Apple confirmed on Wednesday that the next version of its iPhone and the iPad operating system will close a security hole that law enforcement has used to crack into otherwise secure devices that belong to criminal suspects and targets of security operations worldwide. The company will include a new feature, called USB Restricted Mode, in a future update of its iOS software.
The feature disables data transfer through the Lightning port one hour after a phone was last locked, preventing popular third-party hacking tools used by law enforcement from accessing the device. The port can still be used for charging.
“We’re constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data,” Apple said in a statement Wednesday. “We have the greatest respect for law enforcement, and we don’t design our security improvements to frustrate their efforts to do their jobs.”
Such a change would hinder law enforcement officials, who have typically been opening locked iPhones by connecting another device running special software to the port, often days or even months after the smartphone was last unlocked. News of Apple’s planned software update has begun spreading through security blogs and law enforcement circles — and many in investigative agencies are infuriated.
But privacy advocates said Apple would be right to fix a security flaw that has become easier and cheaper to exploit. “This is a really big vulnerability in Apple’s phones,” said Matthew D. Green, a professor of cryptography at Johns Hopkins University. A Grayshift device sitting on a desk at a police station, he said, “could very easily leak out into the world.”
Apple and Google, which make the software in nearly all of the world’s smartphones, began encrypting their mobile software by default in 2014. Encryption scrambles data to make it unreadable until accessed with a special key, often a password. That frustrated police and prosecutors who could not pull data from smartphones, even with a warrant.
The friction came into public view after the F.B.I. could not access the iPhone of a gunman who, along with his wife, killed 14 people in San Bernardino, Calif., in late 2015. A federal judge ordered Apple to figure out how to open the phone, prompting Timothy D. Cook, Apple’s chief executive, to respond with a blistering 1,100-word letter that said the company refused to compromise its users’ privacy. “The implications of the government’s demands are chilling,” he wrote.
The two sides fought in court for a month. Then the F.B.I. abruptly announced that it had found an undisclosed group to get into the phone, paying at least $1.3 million because the hacking techniques were not common then. An inspector general’s report this year suggested the F.B.I. should have exhausted more options before it took Apple to court.
Since then, two main companies have helped law enforcement hack into iPhones: Cellebrite, an Israeli forensics firm purchased by Japan’s Sun Corporation in 2006, and Grayshift, which was founded by a former Apple engineer in 2016. Law enforcement officials said they generally send iPhones to Cellebrite to unlock, with each phone costing several thousand dollars to open. In March, Grayshift began selling a $15,000 GrayKey device that the police can use to unlock iPhones themselves.