A reminder to iPhone owners cheering Apple’s latest privacy win: Just because Apple will no longer help police to turn your smartphone inside out doesn’t mean it can prevent them from vivisecting the device on their own.
On Wednesday evening Apple made news with a strongly worded statement about how it protects users’ data from government requests. And the page noted at least one serious change in that privacy stance: No longer will Apple aid law enforcement or intelligence agencies in cracking its users’ passcodes to access their email, photos, or other mobile data.
That’s a 180-degree flip from its previous offer to police, which demanded only that they provide the device to Apple with a warrant to have its secrets extracted.
In fact, Apple claims that the new scheme now makes Apple not only unwilling, but unable to open users’ locked phones for law enforcement. “Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access [your personal] data,” reads the new policy. “So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”
But as the media and privacy activists congratulated Apple on that new resistance to government snooping, iOS forensics expert Jonathan Zdziarski offered a word of caution for the millions of users clamoring to preorder the iPhone 6 and upgrade to iOS 8. In many cases, he points out, the police can still grab and offload sensitive data from your locked iPhone without Apple’s help, even in iOS 8. All they need, he says, is your powered-on phone and access to a computer you’ve previously used to move data onto and off of it.
“I am quite impressed, Mr. Cook! That took courage,” Zdziarski wrote in a blog post. “But it does not mean that your data is beyond law enforcement’s reach.”
Just after Apple’s announcement, Zdziarski confirmed with his own forensics software that he was still able to pull from a device running iOS 8 practically all of its third-party application data — that means sensitive content from Twitter, Facebook, Instagram, Web browsers, and more — as well as photos and video. The attack he used impersonates a trusted computer to which a user has previously connected the phone; it takes advantage of the same mechanisms that allow users to siphon data off a device with programs like iTunes and iPhoto without entering the gadget’s passcode.
“I can do it; I’m sure the guys in suits in the governments can do it,” says Zdziarski, who has trained law enforcement in iOS forensic techniques in the past. “And I’m sure that there are at least three or four commercial tools that can still do this, too.” Zdziarski said he has yet to test those commercial forensics tools to know which ones might still be capable of the data-siphoning trick, but he speculated that software from the firms Cellebrite and Oxygen were likely candidates.
The data siphoning trick has important limitations: It requires a “pairing record,” a unique key that can be found only on a computer with which the target device has shared data in the past. That means police, intelligence agents, or hackers hoping to use the technique would have to either plant malware on a user’s machine to access the pairing record or simply grab the target’s computer along with her mobile device. The targeted user would also have to have unlocked her iOS device since last turning it on — freshly restarted devices aren’t vulnerable to the attack, Zdziarski says. Even using the siphoning trick, aside from photos, none of the data that Zdziarski managed to retrieve contradicts Apple’s new promises of protection. He couldn’t access emails, call records, or other native iOS applications.
Still, he posits that the data-dumping method could be used by police who seize all of a suspect’s electronics from his home, or by airport security agents who grab the user’s phone and laptop and extract their data with commercial tools. To actually receive the benefit of iOS 8’s new resistance to law enforcement data dumps, he suggests users should encrypt their hard drives to protect their pairing record and power off their phone and PC before going through airport checkpoints.
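
To make the advice about protecting pairing records concrete, here is an added example (not from the article or from Zdziarski's tools) that inventories the pairing records stored in a directory on a computer and flags any that other local accounts can read. The one-plist-per-device layout and the key names `HostID`, `HostPrivateKey` and `EscrowBag` are assumptions about the record format that the article does not state; the directory is supplied by the caller and the sample records are constructed.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Secret fields of a pairing record (assumed key names, not given in the article).
SECRET_KEYS = ("HostPrivateKey", "EscrowBag")

def audit_pairing_records(lockdown_dir):
    """Return one finding per pairing record (<device id>.plist) in lockdown_dir."""
    findings = []
    for path in sorted(Path(lockdown_dir).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                record = plistlib.load(fh)
        except Exception as exc:  # unreadable or malformed: report it, keep going
            findings.append({"file": path.name, "error": type(exc).__name__})
            continue
        if not isinstance(record, dict) or "HostID" not in record:
            continue  # some other plist in the directory, not a pairing record
        mode = path.stat().st_mode & 0o777
        findings.append({
            "file": path.name,
            "device": path.stem,
            "secrets": [k for k in SECRET_KEYS if k in record],
            "mode": oct(mode),
            "readable_by_others": bool(mode & 0o044),
        })
    return findings

def build_sample_dir():
    """Constructed sample data: two fake pairing records and one unrelated plist."""
    root = Path(tempfile.mkdtemp(prefix="lockdown-sample-"))
    samples = {
        "SAMPLE-UDID-0001.plist": ({"HostID": "SAMPLE-HOST", "HostPrivateKey": b"x",
                                    "EscrowBag": b"y"}, 0o644),
        "SAMPLE-UDID-0002.plist": ({"HostID": "SAMPLE-HOST", "HostPrivateKey": b"x"}, 0o600),
        "SystemConfiguration.plist": ({"SystemBUID": "SAMPLE-BUID"}, 0o644),
    }
    for name, (content, mode) in samples.items():
        with open(root / name, "wb") as fh:
            plistlib.dump(content, fh)
        os.chmod(root / name, mode)
    return root

if __name__ == "__main__":
    for finding in audit_pairing_records(build_sample_dir()):
        print(finding)
```

Records for devices you no longer sync with that computer are candidates for deletion, and any record readable by other accounts deserves tighter permissions in addition to full-disk encryption.
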
Apple deserves credit for serious security improvements in iOS 8, Zdziarski says. He points to a talk he gave at the HOPE hacker conference in June about multiple vulnerabilities in the iPhone that allowed someone with physical access to offload its data. With iOS’s updates, Apple has quietly killed all of those techniques — except the ability to pull third-party data, photos, and video with a pairing record. He says Apple likely neglected to fix this last hole because it would have complicated iOS devices’ interactions with programs like iTunes and iPhoto.
“They’ve fixed so many different security holes, but this one is still there,” Zdziarski says.
Apple didn’t immediately respond to a request for comment on the remaining data vulnerability Zdziarski describes.
To be fair, Apple didn’t claim in its new privacy statement that its phone was impervious to law enforcement data extraction — only that the company wouldn’t unlock iPhones and iPads on the government’s behalf. And that’s already a far bolder stance than Google takes, willingly unlocking any device for law enforcement that uses its pattern-based unlock mechanism, says Chris Soghoian, principal technologist for the ACLU. He argues that Apple’s new focus on privacy has likely been driven by a year of pressure following the revelations of Edward Snowden, capped off by the embarrassing iCloud hack that revealed a trove of celebrities’ nude photos earlier this month.
“It seems clear that Apple is trying to compete on privacy and security … Android is looking worse and worse by comparison,” he says. “This is Apple’s way of saying they’re drawing a line in the sand.”
But Zdziarski warns that despite that strengthening line, Apple users shouldn’t become complacent.
“The biggest mistake consumers can ever make in this situation is to assume that the information on their device is completely safe from the police,” he says. “Even with iOS 8’s big improvements, assume the data on your mobile device could potentially be accessed, and act accordingly.”