Story image

Apple reportedly taking steps to crack down on iPhone unlockers

15 Jun 2018

Apple is reportedly taking a stand against those who use phone unlockers to access data on iPhones.

A report from Reuters this week claims that Apple vows to protect all customers and their devices by changing default iPhone settings to stop USB port communication when the device has been unlocked within the last 60 minutes.

The smaller time window could potentially cut access by as much as 90%, Reuters says.

The change has reportedly been documented in beta versions of iOS 11.4.1 and iOS 12, and Apple says it will eventually be rolled out in a general release.

The move to stop device unlockers comes after pressure from US authorities including the United States FBI to allow full access to the devices.

In 2015 Apple refused to help the FBI unlock an iPhone after a US shooting. The FBI recruited digital forensics company Cellebrite to unlock the device for them, however the conflict and ethics between data privacy and data access has been ongoing.

Hackers and commercial organisations have also seen the potential in iPhone unlockers. Earlier this year researchers from Malwarebytes Labs discovered a US-based firm called GrayShift that produced iPhone unlocking devices, dubbed GrayKey. 

The GrayKey devices, which can sell for up to US$30,000, are essentially boxes that connect two iPhones.  

“An iPhone typically contains all manner of sensitive information: account credentials, names and phone numbers, email messages, text messages, banking account information, even credit card numbers or social security numbers. All of this information, even the most seemingly innocuous, has value on the black market, and can be used to steal your identity, access your online accounts, and steal your money,” explains Malwarebytes researcher Thomas Reed in a blog post from March 2018.

After two minutes the devices disconnect. Within a matter of hours or days, the phones will then display a screen with the passcode and other device information.

Reed warned that such devices would be useful to law enforcement, which in theory could seize innocent people’s devices, access them and search them without consent. In those cases, authorities could be liable for that data’s security, Reed warns.

The unlockers could also be goldmines to criminals wanting to sell them on the black market. The potential for data theft, harvesting and resale is a possible outcome.

“A jailbreak involves using a vulnerability to unlock a phone, giving access to the system that is not normally allowed. What happens to the device once it is released back to its owner? Is it still jailbroken in a non-obvious way? Is it open to remote access that would not normally be possible? Will it be damaged to the point that it really can’t be used as intended anymore, and will need to be replaced? It’s unknown, but any of these are possibilities,” Reed ponders.

“It’s highly likely that these devices will ultimately end up in the hands of agents of an oppressive regime, whether directly from GrayShift or indirectly through the black market,” Reed concludes.

We have contacted an Apple spokesperson for comment.

ESET researchers break down latest arsenal of the infamous Sednit group
At the end of August 2018, the Sednit group launched a spear-phishing email campaign, in which it distributed shortened URLs that delivered first-stage Zebrocy components.
Container survey shows adoption accelerating while security concerns remain top of mind
The report features insights from over 500 IT professionals.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Who's watching you? 
With privacy an increasing concern amongst the public, users should be more aware than ever of what personal data companies hold.
Fake apps on Google Play scamming users out of cryptocurrency
Fake cryptocurrency apps on Google Play have been discovered to be phishing and scamming users out of cryptocurrency, according to a new report from ESET.
Managing data to comply with privacy regulations - Micro Focus
It’s crucial for organisations to be able to access, understand, and accurately classify the data they have so they know how to treat it.
Hackbusters! Reviewing 90 days of cybersecurity incident response cases
While there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.
SEGA turns to Palo Alto Networks for cybersecurity protection
When one of the world’s largest video game pioneers wanted to strengthen its IT defences against cyber threats, it started with firewalls and real-time threat intelligence from Palo Alto Networks.