There’s a new twist in the long-running cat-and-mouse game between Apple and law enforcement.
A new feature, which first emerged in an early beta version of the company’s iPhone and iPad software but never made it to market, has emerged again in the latest beta.
Forensic experts say a pre-release version of iOS 11.4 includes a new feature that requires users to “connect an accessory via lightning connector to the device while unlocked — or enter your device passcode while connected — at least once a week.”
The same feature, called USB Restricted Mode, was first found in a beta version of iOS 11.3 in March, shortly after a new iPhone unlocking tool hit the market — a device called GrayKey, which promises to help law enforcement unlock iPhones in a fraction of the time it usually takes.
The box, small enough to fit in your hand, uses an as-of-yet-unknown exploit that guesses the device’s password again and again — an attack known as brute-forcing — to gain access to the iPhone’s encrypted contents.
Apple introduced its so-called “zero-knowledge encryption” feature in iOS 8 in 2014, meaning only the device owner, and not Apple, can unlock the phone.
Law enforcement have long complained that they need access to locked devices to help with their investigations. But security experts have decried efforts by the government to lobby for backdoors, arguing that hackers could also get that same access and use it for their own gain.
In a blog post, Vladimir Katalov, chief executive at ElcomSoft, a Moscow-based mobile forensics company, said USB Restricted Mode is “aimed squarely at law enforcement.”
Katalov and his fellow forensic expert Oleg Afonin confirmed that their device required a passcode after it was left idle for a week.
“Law enforcement will have at most seven days from the time the device was last unlocked to perform the extraction using any known forensic techniques, be it logical acquisition or passcode recovery via GreyKey or other services,” said the blog post.
“After the seven days elapse, the Lightning port will be disabled,” they said. “Once this happens, you will no longer be able to pair the device to a computer or USB accessory, or use an existing lockdown record, without unlocking the device with a passcode.”
Only charging will work, they say.
But it’s an “open question” if the feature will defeat unlocking services built by GreyShift, which makes the GrayKey device, and rivals like Israel-based firm Cellebrite.
It’s the latest in Apple’s delicate balancing act of affording law enforcement some latitude in gaining access to locked iPhones, while trying to protect the rights of its users.
In recent software iterations, Apple introduced a change shutting down a device’s Touch ID fingerprint sensor after two days. In the US, law enforcement can force you to use your fingerprint or scan your face to access and search your phone. That gives law enforcement long enough to unlock the phone if the person’s finger is available. In some cases, police have used a dead person’s fingerprint to access the contents of their phone.
Apple has proactively contacted law enforcement to help in active investigations, ZDNet has previously reported. In the case of a shooter at a Texas church, Apple “immediately reached out to the FBI after learning from their press conference on Tuesday that investigators were trying to access a mobile phone,” and “offered assistance and said we would expedite our response to any legal process they send us.”
As with any beta software, the final version is subject to change and may or may not have the feature baked in.
An Apple spokesperson did not comment.