
Apple, Graylock, And Context

With iOS 12, Apple will reduce the time a locked iOS device keeps responding to the USB port to an hour. Having a hard time understanding why that matters to you? It's because it really won't. It is, however, a gap in the security posture of these devices that Apple is fixing.



Reasonably Accurate Transcript

Good morning everybody. How's it going today? This episode of Mornings with Mark, I want to dive into a story that's been circulating around. It got picked up by the New York Times, I saw it on The Verge, Bloomberg's picked it up, around Apple and how they're blocking law enforcement tools.

Now, let's be clear. A few weeks ago, Lorenzo and Joseph at Motherboard had published this, as part of a series looking at iPhone cracking and access to mobile devices. They had published this story originally, weeks ago.

And it's around the timeout for an iPhone or an iOS device, and how it stops responding to the USB port after a certain amount of time. So essentially what happens is, when your iPhone is locked, you can still plug it into a trusted computer in order to do background synchronization and things like that.

And in a previous update to iOS 11, Joseph and Lorenzo had found out that Apple had changed the time for the USB lockout from never down to a week. And that had a potential impact on a tool called GrayKey from a company called Greylock.

Now, this is a tool that's sold to law enforcement agencies around the world to give them access to iPhones. Now, it's not, obviously, endorsed by Apple. It uses a vulnerability, it exploits this vulnerability, in order to gain access.

And so that vulnerability was that there was a flaw in how the USB port trusted various computers. So Apple had already addressed this by shortening up the time to a week. And with the latest builds in iOS 12, it looks like that week is going down to an hour. Now, for the average user, this really doesn't have any impact, right?

This doesn't have any major impact for the average user. But the stories that are going around now, and again, you know, this was originally broken a month ago, or several weeks ago, by Motherboard.

But now that it's picking up steam, by the AP, by Bloomberg, by everybody in the mainstream, the positioning is what I want to talk about. The positioning is that this is an explicit move by Apple to stop law enforcement from getting access to phones. Incorrect, flat out wrong.

Now, the original report from Motherboard was in the context of law enforcement gaining access because it was part of a larger story, a larger series of posts that looked at the overall issue of accessing mobile devices and vulnerabilities within mobile systems.

So there was a bigger context there. The latest pickup this week is very specifically saying this is a move by Apple to stop law enforcement. I would say that's wholeheartedly incorrect. This move is very much in line with Apple's previous statements, previous positions around trying to make iOS devices as secure as possible.

And I mentioned a little bit earlier that this move to change the timeout for trusted USB connections doesn't really impact regular users. And that's critical, because of that lack of an impact, that means that they're tightening up the security posture without sacrificing usability.

That's a win for us as iOS users. Now, the fact that there was a third-party company that was using a vulnerability that they did not report to Apple in order to profit, and happened to have law enforcement as a target, that's outside of this.

Yes, that's an interesting fact. And that's unfortunate for law enforcement, for that third-party company, but for the millions and millions and millions of iOS users, you're safer because of this. What this means is that somebody with malicious intent or with legal intent can't get your device and then access it without you knowing, right? They're closing a vulnerability, and this is what we do in software and hardware security all the time.

If there's a vulnerability, we look at it, we fix it, we resolve it so that people are safer and more secure. That's exactly what Apple is doing here. By reducing this timeout down to an hour, legitimate users should never see the difference.

Whereas any malicious attempt or any surreptitious attempt through legal means, I don't think surreptitious is necessarily the word, but it was fun to say. You know, there's that gray area of law enforcement access. But if law enforcement access is using a security mistake, a vulnerability, to gain access...

Well, that's a problem. There's already an approved law enforcement access mechanism for iOS devices. And that's iCloud. iCloud is fully compliant with law enforcement: through a judicial order, they will gain access to the iCloud account.

A number of cases have highlighted that that's the way forward, that that has been successful for evidence gathering. Now, that's not successful in every case. But again, the number of cases law enforcement is having challenges with, versus the number of iOS users, which is massive, right?

So we need to keep it in context, and this is where I really kind of took exception to how things have been reported. I tweeted it out actually, you know, a better headline for The Verge article at least would have been "Apple closes security loophole."

You know, the challenge I have with this is it being reported as a malicious move from Apple to block law enforcement is dis... I can't even speak this morning. This is brutal. It's not disingenuous, I'd say, you know what, it's borderline, because it's not a move by Apple to block that. Apple has full cooperation with law enforcement, as you would expect, through iCloud.

The difference is they want to make that device as secure as possible. That device goes with us everywhere. It's a massive privacy and security risk for us as users. Every time they can tighten that security up, we're better off. Whether or not law enforcement can have access is a different question.

And there are existing legal means in every modern country to get that. That's through iCloud, that's through a subpoena, that's through compelling you to unlock the device. There are mechanisms in place. We don't need to weaken the security of systems to give additional ones.

And in this case, Apple wasn't blocking law enforcement. They were simply fixing a mistake and closing a vulnerability that went unreported and was profited from by any number of law enforcement agencies. So there's a larger question there as well: if law enforcement is supposed to be protecting, what role do they have in finding vulnerabilities, or if they find one, reporting it back to the manufacturer to repair it?

So, despite my fumbling around my words this morning, despite my inarticulate... see, even there, despite my inarticulation, I think the point is made. When Motherboard broke the story a few weeks ago,

it was within a larger context. Unfortunately, the most recent round of pickup on this is within a very specific slant. And I don't think it's an appropriate one, because this is just Apple fixing a vulnerability.

The fact that law enforcement was exploiting that vulnerability, reporting it as an issue. And the fact that law enforcement was relying on undocumented access is an issue. The fact that there is fully compliant access through other legal means instead of just technical means, that's how law enforcement is going to get the evidence.

And again, you know, for the record, I've said this multiple times: I fully support law enforcement. They should be doing everything they can to gain access to these devices. It's our job as the community, it's our job as citizens, to put up the guardrails within which they should operate. For me,

I want devices as secure as physically possible, because I take it everywhere. I'm apt to lose it. I'm apt to leave it somewhere. It's apt to be stolen. We want to make sure that that doesn't expose our digital lives unnecessarily.

Apple's move to shorten the USB timeout and lockout down to an hour is a good one. It's a win for users. Let me know what you think. Hit me up online at marknca, in the comments down below, or as always by email, me@markn.ca.

It's an interesting question. It's a question that crosses several boundaries. I'm interested in hearing your feedback. Let me know. Let's get a discussion started. I hope you're set up for a fantastic day, and I'll see you tomorrow.
