
iOS 11.4 to Disable USB Port After 7 Days: What It Means for Mobile Forensics - Artemis2
https://blog.elcomsoft.com/2018/05/ios-11-4-to-disable-usb-port-after-7-days-what-it-means-for-mobile-forensics/
======
davidmr
I’m so unused to seeing a corporation act in the interests of their customers
explicitly counter to the wishes of law enforcement and the intelligence
community that I’m racking my brain trying to think of ulterior motives that
explain why Apple might have this.

Either way, on the surface, I’m quite pleased by this development.

~~~
jkestner
I think it's as simple as: Apple's business is determined much more by end
users than by government regulation. Unlike telecoms or increasingly,
Google/Facebook. And this is amplified by Apple deciding that, as the others
can't follow it, it's a good differentiator to invest in.

~~~
jimmy1
Don't they use Google Cloud for iCloud storage?

~~~
tinus_hn
They use multiple types of cloud storage; the data is encrypted and Google
isn’t processing it, just storing it.

~~~
Klonoar
A common misconception - parts of iCloud data are encrypted at rest, but a
good chunk of it is not. They've indicated they want to get there at various
points in the past, but unless I've missed an update it's not there currently.

~~~
conradev
The files are still encrypted at rest (using convergent encryption) to obscure
their contents from the underlying storage service, but Apple holds the keys:

> Each file is broken into chunks and encrypted by iCloud using AES-128 and a
> key derived from each chunk’s contents that utilizes SHA-256. The keys and
> the file’s metadata are stored by Apple in the user’s iCloud account. The
> encrypted chunks of the file are stored, without any user-identifying
> information, using third-party storage services, such as S3 and Google Cloud
> Platform.

[https://www.apple.com/business/docs/iOS_Security_Guide.pdf](https://www.apple.com/business/docs/iOS_Security_Guide.pdf)
(page 56)

~~~
yborg
>Apple holds the keys

Unless you live in China, in which case Apple _and_ the Chinese government
hold the keys.

~~~
threeseed
We don't know this to be the case.

Unless you have some evidence to the contrary?

~~~
simonh
The Chinese government made Apple hand over control of iCloud infrastructure in
China to a Chinese company. So those encryption keys stored in iCloud are now
in the hands of a Chinese company subject to Chinese government control.

Not exactly an ideal arrangement, but it was likely that or switch off iCloud
in China, or pull out of China completely. Which to be fair Google actually
did.

~~~
threeseed
Again. There is no evidence that has been presented to date that indicates
that hardware keys were given to the Chinese government.

We suspect it may have happened. But nobody actually knows.

------
cromwellian
This seems like it’ll just make police departments go to a judge more often
alleging probable cause immediately, and judges might be more inclined to
grant given the time pressure, thus paradoxically it might end up with more
phones being opportunistically subject to warrants by the police as the
justice system would be given less time for due consideration. A “ticking
bomb” tends to produce anti civil liberty behavior on the authorities.

they should have a setting to disable it almost immediately.

I almost never use the data connection on my iPhone usb except for headphones,
yet another downside of losing the audio jack :)

~~~
jrowley
If you're really concerned about people exfiltrating data off your phone via
usb, fill the lightning port with epoxy and just use wireless charging and
bluetooth headphones.

~~~
ScottBev
A determined individual can remove epoxy without damaging the electronics.

~~~
omribahumi
Apple should allow to do this in software. Make the lockdown mentioned in the
link happen immediately when USB is disconnected, forcing you to retype the
PIN every time.

Could be a cool feature for the privacy concerned crowd.

~~~
bscphil
Unless I'm mistaken, this is the way that Android already works. If you plug
in a locked phone, you must unlock it to get any USB data connection to the
phone. When a phone with a data connection is unplugged, the permissions
immediately reset and you have to unlock the phone again to restart a data
connection.

Not only that, on my Nexus 5x, I have to manually switch from charging mode to
data transfer mode every time (the setting doesn't stick).

Unless I've misunderstood the significance of this change, Android actually
provides much more security since you can't download files off a locked phone,
not even within 7 days.

~~~
furky
Yes, the iPhone is the same. You get a ‘Trust this computer?’ prompt which
forces you to unlock the phone first.

The trouble is, this is still a data path that has been opened via USB. This
new change disables the data path altogether and just allows charging via the
USB power pins only - like it's a USB battery or USB fan, simply power and
nothing else. Which is pretty neat.

~~~
chipperyman573
Why doesn't the iPhone disable the data transfer pins until unlocked?

~~~
tscs37
Probably because for any decent charging speed (beyond 500mA) you need to talk
to the other side. At least per standard.

~~~
chipperyman573
How does Android work around this?

~~~
tscs37
It communicates power needs but nothing else until the user unlocks the phone
and enables data transfer.

------
jrowley
Google's Cached version if you're having issues accessing it:

[http://webcache.googleusercontent.com/search?q=cache:https:/...](http://webcache.googleusercontent.com/search?q=cache:https://blog.elcomsoft.com/2018/05/ios-11-4-to-disable-usb-port-after-7-days-what-it-means-for-mobile-forensics/)

~~~
mediocrejoker
Is it just me or is the google cache link timing out as well?

~~~
reaperducer
Click "text-only version" in the Google cache header.

------
Zenst
One test I would carry out and well within the remit of geeks and enforcement
- would be a femtocell/base station with a time update (which mobiles accept
blindly if you let them). Forever keep connected devices in a Groundhog day.

That would certainly be the go to test for many I suspect, a tried and tested
hack from days of old, brought into modern times.

~~~
Operyl
They could just as easily use time since boot, which is usually a separate
counter.

~~~
tinus_hn
They could do a lot of things. The question is if they do.

------
parliament32
A step in the right direction, but I'd like to see this interval reduced (12
hours? 1 hour?) or brought down completely (I should have the option to
require an unlock before any connection is established). There's no reasonable
use case where I would want to make a connection while not wanting to unlock
the phone.

~~~
woodrowbarlow
the quote from apple specifically mentions USB _accessories_. i would guess
they have things like headphones in mind, and it's reasonable to expect that
if i have music playing with the screen locked and i connect a pair of
headphones, the playback would switch to the headphones.

7 days still seems much higher than necessary.

~~~
dvcrn
As someone who only uses wireless accessories (including a wireless charger),
I’d love to be able to configure this interval or require it immediately.

------
Ajedi32
How is this different from how Android works, where you have to unlock your
phone and explicitly tell it to connect every time you want to use a USB
connection for anything other than charging?

~~~
xnyanta
The Apple driver creates some sort of cryptographic keypair between the device
and the computer to "remember" that you accepted the connection and not prompt
you to connect in the future.

If this file was recovered from a victim's computer, forensic software can sue
it to bypass the prompt. According to the article, however there is now also a
7-day expiration on these cryptographic keypairs.

~~~
colejohnson66
> If this file was recovered from a victim's computer, forensic software can
> sue it to bypass the prompt.

That typo gave me a good laugh

------
donkeyd
Blog seems to be hugged to death, so I might be uninformed.

What exactly happens after the 7 days? My girlfriend's iPad got blocked on
vacation (bluetooth keyboard in a bag causing random inputs). To get it fixed,
we needed to connect to a computer. Would this mean that if you don't get to a
computer within 7 days it would be essentially be bricked?

~~~
symmitchry
If the device is not unlocked for 7 days, the USB port stops working (for
anything but charging.) It won't brick the device, which can still be unlocked
any time, it just prevents someone from taking more than 7 days to hack open
your phone, via the USB.

edit: so in your case, perhaps yes, you would have been hooped.

~~~
freehunter
I would assume DFU mode would still work to reinstall the OS.

------
sdtransier
Maybe I missed this in the article, but does anyone know if this feature can
be turned off? Or if it's enabled by default?

What happens in the scenario of a consumer having an old iOS device sitting
around, they forget the passcode, but now can't reset it using iTunes?

~~~
pilif
As far as I understand, there's still the hardware key combination to put the
device into DFU mode. In that mode it can still be connected to and a new
firmware can be written, but no access to the data is possible.

So in order to un-brick an old device sitting around, you put it into DFU mode
(the key combination varies from device to device) and restore it that way.

Of course you don't ever get your data back, but that's totally the expected
behaviour.

~~~
Matt3o12_
Do you have any source for that information? I am very interested in that as
well but couldn't find any information regarding that so far.

I have always thought (though without any source) that they re-flashed the
iPhone by putting it into the DFU mode (and tricking the iPhone bootloader
into accepting their key) and then just brute force the key.

~~~
ghostly_s
There is no scenario which allows re-flashing a device from DFU while
retaining user data. This only appears to work in typical user scenarios
because iCloud or iTunes creates a backup from the unencrypted device as a
first step before flashing it.

------
Havoc
Glad to see Apple is at least trying to protect their users.

~~~
e12e
Sounds like they just patched a glaring security hole, late in the game? I'm
not even sure how useful the "7 days" thing is - it's certainly better than
leaving "permanent" keys on various "once trusted" computers.

But still leaves the window wide open to sneak-and-peek to mirror the drive of
a matchbook left in a hotel room, and then later acquire the phone.

So better than keeping the old behaviour which was obviously broken, I guess?

~~~
acdha
> But still leaves the window wide open to sneak-and-peek to mirror the drive
> of a matchbook left in a hotel room, and then later acquire the phone.

MacBooks have full disk encryption so you’d have to break that, too, but since
we’re talking movie plots rather than real-world risks for most people take a
moment to think about what else they could do with physical access: install a
camera to record passwords, drug your water glass, or simply have someone
demand you unlock it or else. If you’re Jason Bourne you need more than a
consumer OS gives you out of the box.

~~~
e12e
A disgruntled spouse swiping your phone and running up to a awarded hotel room
to hook it up to a trusted macbook protected by your secret "1234" password
isn't exactly Jason Bourne territory. I suppose they might know your phone
passcode as well - all I'm saying is that a phone in general use will have
been unlocked the past few days, and is likely in proximity to a trusted
device.

Now, we don't know how the greylock stuff works (afaik) - so maybe this will
harden phones against imaging with such tools. And maybe not.

I actually have a hard time seeing how this is: "aimed squarely at police". If
you're picked up at a demonstration or traffic stop - is it really that common
that they won't get to your phone in 7 days? They're only allowed to hold you
for 48 hours or so anyway?

Don't get me wrong 7 is better than forever - but I'd like to see it made
available as a user setting; eg never / 30 seconds etc.

As for this not being available on Android; my impression was that given an
encrypted, locked, Android phone with pin/pw lock and debugging disabled -
you'd need to unlock before being able to access phone data via USB?

Now if debugging is activated, I believe a "trusted computer" (anyone who
holds the keys) can gain access even if the screen is locked?

~~~
acdha
> A disgruntled spouse swiping your phone and running up to a awarded hotel
> room to hook it up to a trusted macbook protected by your secret "1234"
> password isn't exactly Jason Bourne territory.

Think about that from the perspective of a security threat model: what are the
odds that your disgruntled spouse has access to your computer and knows your
laptop password, but doesn't know your phone password? This is an extremely
hard problem to solve since they have all kinds of sensitive information and
access.

> I actually have a hard time seeing how this is: "aimed squarely at police".
> If you're picked up at a demonstration or traffic stop - is it really that
> common that they won't get to your phone in 7 days? They're only allowed to
> hold you for 48 hours or so anyway?

What they're allowed to do and what they actually do are not necessarily the
same. This prevents the case where, say, they've seized phones but haven't
legally compelled the users to unlock them since it means that if an exploit
is discovered in the future it won't be usable against any devices which were
stolen/seized more than a week earlier.

It would also make it hard to do something like seize a bunch of protesters
phones and then attempt to obtain the keys from each person's trusted home
computer which would take more time to do at any significant scale.

It's not a huge game changer but it adds a layer of hardening against certain
attacks. Given the limited downside, that seems like a good thing.

~~~
e12e
> Think about that from the perspective of a security threat model: what are
> the odds that your disgruntled spouse has access to your computer and knows
> your laptop password, but doesn't know your phone password?

Well, you might not have a password for your desktop - but might have a pin
for your phone.

Or maybe it isn't your spouse, but your kid; they might share the computer -
but not access to the phone?

<ed: i don't really disagree, but I also struggle with the 7 days (and not
quite in the "perfect is the enemy of good"-sense: >

Either way, I'm not sure I understand how 7 days make sense (seems too long,
still).

Seems like either it should be ~14 hours to a day (sync at home every evening)
- or it should be: phone has to be unlocked.

------
csense
The obvious flaw in a time-based lockout is that it needs a trusted
measurement of the current time.

If law enforcement wants to bypass this, the obvious approach would be to just
remove the battery (to remove power from any internal RTC chip) and put the
device in a Faraday cage (to block external time signals like GPS and the cell
network). Then the shutdown clock would literally stop ticking until they turn
it on again.

~~~
OskarS
Security isn't all or nothing. If something isn't "perfect", that doesn't mean
it's useless. What you just described is a shit-ton of work, which most
attackers will not be willing to do (how many police departments have Faraday
cages lying around?).

~~~
DINKDINK
>how many police departments have Faraday cages lying around?

Police departments use Faraday bags to isolate the communications of a device
once they take it into custody. I assume they do this to prevent RemoteWipe()
commands from running from external entities to preserve evidence.

------
tbyehl
Why 7 days? I'd like a feature to never allow any USB communication until I've
unlocked my phone, and then to allow it only for as long as they remain
continuously connected.

Or to activate this feature with 'Emergency Mode' (5 power button presses).

~~~
CodeWriter23
They can't because they deleted the headphone jack. Your earbuds would not
function if Lightning was defaulted to off.

~~~
Rjevski
Not really. They could allow accessory protocols while disabling everything
else. The only sensitive thing we care about is "usbmuxd" or whatever the
protocol for iOS sync & backup is.

~~~
Dylan16807
That's not true, there's the large attack surface of those other protocols to
worry about too.

------
MaikuMori
Can someone explain how it is better than android? When I plug in my android,
only charging works. I need to unlock the phone and enable data to make the
data connection work. There is never trust this computer prompt. I have to do
this always, even when due to bad wire the connection is lost for a split
second.

Some people mentioned that android never shipped this feature and that Apple
is first, but it seems to me that android never had this problem in the first
place.

------
51Cards
There are Kiosk uses of iPads where this could be an issue. Often those
devices are mounted 24/7 inside a secure housing and left on but communicate
with external devices. Now someone will have to reset them once a week.

Edit: thanks for the clarification below. I had the implementation wrong in my
head. And yes, I realize this is a fairly edge use case, just one that affects
my industry.

~~~
djrogers
If they're left on, they should be fine - it's when the device is locked and
idle for 7 days that the port is shut down. Also, I'm not familiar with any
Kiosk type implementations that use lightning for data xfer except POS
devices, and those would obviously be unlocked whenever they are in use - so
again, no issue.

------
ape4
The time deadline might have some unintended consequences. Maybe law
enforcement will proactively image people's phones early knowing it will be
harder later. eg you are stopped at the airport. A judge may give quick
search warrants since it's "now or never".

------
kiddico
I'm really not a fan of the hardware design choices of apple devices recently,
but the focus on security/privacy might pull me back in.

------
paulsutter
I wish I could just disable the data connection permanently

> Restricted USB Mode requires an iPhone running 11.3 to be unlocked at least
> once every 7 days. Otherwise, the Lightning port will lock down to charge
> only mode. The iPhone or iPad will still charge, but it will no longer
> attempt to establish a data connection. Even the “Trust this computer?”
> prompt will not be displayed once the device is connected to the computer

------
k_sze
I wonder how iOS keeps track of the 7 days in question.

For an iOS device still connected to the internet or to a mobile phone
network, I presume it will periodically make an NTP request or get the
date/time from the mobile phone carrier, to adjust its clock. What if those
requests are MITM'ed?

~~~
lathiat
Though that's kind of a good question, GENERALLY speaking you should use
"monotonic" timers for this sort of thing which don't have that problem.
They're based on a system time which doesn't change.

Of course, that's no guarantee.. this is done wrong in a lot of places all the
time. But I would expect Apple to get this sort of basic thing right in their
security code. Hopefully :)

------
vbezhenar
Is it known how those greykey devices even work? AFAIK iOS blocks many
consecutive attempts to enter pin, so brute force would take too much time. It
seems that greykey device can bypass this restriction using USB. Why Apple
didn't just patch this vulnerability instead of disabling USB?

~~~
pageandrew
To patch the vulnerability, they need to be aware of the vulnerability. An
individual who possessed such a vulnerability would likely be more inclined to
go into business for themselves (such as the hackers that helped the FBI crack
the San Bernardino iPhone, or the Israeli firm Cellebrite) than hand it over to
Apple for a one time fee. Although I imagine that Apple would probably pay
pretty well for it.

IIRC these sort of vulnerabilities don't totally bypass the phone's lock
mechanism, but rather disable the pin code attempt delay and allow
bruteforcing of the pin code via software.

~~~
45h34jh53k4j
One time fee? Apple don't pay for such things. Possibly why there is a black
market for iOS exploits.

~~~
chrisfinazzo
The bounty security program (announced at BlackHat 2016) was created to deal
with these kinds of scenarios. They will pay depending on the severity of the
bug and the affected subsystem.

Of course, now that this mechanism exists, I'm just waiting for Apple to sue
GreyKey and Cellebrite out of existence, confiscate all the devices, and
charge the founders with aiding industrial espionage or overreach related to
pursuing terrorism.

(I'd also like to see the same thing happen with the NRA, but alas that
doesn't seem to be in the cards for the current circus in Washington)

The difference between more legit researchers and these guys is that they will
work with anybody as long as they cut a check. Real R&D has more scruples than
to do that.

~~~
MichaelGG
As much as I dislike this Israeli firm how have they done anything illegal?
Hacking a device in your physical possession should not be illegal. Your
comment about the NRA makes me think you're just being hyperbolic here?

~~~
dogma1138
Cellebrite is actually the better of those out there, while they do sell their
data acquisition terminals to LEO in bulk their "unlock services" are done in
person by their staff with a court order for each case (including multiple
court orders in some jurisdiction when different datasets on the phone are
protected separately by law).

~~~
chrisfinazzo
It makes me extremely nervous to see that a third party can even create this
capability. If I had a say, I would just tell these guys this level of access
to low level code just isn't possible for third parties.

As odd as it might be, I trust Apple more because they don't want my data and
aren't enabling methods for other people to acquire it.

On some level, this back and forth on encryption is an endless cat and mouse
charade, but the fundamental assumption behind cryptographic security is
absolute.

"You can't outlaw math"

~~~
MichaelGG
What are you talking about? You want to make it so that a company like Apple
can just draw arbitrary bounds and say "no messing around beyond this point"
and have that be internationally, legally, enforced?

We got that with the DMCA and DRM modules, phone unlocking, and console
rooting.

~~~
chrisfinazzo
Companies can write nigh-any clause into their EULA or T&C and people
generally have little recourse. There still seems to be enough wiggle room
legally because they control the platform. Some places (think EU) fight this,
but I don't think it's in any way settled at this point.

They've done this in the past in subtle ways - cautioning developers about
using private API, which they reserve the right to change at any time, thus
breaking applications. For a practical example, Google "Apple kext signing
certificate". It's not simply a matter of paying $99 and off you go, the
barrier to entry is higher.

There have also been not-so-subtle warnings - see Charlie Miller's blacklisting
- that even a proof of concept for a bug is not allowed because it could get
out in the open and cause widespread damage.

> We got that with the DMCA and DRM modules, phone unlocking, and console
> rooting.

Record labels had little choice and needed to ditch these restrictions in
order to have a viable business. TV studios, cellular providers, and console
makers fight to this day to preserve these limits as a means of competitive
differentiation.

I'm not saying I agree with it, but that is still largely the reality we have
to deal with.

------
exabrial
I fear this is really only going to have the reverse effect, instead of
carefully examining whether or not 4th Amendment protections apply, "Out of an
abundance of caution", courts will immediately seize and decrypt your phone.

Not to nitpick, but I wish these things were opt-in. For instance, I don't
really care if I've restarted my mac and have to use my password again to log
in, I'd rather use my fingerprint. I just need to prevent casual attackers,
there is _literally nothing_ on here that needs to be protected with fort-knox
level security.

------
blueseaadmin
Two ideas:

What about paired hardware? Imagine buying an iPhone and pairing it with your
charger and they share keys. Any other charger used would immediately wipe the
phone. There could be settings to tweak this.

what about wiping the phone if it has not been logged into a certain amount of
time with a certain password (not normal PIN)?

The current crop of phone busters completely bypasses the 10 wrong pin and
wipe option. The idea is to immediately wipe the phone without using Find my
iPhone (defeated with airplane mode).

~~~
icebraining
_What about paired hardware? Imagine buying an iPhone and pairing it with your
charger and they share keys. Any other charger used would immediately wipe the
phone. There could be settings to tweak this._

Open the phone, plug charger directly to battery.

~~~
blueseaadmin
Disable that function.

~~~
icebraining
What function? I'm talking about physically opening the hardware and sticking
two cables to the battery connections.

------
plussed_reader
Can I still kick the device into recovery mode with a cable after 7 days with
this mode? Or would I have to unlock the device to re-enable recovery mode?

~~~
Operyl
DFU mode is a key combo on the device, so yes, you’d be fine.

------
jld
Say a user drops their phone in a desk drawer and goes on an 8 day hiking
trip.

He/she comes back and can't remember their passcode. Is the phone now a brick?

~~~
KallDrexx
I would imagine that "disable USB port" doesn't mean it completely disables
the power lanes, only stops responding on the data lanes. So when you come
back from your 8 day trip you charge your phone, log in, and theoretically ios
would re-enable the USB port once successfully logged in.

~~~
PuffinBlue
Not sure why you're being downvoted, you're correct and it's stated in the
article that if you unlock with a passcode after 7 days the USB port begins to
respond again.

Apple isn't going to design a feature that bricks a device after 7 days. It's
really simple:

1) No unlock for 7 days = USB turned off.

2) Unlock phone any time after 7 days (let's imagine unlocking at 12 days) and
USB turns on.

3) Charging remains active at all times.

Simple.

~~~
TheForumTroll
>He/she comes back and can't remember their passcode.

>2) Unlock phone any time after 7 days

?!?

------
nneonneo
To me, it feels like Apple is trying to figure out how GreyKey and Cellebrite
are getting in - and patching every vector they can think of in the meantime.
I suspect that if law enforcement agencies are suddenly told they have to
unlock new Apple devices within 7 days of acquisition, Apple will find out and
can infer that the exploits have (e.g.) something to do with USB accessory
access.

------
mdeslaur
Can a device still be wiped when this happens? I'm wondering how to recycle or
recover locked devices if the USB port is disabled...

~~~
wstuartcl
The assumption is that the correct passcode will remove the usb shutoff. If
you fail to enter the passcode in the required amount of times, you get a
wipe. Many of the law enforcement ways to access these devices rely on the USB
port being active to root the phone or reset it in a way that allows
faster/more passcode attempts (or by simply letting it sit on a shelf for
months or years until a known exploit allows access via usb).

------
post_break
Will this cause warrants to be rushed through and much more often? Just to get
the phone unlocked in case something is in there, even if there may be no
burden of proof. Better to overnight it to a facility with a tool to unlock it
and sign off on a quick warrant.

------
dwighttk
Why seven days? How about 24 hours? Or even better if the device is locked I
have to unlock it to use the port for anything besides charging (and it can
then lock on its usual schedule)

------
kevin_b_er
This doesn't quite sound as amazing as a first look, because this is not a
full "data connectivity" kill. Data connectivity is always required whenever
people use headphones due to headphone jack removal.

~~~
mediocrejoker
How do we know this feature doesn't also disable the headphones-over-usb if
the phone hasn't been unlocked in a week? I don't think that would be a
problem for most users either.

~~~
floatingatoll
You can install iOS 11.4 beta and find out one way or the other; it doesn’t
seem like anyone has done so yet, and since no one thought to do so before
today’s post, no one will know for 7 days assuming they start today.

------
rad_gruchalski
403 Forbidden in Germany.

~~~
CodeWriter23
[https://webcache.googleusercontent.com/search?q=cache:NNgpuV...](https://webcache.googleusercontent.com/search?q=cache:NNgpuVhqeM8J:https://blog.elcomsoft.com/2018/05/ios-11-4-to-disable-usb-port-after-7-days-what-it-means-for-mobile-forensics/+&cd=1&hl=en&ct=clnk&gl=us)

------
jiveturkey
i suspect this will be a net negative. now that law enforcement has a time
limit, graybox sales will flourish, and law enforcement will access your phone
ASAP before collecting other evidence. then the phone evidence itself will
give them the clues they want and they’ll get the warrant after the fact. or
the court may even be complicit and issue a warrant without enough supporting
evidence due to the risk of evidence destruction.

------
x0054
Why 7 days though. It should disable within 2 hours at most, and users
should have the option to disable USB whenever the phone is locked.
should have the option to disable USB when ever the phone is locked.

------
gaius
Why 7 days? 24 hours should be enough - who connects devices but doesn’t
unlock in that time? Can’t think of a scenario for that.

------
nottorp
Like everyone else, I'm curious how you recover your forgotten pass code after
7 days.

Also, what happens if you don't use a passcode?

~~~
saagarjha
> I'm curious how you recover your forgotten pass code after 7 days

You don't. If you've lost your passcode, you can't get it back.

------
linarism
Is there any security reason someone would purchase a security-focused Android
phone (Blackphone, Blackberry) over an iPhone?

~~~
devcpp
Hardened kernel (e.g. CopperheadOS), custom open-source ROM to disable all
telemetry and audit the code (among others), FOSS APK provider (f-droid),
disabling online tracking (AdAway, AFWall), full filesystem access. iPhone
hardly has any of this.

Note that this is true of any bootloader-unlocked Android phone, not just
security-focused ones.

~~~
tpush
Very telling that this is downvoted.

~~~
rphlx
In general HN has a strong bias toward Apple over Android RE: security. Many
of the points are entirely valid, but it's also true that some important
advantages on the Android side (such as those listed above) are often
understated or overlooked here.

For me, a closed-source OS is a dealbreaker on its own, regardless of any
other major HW or SW advantages.

------
qntty
Why not 7 hours or 7 minutes or immediately?

~~~
ovao
Well, why not 7 days?

~~~
qntty
The advantage of a smaller time period is obvious: if 7 days is secure, then 7
hours is more secure.

But presumably there's a good reason they chose that number, I'm just
wondering why that might be.

~~~
jonknee
It seems a reasonable default, but would be nice if there was a custom setting
for a shorter time frame.

------
jlebrech
I'm pretty sure they can just remove the chip and dump the contents.

------
sli
Kind of amazing seeing this story right next to the Google Duplex story.

------
Animats
Why should it even be enabled if you're not logged on?

------
eulers__number
This is why I will never use Google Pixel, though I will still be forced to use
Gmail, Search, and YouTube because of their conveniences. Hopefully in the
future something new will come out that has a mathematical, open-source,
decentralized form of censorship-proof algorithms.

------
billabul
if the device time is synced from elsewhere maybe one could spoof a ntpd
server and provide a time in the past?

~~~
adrianmonk
And/or spoof a cell tower.

If they are careful with their implementation, they could protect against it.
The naive way is to store the time of last unlock and simply compare that
against the current time, but there are other ways:

(1) Once 7 days elapses, set a flag that can only be cleared by unlocking the
device, and check that flag in addition to the time.

(2) If there is an internal hardware clock that isn't synced to real time,
just count relative to that clock. You don't need to know absolute time to
check how long it has been since last unlock.

~~~
acdha
> (2) If there is an internal hardware clock that isn't synced to real time,
> just count relative to that clock.

This is known as a monotonic clock and it's been built into most hardware for
exactly this reason. Mach, Linux, etc. have encouraged its use for anything
where things like leap seconds or time changes aren't desirable.

~~~
adrianmonk
Minor point of clarification, but I meant something slightly different than a
monotonic clock, hence why I said hardware clock.

For the approach I described, a clock would need to keep ticking while the
system is powered off or in various power-saving modes. And it shouldn't get
reset at boot time. Not all monotonic clocks have both these properties.
(Obviously iPhone isn't Linux, but one example is that Linux's CLOCK_MONOTONIC
seems to lack both properties, and its CLOCK_BOOTTIME seems to lack the second
one.)

Though if you have a clock that resets at boot, you can work around that by
disabling USB data on bootup and not enabling it until first unlock.
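
The clock-rollback worry raised by billabul, the two countermeasures adrianmonk describes (a sticky flag that only an unlock clears, and counting elapsed time on a counter that ignores wall-clock changes, with USB data held off from boot until the first unlock), and wstuartcl's "reset the network time every 6 days" scenario further down the thread can be checked against each other in a small simulation. The Python below is an added example written for this page; it is not Apple's code and not from the linked article, and how iOS actually implements the timer is not known here. The device model (a wall clock that network time can set, next to a hardware counter that software never sets and that keeps running while powered off), the class names and the 7-day constant are assumptions for illustration.

```python
"""Simulation of a "disable USB data N days after the last unlock" policy.

Added example for this thread, not Apple's code and not from the linked
article. It models the clock-rollback attack (spoofed NTP / cell-tower time)
against a naive timestamp comparison and against the hardened design from the
thread. All names and the device model are assumptions for illustration.
"""
from dataclasses import dataclass

DAY = 24 * 3600
LOCKOUT_SECONDS = 7 * DAY  # the 7 days discussed in the thread


@dataclass
class SimulatedDevice:
    """Constructed device model: a wall clock that network time can set, and
    a hardware counter that software never sets and that keeps running while
    the device is powered off (assumption: the SoC provides such a counter)."""
    wall_clock: float = 1_500_000_000.0
    hw_counter: float = 0.0

    def advance(self, seconds: float) -> None:
        """Real time passes; both clocks move, powered on or off."""
        self.wall_clock += seconds
        self.hw_counter += seconds

    def set_wall_clock(self, new_time: float) -> None:
        """Network time update, which an attacker can spoof."""
        self.wall_clock = new_time


class NaivePolicy:
    """Stores the wall-clock time of the last unlock and compares it with the
    current wall-clock time. Rolling the wall clock back reopens the port."""

    def __init__(self, dev: SimulatedDevice) -> None:
        self.dev = dev
        self.last_unlock = dev.wall_clock

    def on_unlock(self) -> None:
        self.last_unlock = self.dev.wall_clock

    def on_boot(self) -> None:
        pass  # trusts the stored timestamp and the wall clock after a reboot

    def usb_data_allowed(self) -> bool:
        return self.dev.wall_clock - self.last_unlock < LOCKOUT_SECONDS


class HardenedPolicy:
    """Measures elapsed time on the hardware counter, latches a sticky
    'locked' flag once the window expires, and keeps USB data off from boot
    until the first unlock (the workaround for counters that reset at boot)."""

    def __init__(self, dev: SimulatedDevice) -> None:
        self.dev = dev
        self.last_unlock = dev.hw_counter
        self.locked = True  # data off until the first unlock after power-on

    def on_unlock(self) -> None:
        self.last_unlock = self.dev.hw_counter
        self.locked = False  # the only way to clear the flag

    def on_boot(self) -> None:
        self.locked = True

    def usb_data_allowed(self) -> bool:
        if self.dev.hw_counter - self.last_unlock >= LOCKOUT_SECONDS:
            self.locked = True  # latch; later clock changes cannot unlatch it
        return not self.locked


def seizure_scenario(policy_cls, days_held=30, spoof_clock=True, reboot=False):
    """Return True if USB data is still enabled after `days_held` days.

    Constructed scenario (wstuartcl's): the device was unlocked just before
    collection; every 6 days the examiner optionally reboots it and feeds it
    network time equal to the collection time."""
    dev = SimulatedDevice()
    policy = policy_cls(dev)
    policy.on_unlock()
    collection_time = dev.wall_clock
    for _ in range(days_held // 6):
        dev.advance(6 * DAY)
        if reboot:
            policy.on_boot()
        if spoof_clock:
            dev.set_wall_clock(collection_time)
    return policy.usb_data_allowed()


def normal_use(policy_cls, days=30):
    """Owner unlocks once a day for `days` days; data must stay enabled."""
    dev = SimulatedDevice()
    policy = policy_cls(dev)
    policy.on_unlock()
    for _ in range(days):
        dev.advance(DAY)
        policy.on_unlock()
    return policy.usb_data_allowed()


if __name__ == "__main__":
    for cls in (NaivePolicy, HardenedPolicy):
        print(cls.__name__,
              "rollback:", seizure_scenario(cls),
              "rollback+reboot:", seizure_scenario(cls, reboot=True),
              "no spoofing:", seizure_scenario(cls, spoof_clock=False),
              "normal use:", normal_use(cls))
```

Run as a script, the naive policy reports USB data still enabled after 30 days of clock rollback (with or without reboots), while the hardened policy locks in every seizure scenario yet never locks a device whose owner unlocks it daily. The `usb_data_allowed` check in the hardened policy is where the latch lives: the flag is set as soon as the hardware counter crosses the window, and nothing but a genuine unlock clears it, so a later clock change (or a counter reset at boot, which `on_boot` handles by locking) cannot reopen the port.
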

~~~
acdha
On Linux, I believe what you’re looking for is CLOCK_MONOTONIC_RAW but that’ll
also depend on your particular hardware and its security.

On iOS, I’m not sure it matters for the reason you mentioned: at least on my
devices I don’t see hotplug events until the device has been unlocked once.

------
gruez
How is this relevant when law enforcement can buy a $15k device that unlocks
the phone?

~~~
KenanSulayman
Because "GrayKey" is using USB which won't work if USB is ... turned off.

------
atonse
Does this mean that companies will now try to exploit the USB/Lightning driver
to gain access?

The cat and mouse game continues.

~~~
xnyanta
I don't think there would really be anything to exploit because it sounds like
the data lines in the actual USB connection are turned off and only the power
lines remain enabled to allow for charging.

~~~
atonse
But they're still disabled at a software level.

~~~
bialpio
But how will you influence that said software if there's no way for you to
talk to the device? This closes one exploitable avenue after 7 days - now
attackers need to find something else.

------
samfisher83
You could just pull the flash chip and image it. You would need to figure out
how to get the key, but pulling the flash chip and reading it doesn't look too
hard if you can use a heat gun. If you lived in Shenzhen you could go to the
market and buy a flash reader.

Strange Parts is a YouTube channel where the guy does this.

[https://www.youtube.com/watch?v=rHP-OPXK2ig](https://www.youtube.com/watch?v=rHP-OPXK2ig)

~~~
stefan_
The PIN or any other user secret can't decrypt the contents of the flash chip.
So turning the device off and removing the flash just makes it infinitely more
difficult.

~~~
samfisher83
Why would it make it any more difficult? You can just put the chip back in
place after you are done.

~~~
bialpio
I guess because now you have no way of exploiting any bugs that might've been
exploitable. Within 7 days the phone will still try to talk to others
connected to its port, after 7 days it'll just charge. I assume that "power
off" will also disable data over the port until the phone gets unlocked?

------
wstuartcl
...

Every 6 days from point of collection: place phone in caged room. Turn on your
cell phone network interceptor device. Set the interceptor's network time to
the device collection time. Boot phone, wait for it to update network time
from the cell interceptor.

...

So many edge cases/ways to defeat this that need to be handled.

~~~
kstrauser
Type "uptime" on your computer. Change the date. Run "uptime" again and note
that it is the appropriate amount of time longer than the first report, even
though the date is different.

It's not always useful to assume that engineers will miss even the most
obvious workarounds.

------
john37386
I would like to read this article but the website doesn't load. I guess it's
not optimized for the HN front page.

May I suggest load-testing your website or article before posting it?

[https://ddostest.me/load-test/](https://ddostest.me/load-test/)

