Story image

Apple reportedly taking steps to crack down on iPhone unlockers

15 Jun 2018

Apple is reportedly taking a stand against those who use phone unlockers to access data on iPhones.

A report from Reuters this week claims that Apple vows to protect all customers and their devices by changing default iPhone settings to stop USB port communication when the device has been unlocked within the last 60 minutes.

The smaller time window could potentially cut access by as much as 90%, Reuters says.

The change has reportedly been documented in beta versions of iOS 11.4.1 and iOS 12, and Apple says it will eventually be rolled out in a general release.

The move to stop device unlockers comes after pressure from US authorities including the United States FBI to allow full access to the devices.

In 2015 Apple refused to help the FBI unlock an iPhone after a US shooting. The FBI recruited digital forensics company Cellebrite to unlock the device for them, however the conflict and ethics between data privacy and data access has been ongoing.

Hackers and commercial organisations have also seen the potential in iPhone unlockers. Earlier this year researchers from Malwarebytes Labs discovered a US-based firm called GrayShift that produced iPhone unlocking devices, dubbed GrayKey. 

The GrayKey devices, which can sell for up to US$30,000, are essentially boxes that connect two iPhones.  

“An iPhone typically contains all manner of sensitive information: account credentials, names and phone numbers, email messages, text messages, banking account information, even credit card numbers or social security numbers. All of this information, even the most seemingly innocuous, has value on the black market, and can be used to steal your identity, access your online accounts, and steal your money,” explains Malwarebytes researcher Thomas Reed in a blog post from March 2018.

After two minutes the devices disconnect. Within a matter of hours or days, the phones will then display a screen with the passcode and other device information.

Reed warned that such devices would be useful to law enforcement, which in theory could seize innocent people’s devices, access them and search them without consent. In those cases, authorities could be liable for that data’s security, Reed warns.

The unlockers could also be goldmines to criminals wanting to sell them on the black market. The potential for data theft, harvesting and resale is a possible outcome.

“A jailbreak involves using a vulnerability to unlock a phone, giving access to the system that is not normally allowed. What happens to the device once it is released back to its owner? Is it still jailbroken in a non-obvious way? Is it open to remote access that would not normally be possible? Will it be damaged to the point that it really can’t be used as intended anymore, and will need to be replaced? It’s unknown, but any of these are possibilities,” Reed ponders.

“It’s highly likely that these devices will ultimately end up in the hands of agents of an oppressive regime, whether directly from GrayShift or indirectly through the black market,” Reed concludes.

We have contacted an Apple spokesperson for comment.

SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.