On June 13, Apple announced that they will implement a software update to prevent data gathering through a device’s USB port.
With data security becoming an even more important issue, especially with the beginning of the General Data Protection Regulation (GDPR) in the European Union, Apple could be looking to remain ahead of the curve in securing consumer data. The update will add “USB Restricted Mode” as a feature which will disable access to data from the USB port if the phone has been locked for an hour.
Apple does not intend for the update to stifle law enforcement, but noted that the protections are not meant just for U.S. consumer privacy, but for the protection of users in countries where confiscation of phones (both by law enforcement and by bad actors like hackers or thieves) is more prevalent.
Prior to the update, machines could access the port and bypass the password security feature which restricts password guess attempts and erases data, allowing them to run code until the password is obtained and data breached. According to Reuters, companies that produced these devices would sell them for “thousands of dollars but also per-phone pricing as low as $50.”
Two companies, Cellebrite and Greyshift, developed devices which law enforcement, as well as hackers, used to access information from iPhones. The Department of Justice (DOJ) used Cellebrite’s Universal Forensic Extraction Device (UFED) to gain access into the phone of the perpretrator in the 2015 San Bernardino attack.
In that case, the DOJ attempted to crack into the phone with the help of Apple, who refused to help, citing concerns of user privacy in the future. Eventually the DOJ dropped the case and used the UFED instead.
In a statement released with the update announcement Apple said, “we have the greatest respect for law enforcement, and we don’t design our security improvements to frustrate their efforts to do their jobs.”
Apple also released information regarding its communication with law enforcement. 14,098 information requests were received by Apple from the government last year. The company also received 29,000 national security requests under the Foreign Intelligence Surveillance Act (FISA).
Apple is not the only company upping its phone security. Google has also taken steps to update the Android operating system on its phones. Their update prevents the phone from “creating custom firmware updates that could be installed on a phone without the device’s password.”
However, law enforcement is frustrated with Apple’s recent announcement, according to The New York Times. The Indiana State Police’s task force on Internet crimes against children is worried that, without access to phone information, they will not be able to properly manage children’s safety. The State Police said it unlocked 96 iPhones last year, each with a warrant, using Grayshift’s device.
Others, like Matthew Green, professor of cryptography at Johns Hopkins University, were glad to see the update, and Green particularly worried about technology like the Grayshift getting into the wrong hands.