a phone was last locked, preventing popular third-party hacking tools used by law enforcement from accessing the device. The port can still be used for charging.
“We’re constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data,” Apple said in a statement Wednesday. “We have the greatest respect for law enforcement, and we don’t design our security improvements to frustrate their efforts to do their jobs.”
The update could reignite tensions between Apple and the US government, which wants technology companies to include backdoors — official ways to get around encryption and other security measures — on their devices. Technology companies including Apple have objected to such requests.
Reuters and The New York Times first reported that Apple had confirmed the new feature. Vice’s Motherboard previously reported that Apple was testing the change.
If a law enforcement agency wants to gain access to an iPhone, its options are limited, even with a warrant. The data on the device is encrypted and cannot be pulled off without cooperation from Apple or the phone’s owner — or possibly by using a corpse’s fingerprint.
The FBI and Apple faced off over the issue in court in 2016. The FBI demanded Apple create special software so it could unlock the iPhone belonging to one of the attackers in the San Bernardino shooting in 2015.
Apple didn’t end up building that software. Instead, the FBI purchased a tool from a third party that let it hack into the device.
The practice has spread in recent years, with law enforcement agencies around the world buying devices that can pull information off a locked phone. Companies including Cellebrite and Grayshift sell the devices, which plug into the Lightning port.
Apple told CNNMoney that its security update, including the Restricted Mode feature, is meant to prevent criminal attacks rather than stymie law enforcement agents investigating cases. The update fixes a vulnerability that could be exploited by bad actors and police alike, the company said.
“There are over 700 million iPhones in the hands of consumers. Patching any and all vulnerabilities as quickly as possible is … the only responsible path to protect the public,” said Alex Rice, co-founder of HackerOne, a firm that helps large companies detect security flaws.
An internet privacy advocate said Apple’s move was a win for the security of all iPhone users.
“Law enforcement is in the golden age of surveillance, with an unprecedented ability to look into every aspect of our lives, and more data available than ever before,” said Kurt Opsahl, deputy executive director at the Electronic Frontier Foundation. “We should not weaken security for millions of innocent users just to keep one exploit working longer.”
The FBI and the Department of Justice declined to comment.
The update will be available in iOS 12, the company’s latest mobile operating system, when it comes out later this year. iOS 12 works on the iPhone 5S and later models.
But Jay Kaplan of cybersecurity firm Synack doesn’t think it will be long before other techniques for getting into iPhones become available. Companies like Cellebrite that have based their business on it are likely to already have other tools stockpiled, he said.
Cellebrite didn’t immediately respond to a request for comment.