Another iPhone Change to Frustrate the Police

I recently wrote about the new ability to disable the Touch ID login on iPhones. This is important because of a weirdness in current US law that protects people's passcodes from forced disclosure in ways it does not protect actions: being forced to place a thumb on a fingerprint reader.

There's another, more significant, change: iOS now requires a passcode before the phone will establish trust with another device.

In the current system, when you connect your phone to a computer, you're prompted with the question "Trust this computer?" and you can click yes or no. Now you have to enter your passcode again. That means if the police have an unlocked phone, they can scroll through the phone looking for things but they can't download all of the contents onto another computer without also knowing the passcode.

More details:

This might be particularly consequential during border searches. The "border search" exception, which allows Customs and Border Protection to search anything going into the country, is a contentious issue when applied to electronics. It is somewhat (but not completely) settled law, but that the U.S. government can, without any cause at all (not even "reasonable articulable suspicion", let alone "probable cause"), copy all the contents of my devices when I reenter the country sows deep discomfort in myself and many others. The only legal limitation appears to be a promise not to use this information to connect to remote services. The new iOS feature means that a Customs office can browse through a device -- a time limited exercise -- but not download the full contents.

Posted on September 15, 2017 at 6:28 AM • 40 Comments

Comments

Boiled Frog • September 15, 2017 7:13 AM

"Agents looked through just over 8,500 travelers' devices in 2015, jumping to 19,000 in 2016, according to CBP data released in April. This year, agents have already searched nearly 15,000 devices — putting them on track to thumb through 30,000 by the end of 2017."

http://www.businessinsider.com/can-us-border-agents-search-your-phone-at-the-airport-2017-2

Looks like seizing and copying phones is headed for routine practice. So then, it's about turning off the phone before you get in line, burners and encryption. Foreign travelers might be refused entry for any kind of resistance, however.

I assume the excuse for all of this is 'terrorism', but suspect it's really about drug enforcement and well... crime.

ThaumaTechnician • September 15, 2017 7:15 AM

I was always kind of surprised that the trust 'feature/function' was so easy to click through.

More interesting, since this is just software, why wasn't the change implemented years ago?

Nick • September 15, 2017 7:21 AM

So they can force you to enter the code to unlock the phone (or use touchID), but they cannot force you to enter the code again to trust their copy-device?

me • September 15, 2017 7:41 AM

that is a good thing.
i have never been in america but i think that if i will come i will not bring my phone and i don't care how suspicious that might be.
there is my full personal life in it and they can't access my whole life AND COPY IT for no reason.
also seems that they are targeting muslim (or any other not white/"standard" person) or important persons: nasa, journalists.... seeking intelligence information. seems that they also save the password so the next time they don't even need to ask you it.
i don't tell my password to anyone family included and i should give it to some random person that will copy it without permission and do whatever he wants??? no thanks

also think if some other country decide to copy the america idea and copy everything from american people/other people.

seems also that everyone is trying to giving advices on how to fool them (for example passwords, using other phone, delete and download when on the other side) but everyone forgets that this is simply *wrong* and should not be done in first place.

me • September 15, 2017 7:45 AM

i hope that this will make a difference also in law:
-take a look might be ok
-copy everything, analyze everything store it forever it's not acceptable

i think that also "taking a look" is unacceptable. i understand checking your bag to see if you are not bringing knife/weapons/drug...
but phone? how can a phone harm anyone?

0laf • September 15, 2017 7:46 AM

With the US apparently heading down a darker road and the President giving at least lip service to supporting forms of torture then the old XKCD cartoon is becoming more relevant all the time...

https://xkcd.com/538/

CallMeLateForSupper • September 15, 2017 7:46 AM

"The only legal limitation appears to be a promise not to use this information to connect to remote services."

The way I read the WaPo article, that limitation is mere policy, is not codified in law and therefore is not a "legal limitation". When/if DHS wants to increase its intrusiveness, it can just re-write policy. Even if the current limitation were codified in law, a squawk by DHS, to Congress, could get the law changed.

Vesselin Bontchev • September 15, 2017 7:54 AM

Does backing up the phone to the cloud require a PIN? Otherwise the cops can tell the unlocked phone to backup there and take the results from Apple, since the backups aren't end-to-end encrypted.

matteo • September 15, 2017 8:01 AM

@Vesselin Bontchev:
i'm not iphone expert but to backup in icloud you need icloud/apple account credentials not the phone pin code.
you probably can't use your own credentials before you disassociated the phone from the current account (using the credentials).
anyway this is not going to stop cbp from abusing your rights, they can just force you to give also any other credential needed.

matteo • September 15, 2017 8:03 AM

This situation where you have to give away all your data and passwords is the proof that encryption can be banned. (at least for the good guys)

Boiled Frog • September 15, 2017 8:11 AM

Taking a step back, increased seizing and searching of phones (because: Security) is another mark against biometrics. I would guess they are now doomed to the role of: User ID only.

(Encrypted) Passwords as passwords, in the USA, are still golden. For awhile.

Of course, non-citizens have no rights at all, and should take precautions if they are concerned about this. To the government's advantage, the vast majority of people don't know or care about this stuff at all.

Michael • September 15, 2017 9:06 AM

Only a clumsy ignorant terrorist would be caught at the border search with the availability of the cloud, or even a private encrypted Server to download things from once in US.

I think Bruce's comment on Security Theater is correct.

For a Terrorist who is coordinating actions, acquiring information, then his devices might have useful information. Likely he is already in US, or target country.

Steve • September 15, 2017 9:47 AM

". . . but they can't download all of the contents onto a another computer without also knowing the passcode."

. . . or having access to the built in back door. Or a rubber hose.

Evan • September 15, 2017 10:22 AM

It's not so much security theater as it is security as a policy decoy (need a better term for this) - the purpose is to enable a federal law enforcement agency to collect deep data on people. Spies, terrorists, drug smugglers, etc won't have incriminating stuff on devices they bring over the border regardless, so it's only for having future leverage on people and state-supported industrial espionage.

boog • September 15, 2017 11:34 AM

@me:

seems also that everyone is trying to giving advices on how to fool them... but everyone forgets that this is simply *wrong* and should not be done in first place

I don't think that people are forgetting that this is wrong - the problem is that they can and will do it regardless. The advice is how to not let them do it BECAUSE it's wrong.

Stuart Lynne • September 15, 2017 11:45 AM

Ensure your iPhone is backed up in the cloud, do a restore to factory settings, link to a different (and benign) account to restore (presumably with benign social media accounts etc.)

Customs can review this as much as they like.

Once through customs, reverse the process and restore your actual account.

This process is slightly time consuming, but if you don't want customs looking at what is on your phone this will accomplish it.

Hat Trick Henry • September 15, 2017 12:02 PM

@Nick:

I tend to forget my passcode every time I approach the TSA and I tend to remember it every time I leave the airport...

@Bruce

It's about time they required the passcode for this!

Sancho_P • September 15, 2017 1:03 PM

A sensible comment at lawfareblog, I appreciate that.
It may take years but I hope that finally “my (IP) property” will remain my property until we end up in front of an independent judge.
Innocent means innocent, until formally charged.

The ”Change to Frustrate the Police” (@Bruce) is a disqualifying MSM statement.
No, it is a relief for the innocent user. Bravos Tim Cook!

@Vesselin Bontchev

To access Apple Cloud they’d need a warrant, that would be OK if …
.. if they have to inform me about the reason and procedure.
What I can’t stand is cowardly hide behind a smokescreen and doing shady businesses.
"Who will guard the guards themselves?"

ThaumaTechnician • September 15, 2017 1:22 PM

I'm also surprised, since this is just software, why haven't we heard of someone infecting the police forces' phone-snarfing equipment?

Have they figured out how to 100%-safely read a USB device?

Clive Robinson • September 15, 2017 2:37 PM

A couple of technical things to think about...

Flash ROM is difficult to erase reliably and at best it's a slow process, mainly because of the way it is used to correct for errors etc. Thus unless you know for certain and beyond all doubt that all writes of data are encrypted and there is likewise no way to recover the key then you should assume that some if not all data will be recoverable by a suitably in depth forensic analysis.

Which further raises the question as to if you trust the OS of the device the Flash ROM is on, and if it has wireless communications any Over The Air (OTA) updates to the device OS, applications or SIM if it has one? The answer to this should be "NO" if you are at all security conscious, which means you should assume the device will reveal all about what has ever gone on/through it.

The second thing to consider is "do you ever use the USB port for data?" If the answer is "no" it's not that difficult to open the device up and with a soldering iron lift one of the series resistors on the data lines.

If you do so then the USB port will still work for charging but be of no use for copying data into or out of the device.

TimH • September 15, 2017 2:51 PM

@Clive: Actually "Flash ROM is difficult to erase reliably" isn't true. Flash ROM is just an erasable memory device. The problem is that the Flash ROM is coupled with a controller which provides interface conversion (to USB, SATA etc) and wear management. It's the wear management function that makes true erase difficult, because the memory addresses on the outside no longer reflect the ROM addressing.

I'd word this as "Consumer Flash memory devices are difficult to erase reliably"...

paranoia destroys ya • September 15, 2017 5:50 PM

@ThaumaTechnician

Maybe someone may try infecting stealing everyone else's information back that was gathered by the police.

who would you believe • September 15, 2017 7:24 PM

I'd be willing to bet the add-on service package that promises to detect breaches in snooping devices is 'cost-prohibited' for most customers

OldFish • September 15, 2017 8:45 PM

@Clive

When all flash data are encrypted then secure erasure consists of trashing the keys.

herman • September 16, 2017 8:33 AM

So, pretty soon, if you would arrive at a border post and have no self incriminating devices or data, then you will be incarcerated on suspicion of being a terrorist or criminal master mind and kept locked up indefinitely, until you admit to something they want you to admit to, so that you can at least get a judge to give you a time limited sentence for whatever it is that you didn't actually do...

Clive Robinson • September 16, 2017 9:12 AM

@ OldFish,

When all flash data are encrypted then secure erasure consists of trashing the keys.

That's supposed to be the way it works, but often it is not.

Even "trashing keys" can be difficult when the design / usability is not carefully thought out.

Then there is the issue of the "crypto mode" when using any random access storage medium. It's worse with Flash because it uses "rolling writes" for wear leveling etc. Thus if the mode in use is similar to a stream cipher, you could easily end up with a plaintext file encrypted as two time spaced files with only minor differences that can then leak information.

It's a hard problem to solve and you may end up playing against the best attackers.
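Added example (not part of the original comment and not modeled on any real flash controller): a toy simulation of the keystream reuse described in the comment above, where wear leveling leaves the old ciphertext of a rewritten block on the chip. The `ToyFlash` class, the SHA-256 counter-mode keystream and the two sample records are assumptions constructed for illustration.

```python
import hashlib

def keystream(key: bytes, tweak: bytes, n: int) -> bytes:
    """SHA-256 in counter mode, standing in for a real stream cipher (assumption)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + tweak + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ToyFlash:
    """Hypothetical wear-leveled store: a rewrite goes to a new physical page
    and the old page stays on the chip until garbage collection."""

    def __init__(self, key: bytes, nonce_per_write: bool):
        self.key = key
        self.nonce_per_write = nonce_per_write
        self.pages = []  # raw chip contents: (logical_block, nonce, ciphertext)

    def write(self, block: int, plaintext: bytes) -> None:
        # Weak mode: keystream depends only on key and logical block number.
        # Hardened mode: a write counter is mixed in, so no keystream repeats.
        nonce = len(self.pages) + 1 if self.nonce_per_write else 0
        tweak = block.to_bytes(4, "big") + nonce.to_bytes(4, "big")
        ct = xor(plaintext, keystream(self.key, tweak, len(plaintext)))
        self.pages.append((block, nonce, ct))

    def raw_copies(self, block: int) -> list:
        """All physical copies of one logical block, as a chip-level read sees them."""
        return [ct for b, _, ct in self.pages if b == block]

# Constructed sample data: two versions of the same 26-byte record.
V1 = b"PIN=4821;note=meet at noon"
V2 = b"PIN=4821;note=meet at nine"

def ciphertext_difference(nonce_per_write: bool) -> bytes:
    """XOR of the stale and live ciphertexts of block 7, computed without the key."""
    flash = ToyFlash(key=b"constructed-demo-key", nonce_per_write=nonce_per_write)
    flash.write(7, V1)
    flash.write(7, V2)  # wear leveling: V1's ciphertext is still on the chip
    stale, live = flash.raw_copies(7)
    return xor(stale, live)

def changed_offsets(diff: bytes) -> list:
    return [i for i, b in enumerate(diff) if b]

if __name__ == "__main__":
    weak = ciphertext_difference(nonce_per_write=False)
    print("weak mode, changed offsets:", changed_offsets(weak))
    print("weak mode, diff equals V1 xor V2:", weak == xor(V1, V2))
    print("hardened mode, diff equals V1 xor V2:",
          ciphertext_difference(nonce_per_write=True) == xor(V1, V2))
```

In the weak mode the keystream cancels out, so the difference of the two ciphertexts is exactly the difference of the two plaintexts; mixing a per-write value into the keystream removes that relationship.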

albert • September 16, 2017 10:29 AM

@Clive,
"...The second thing to consider is "do you ever use the USB port for data?" If the answer is "no" it's not that difficult to open the device up and with a soldering iron lift one of the series resistors on the data lines...."

Wouldn't the USB port be 'safer' than cloud storage?

Lifting the resistors will work, but is easily detectable. A skilled tech could probably replace the resistors with dummy ones. Also, what happens if the resistors are zero ohms? Does USB still work? They could easily be added outside the phone.

. .. . .. --- ....

MikeA • September 16, 2017 11:08 AM

Possibly related, I was recently told that the latest iTunes no longer lets you manage Apps on your computer and sync them to the iOS device. I assumed this is part of Frog Boiling to get users to eventually accept that they can only backup to iCloud. The advantage to Apple is huge, as even "purchased" Apps, _and_ all the data they produce, will then need to be effectively rented from Apple, in perpetuity.

So much for the dystopian view. But is there any security upside to this path (for consumers, the upside for Apple is obvious)?

Clive Robinson • September 16, 2017 1:09 PM

@ Albert,

Also, what happens if the resistors are zero ohms? Does USB still work?

If they are the "in series" resistors yes, their purpose is generally to be "sacrificial" in a protection circuit. That is it's easier to check and replace a burnt out series resistor than it is a BGA or quad flatpack IC.

The only way the Dumb Hick Slaves could get it to work would be to take the phone to a technician who would need to replace them.

Whilst it's not fool proof security it will indicate if they are serious about getting in your phone, rather than just "making motions" on the little people just because they or their bosses get their jollies that way.

Any way the DHS or US Customs are not my problem any longer. For medical reasons I'm no longer supposed to fly, and there is nothing in the US I'd want to spend the price and time on a ship to go and see any more.

albert • September 17, 2017 12:33 PM

@Clive,

I was hoping to 'have my cake and eat it too'. Of course the resistors could be replaced or simply jumpered out. Easier would be to fry the I/F IC. Only a very dedicated actor would want to replace ICs just for USB access.

Maybe one could reverse the data lines (like inside the connector) and use a special cable for personal access?

. .. . .. --- ....

Rachel • September 17, 2017 1:10 PM

@Albert

note that it is recommended never to plug a smart phone directly into a pc, whether for charging or data. Unless one wants their computer owned. Thus rendering Clive's advice quite helpful. And, removing usb data access to phone significantly reduces the phone attack surface generally
I am at a complete loss to comprehend why anyone wants to endorse Apple's exploitation by paying a small fortune for something that can be so easily lost, broken, stolen. i am just bewildered why anyone would willingly give apple money. just say no. have they made the world a better place?

Steve • September 18, 2017 4:24 PM

I power off my phone before I exit the plane. I turn it on again after I clear customs. TouchID is never an option, as a passcode is required on phone startup.

G33kp0w3r • September 19, 2017 12:43 AM

Is it not an option to wipe my phone as soon as I am questioned at the border? Then I don't mind they see "everything" on it, but would I be held or treated poorly? Even if I can't risk unlocking it I can have Siri tell my wife to wipe the phone, even after it's out of my hands with my watch. I would not be penalized for throwing away weapons at security. Could I be penalized for protecting my privacy?

Zero room for complacency • September 20, 2017 1:47 AM

If one checks the information the U.S. Customs and Border Protection provide, there are details on how they can detain devices which would be mailed to the address the owner provided.

☺ one poster advertising position for a spy agency showed a technician working with soldering irons!

Who? • September 20, 2017 4:42 AM

Apple is one of the corporations that collaborate with the NSA in the PRISM project. Period.

C U Anon • September 20, 2017 6:03 AM

@Zero room:

CBP provide, there are details on how they can detain devices which would be mailed to the address the owner provided.

Yus, just so it can get "lost in the post" as an excuse for their PPP and the fact somebody did not like the look of your face, the way you stood, that you can breathe without having your mouth gaping or they could not find juicy p0rn etc to pass onto their friends...

one poster advertising position for a spy agency showed a technician working with soldering irons!

Yeah well it might be "tech training" the question is of course about "fine motor skills" they exhibit. If they have them then the journeyman gets a desk job doing a bit of chip lifting. If not too good they get a field position using the soldering iron after a bit of shirt lifting for thermorectal interrogation. Or if those motor skills are really bad they have to put up with the "wrench" of the XKCD way.

a • September 30, 2017 9:56 PM

Except that's not how border interactions work. They don't ask you to enter your passcode on your own. They want you to give or draw your unlock code so that they can use it themselves.

PP • October 12, 2017 10:40 AM

Remember! In the US, the data belongs to the ones who store it. “Enjoy your stay”. Forget! “Ephemeral conversation” is a thing of the past.
