Since Apple locked down its iPhones three years ago with encryption that even the company itself can’t break, it has been in a cold war with the cops—one that has occasionally turned hot. Exhibit A: its legal standoff with the FBI over the seized iPhone of San Bernardino killer Syed Rizwan Farook. Now, 18 months after that showdown, Apple is adding yet more features that are designed to guard your digital privacy from anyone who nabs your iPhone—whether it’s a mugger on the street or the policeman who just threw you in jail.
Security researchers and forensic analysts who’ve seen early developer versions of iOS 11, expected to be announced at Apple’s launch event tomorrow, say its new features include tweaks designed to make extracting the data from a seized phone far more difficult without the phone’s six-digit passcode. And while those changes seem aimed at protecting iPhone users’ data from run-of-the-mill thieves and snooping boyfriends, they could also mark another escalation in Apple’s tensions with law enforcement officials and customs agents who want the ability to extract data wholesale from the phones of criminal suspects and travelers at the border.
From the perspective of those government agents, “this will be a major pain in the ass,” says Nicholas Weaver, a security researcher at the International Computer Science Institute at the University of California at Berkeley. “Apple wants to live in a world where the phone in your hands is super valuable, but in anyone else’s hands is a brick…If that messes up police’s and customs’ forensic dumps? So what. The benefits outweigh the harm.”
A Less Promiscuous Port
According to a blog post from Russian forensics software firm Elcomsoft on Thursday, Apple has made at least two significant changes to iOS 11 that will create new hurdles for those trying to access the innards of a seized iPhone. First, they’ve added a crucial step to the process of moving a phone’s contents to a forensic analyst’s desktop computer, a change that could significantly reduce the amount of data police can access on seized phones—even if they manage to confiscate them in an unlocked state.
In recent versions of iOS, any iPhone plugged into an unfamiliar computer would ask the user if he or she was willing to trust that new machine before exchanging any data with it. That meant if cops or border agents were able to seize an unlocked iPhone or compel its owner to unlock a locked one with a finger on its TouchID sensor, they could simply plug it into a desktop via a cable in its Lightning port, choose to trust the new machine with a tap, and upload its contents using forensic software from firms like Elcomsoft or Cellebrite. (That’s particularly important because courts have found criminal suspects can’t plead the Fifth Amendment and refuse to offer their fingerprints, as they sometimes can with a password or passcode.)
But in iOS 11, iPhones will not only require a tap to trust a new computer, but the phone’s passcode, too. That means even if forensic analysts do seize a phone while it’s unlocked or use its owner’s finger to unlock it, they still need a passcode to offload its data to a program where it can be analyzed wholesale. They can still flip through the data on the phone itself. But if the owner refuses to divulge the passcode, they can’t use forensic tools to access its data in the far more digestible format for analysis known as SQLite. “There’s a huge amount of data that can’t be effectively analyzed if you have to look at it manually,” says Vladimir Katalov, Elcomsoft’s co-founder. “On my phone, I have more than 100,000 messages and several thousand call logs. The manual review of that data is not possible.”
More importantly, the SQLite databases that forensic tools can pull from phones often include supposedly deleted messages from iMessage, WhatsApp, and Viber, says Katalov. “Even after you’ve deleted it, records of the data is still there,” Katalov says. But without the kind of database access gained by copying the phone’s data to a PC, investigators will have no way to recover those potentially hidden gems of evidence.
Just as key, argues Berkeley’s Weaver, will be how that passcode requirement changes the iPhone’s security during a border crossing: Customs and Border Protection agents can take advantage of a bizarre loophole in the Fourth Amendment to search Americans’ devices at the border without even obtaining a warrant. For past versions of iOS, that’s meant they could take your phone, copy its contents to their own computer, and analyze that private data at their leisure. Now, they can only look at a phone’s data manually on the spot, while you’re physically present at the border, or by taking the more drastic step of seizing the device. “Customs is going to hate this,” says Weaver. “And to be honest, good riddance.”
Sending Out An S.O.S.
Apple’s developer beta for iOS 11 also reveals a more straightforward protection against searches of a seized iPhone, in the form of a new iOS feature called “S.O.S. mode.” Tap the phone’s home button five times, and it will launch a new lockscreen with options to make an emergency call or offer up the owner’s emergency medical information. But that S.O.S. mode also silently disables TouchID, requiring a passcode to unlock the phone. That feature could be used to prevent someone from using the owner’s finger to unlock their phone while they’re sleeping or otherwise incapacitated, for instance. But it also provides a quick way to disable TouchID before, say, police kick in your door or pull you out of a car and arrest you. (Powering the device off works too, though it may be slightly slower.)
Apple declined to comment ahead of its Tuesday launch event. But both of the new security changes may have less to do with Apple tightening the screws on law enforcement than with another new feature expected in the iPhone 8: face recognition. As Facebook chief security officer Alex Stamos hinted in a tweet Friday, unlocking your iPhone by showing it your face may not be a terribly secure method of authentication, given that your face sits out in plain view and can easily be photographed or accessed by police. Disabling that feature (along with TouchID) and falling back on requiring a passcode in some situations where the phone is likely to be out of the user’s control could serve as a smart way to balance the convenience of facial recognition against the privacy risks it creates. “This is a case where they can increase security without negatively impacting usability, against real-world threats people face,” Weaver adds.
In other words, unlocking your phone with your face or finger may be slick, but when that phone is out of your hands you may be glad those aren’t the only features protecting your secrets.