Checklist 215: Seriously Locking Down Your iPhone
This week on the Checklist, we’ll take a look at how you can improve iOS data protection, and we’ll follow up on the macOS Big Sur firewall issue that we discussed a few weeks ago.
Protected iOS data vs “protected” iOS data
When was the last time you totally powered down your iPhone? Whenever that was, that was the last time your data was 100% secure, according to a new study done at Johns Hopkins University.
If you protect your iOS device with a strong passcode, Face ID, or Touch ID, you’re definitely safe from garden-variety hackers and cybercriminals. And when your iPhone has been completely shut down, all of your data is kept in a state known as “Complete Protection”, which means that you need to unlock your device before that data is going to be readable to anyone else (even people with advanced forensic tools).
But the researchers found something troubling: After that first unlock, your iPhone data is stored in a different mode, known as “Protected Until First User Authentication” or “After First Unlock”. And in this state, although your data is still encrypted, the encryption keys needed to unscramble it are stored in your device’s quick access memory. This means that sophisticated attackers may be able to exploit iOS vulnerabilities to access the encryption keys. If that happens, they will then be able to pull readable data from your device.
Unfortunately, this isn’t just theoretical: companies like Cellebrite and Grayshift, which have a history of working with government and law enforcement to circumvent iOS privacy protections, already do this.
Apple, for its part, has responded by saying that its security efforts are focused on thwarting criminals, hackers,and thieves — in other words, the types of threats most users are likely to encounter. iOS device hacks that rely on 0-day vulnerabilities are rare, expensive to develop, and are usually rendered harmless after Apple issues a security patch, which makes them less of a priority for Apple’s security teams. It’s also worth noting that iOS app developers have the option to keep some user data in Complete Protection mode at all times, which can be useful for apps that handle particularly sensitive types of information, such as financial services apps.
That all sounds very reassuring, but unfortunately, we also know that Cellebrite forensic tools have been found for sale on eBay, and that some school districts are purchasing phone hacking devices for use in investigations of students and faculty. If you want to know how to lock down your iPhone as much as possible, we have a few suggestions.
Emergency SOS mode
The iPhone has an Emergency SOS function that can also be used to lock down a phone in a hurry — useful in situations where you think someone may try to physically force you to unlock your device with biometrics. If you hold down the volume up button and the power button for a few seconds, your device will display the Emergency SOS option (but don’t actually swipe on the SOS button unless you really want to call emergency services). Once you’ve done this, even if you cancel out of that screen, your phone can no longer be unlocked without a passcode.
Many device hacking tools rely on guessing passcodes (which is why overly simplistic numeric passcodes are dangerous: 1-1-1-1-1-1 or 1-2-3-4-5-6 is the first thing someone will guess!). To be honest, a good 6-digit numeric passcode is perfectly adequate for most people, but if you want some extra security, create a custom alphanumeric password: something with letters, numbers, and special characters. This is less convenient than a simple numeric passcode, but it’s far stronger, because it’s much harder to guess. To do this, go to Settings > Face ID & Passcode > Change Passcode. After you enter your old passcode, you’ll see the words Enter your new passcode along with the default option of choosing a 6-digit numeric passcode — but if you click on the words Passcode Options, you’ll be presented with a Custom Alphanumeric Code option. Click on this to create your new strong passcode.
Erase data after 10 failed passcode attempts
If you’re worried about someone trying to guess your passcode, you can also configure your iPhone to erase all data after 10 failed login attempts. This setting is what caused so much friction between Apple and the FBI a while back, because it renders many commercial device hacking tools useless: after 10 failed passcode guesses, the device just erases itself. If the authorities get in after that, all they’ll see is an iPhone that has been reset to its factory default condition. Note that if you go with this option you definitely want to have a backup of your data somewhere, so it isn’t lost forever if a child or a bored friend decides to play with your phone. To enable this setting, go to Settings > Face ID & Passcode, and scroll all the way down to find the Erase Data toggle. Toggle this switch to On and your device will auto-erase after 10 failed logins.
So what does this all mean for your security? Is your iPhone data actually protected, or is this Johns Hopkins study something you need to worry about?
For most users, this research doesn’t really change much: the kind of attacks described in the study are only ever used by sophisticated cybercriminals and government agencies. For everyday users concerned with their personal security and privacy, our advice is to focus on the same best practices they always have: use strong passcodes, update your OS in a timely fashion, and only click on links from trusted sources.
Doing the right thing
On Checklist 209, we covered a story about changes in macOS Big Sur that were affecting the functionality of third-party firewalls.
As you’ll recall, outbound firewalls work by filtering network traffic as it’s leaving a computer; this is how they help protect you from, say, a malicious program attempting to “phone home” to its command and control server.
In macOS Big Sur, Apple made some changes that allowed some of its apps to bypass third-party firewall filter rules, the assumption being that Apple’s own applications posed no risk to users. Unfortunately, this turned out to be untrue: Security researcher Patrick Wardle showed how bad guys could piggyback on Apple app processes and sneak malicious traffic through a firewall.
Sounds bad, is bad. But the good news? People who have looked at the macOS 11.2 beta say that these problematic firewall exceptions will be removed in the next version of Big Sur. In other words, Apple appears to be doing the right thing for user security, and at some point in the next month or so, third-party firewalls will once again offer comprehensive protection against outbound malicious traffic.
That’s all for the Checklist this week, but if you’d like to go on learning about security and privacy issues, keep in mind that we have a complete archive of podcast episodes going all the way back to the very first show.