Apple and Law Enforcement
Apple always seems to refuse law enforcement requests. Let’s understand why this is bad for Apple… and for Silicon Valley as a whole. Let’s see how this can be resolved.
Stubbornness
While Apple and other “Silicon Valley” companies may be stubborn about reducing encryption strength on phones, reduction of encryption strength isn’t strictly necessary for law enforcement to get what they need out of a phone. In fact, it doesn’t really make sense to reduce encryption across all phones simply so law enforcement can gain access to a small number of devices in a small set of criminal cases.
That’s like using a sledgehammer to open a pea. Sure, it works, but not very well. Worse, these legal cases might not even be impacted by what’s found on the device. Making all phones vulnerable to potentially even worse crimes, such as identity theft and stealing money, in order to prosecute a smaller number of crimes which might not be impacted by unlocking a phone doesn’t make sense.
There Are Solutions
Apple (and other phone manufacturers) should be required to partner with law enforcement to create a one-use unlocking system for law enforcement use. Federal law could even mandate that any non-law enforcement person who attempts to access the law enforcement mode of a phone would be in violation of federal law. Though, policing this might be somewhat difficult. It should be relatively easy to build and implement such a one-use system. Such a system will be relatively easy to use (with the correct information) and be equally difficult to hack (without the correct information).
How this enforcement system would work is that Apple (or any phone vendor) would be required to build both a law enforcement support web site and a law enforcement mode on the phone for law enforcement use only. This LE support server is naturally authentication protected. A verified law enforcement agent logs into Apple’s LE system and enters key information from/about a specific device along with their own Apple issued law enforcement ID number. Apple could even require law enforcement officers to have access to an iPhone themselves to use FaceID to verify their identity before access.
The device information from an evidence phone may include the iPhone’s IMEI (available on the SIM tray), ICCID (if available), SEID (if available), serial number, phone number (if available) and then finally a valid federally issued warrant number. Apple’s validation system would then log in to a federal system and validate the warrant number. Once the warrant is validated and provided the required input data specific to the phone all matches the device (along with the Apple law enforcement ID), Apple will issue a one-time use unlocking code to the law enforcement agent. This code can then be used one time to unlock the device in Law Enforcement Mode (LEM).
To unlock an evidence device, the agent then boots the phone into LEM (needs to be built by Apple) and then manually enters an Apple-generated code into the phone’s interface along with their law enforcement ID. The law enforcement mode then allows setup and connection to a local WiFi network (if no data network is available), but only after entering a valid code. The code will then be verified by Apple’s servers and then the phone will be temporarily unlocked. Valid entry of a law enforcement code unlocks the device for a period of 24 hours for law enforcement use. There is no “lock out” when entering the wrong code when the phone is in “law enforcement mode” because these codes are far too complex to implement such a system. Though, the phone can reboot out of LEM after a number of wrong attempts. You simply can’t randomly guess these codes by trial and error. They are too complex and lengthy for this.
This specific one-use code allows unlocking the device one time only and only for a period of 24 hours. This means that the phone will accept that specific code only once and never accept that specific code again. If law enforcement needs to unlock the phone again, they will have to go through the law enforcement process of having Apple generate a new code using the same input data which would then generate a new code, again, valid for only 24 hours.
A successfully used LE code will suspend all phone screen lock security for a period of 24 hours. This means that the only action needed to get into a phone for up to 24 hours (even after having been powered off and back on) is pressing the home key or swiping up. No touch ID or Face ID is needed when the phone is unlocked during this 24 hour period. This allows for use of this phone by multiple people for gathering evidence, downloading information or as needed by law enforcement. This mode also suspends all security around connecting and trusting iTunes. iTunes will also allow downloading data from the phone without going through its “trust” security. After 24 hours, the phone reboots, deletes LE configuration parameters (such as WiFi networks) and reverts back to its original locked and secured state.
The iPhone will also leave a notification for the owner of the phone that the phone has been unlocked and accessed by law enforcement (much the same as the note left in luggage by the TSA after it has been searched). If the phone still has Internet access, it will contact Apple and inform the Apple ID that the phone has been unlocked and accessed by law enforcement. This Internet notification can be suspended for up to 30 days to allow law enforcement time enough to get what they need before the system notifies the Apple ID owner of access to that device. Though, I’d recommend that Apple notify the owner right away of any access by law enforcement.
How to use the code
When a valid generated Apple law enforcement code is entered into the phone in LEM, the phone calculates the validity of the code based on an internal process that runs on the phone continuously. While the phone is validly being used by its owner, this process will periodically sync with Apple’s LE servers to ensure that an iPhone’s LEM process will work properly should the phone fall into the possession of law enforcement. This information will have to be spelled out and agreed to in Apple’s terms and conditions. Apple’s servers and the phone remain synchronized in the same way as RSA one-time keys remain synchronized (within a small calculable margin of error). Thus, it won’t need to synchronize often.
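The time-synchronized, single-use code described above can be sketched as follows. This is an added example, not code from the original post or from any Apple system; it assumes a per-device secret shared with the vendor's server, an hourly time step with one step of clock drift, and HMAC-SHA256 standing in for the RSA-token-style mechanism the post alludes to. All names are hypothetical.

```python
import base64
import hashlib
import hmac

STEP_SECONDS = 3600         # assumed time step for code derivation
DRIFT_STEPS = 1             # accept +/- one step of clock drift
UNLOCK_SECONDS = 24 * 3600  # the post's 24-hour unlock window
MAX_WRONG = 5               # assumed wrong entries before rebooting out of LEM


def derive_code(device_secret: bytes, imei: str, serial: str,
                le_id: str, step: int) -> str:
    """Bind the code to this device, this LE ID and this time step."""
    msg = "\x1f".join(["LEM-v1", imei, serial, le_id, str(step)]).encode()
    digest = hmac.new(device_secret, msg, hashlib.sha256).digest()
    # 20 bytes -> 32 base32 characters (160 bits), far too long to guess.
    return base64.b32encode(digest[:20]).decode()


def issue_code(device_secret: bytes, imei: str, serial: str, le_id: str,
               warrant_valid: bool, now: float) -> str:
    """Server side: only issue after the warrant check has passed."""
    if not warrant_valid:
        raise PermissionError("warrant not validated")
    return derive_code(device_secret, imei, serial, le_id,
                       int(now // STEP_SECONDS))


class DeviceLEM:
    """Device side: offline validation, single use, 24-hour unlock."""

    def __init__(self, device_secret: bytes, imei: str, serial: str,
                 known_le_ids: set):
        self.secret = device_secret
        self.imei = imei
        self.serial = serial
        self.known_le_ids = known_le_ids  # LE IDs synced in advance
        self.used_codes = set()           # codes are never accepted twice
        self.unlocked_until = 0.0
        self.wrong_attempts = 0

    def _wrong(self) -> str:
        self.wrong_attempts += 1
        if self.wrong_attempts >= MAX_WRONG:
            self.wrong_attempts = 0
            return "reboot"               # leave LEM, no permanent lockout
        return "rejected"

    def enter_code(self, le_id: str, code: str, now: float) -> str:
        if le_id not in self.known_le_ids:
            return self._wrong()
        entered = code.strip().upper()
        if entered in self.used_codes:
            return "replayed"
        current = int(now // STEP_SECONDS)
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            expected = derive_code(self.secret, self.imei, self.serial,
                                   le_id, step)
            # Constant-time comparison avoids leaking matching prefixes.
            if hmac.compare_digest(expected.encode(), entered.encode()):
                self.used_codes.add(entered)
                self.unlocked_until = now + UNLOCK_SECONDS
                self.wrong_attempts = 0
                return "unlocked"
        return self._wrong()

    def is_unlocked(self, now: float) -> bool:
        return now < self.unlocked_until


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    secret = b"constructed-per-device-secret"
    t0 = 1_700_000_000
    phone = DeviceLEM(secret, "350000000000001", "SERIAL0001", {"LE-0001"})
    code = issue_code(secret, "350000000000001", "SERIAL0001", "LE-0001",
                      True, t0)
    print(phone.enter_code("LE-0001", code, t0 + 60))   # unlocked
    print(phone.enter_code("LE-0001", code, t0 + 120))  # replayed
```

Because the time step is part of the HMAC input, a code requested later from the same device data comes out different, which matches the post's requirement that each new request yields a new code.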
How to use Law Enforcement Mode
This mode can be brought up by anyone, but to unlock this mode fully, a valid Apple issued law enforcement ID and one-use code must be entered into an iPhone for the mode to unlock and allow setup of a WiFi network. Without entry of an Apple issued law enforcement ID number or because of successive incorrect entries, the phone will reboot out of LEM after a short period of time.
Law Enforcement ID
A law enforcement ID must be generated by Apple and these IDs will synchronize to all Apple devices prior to falling under law enforcement possession. To keep this list small, it will remain compressed on the device until LEM successfully activates, at which time the file is decompressed for offline validation use. This means that a nefarious someone can’t simply get into this mode and start mucking about easily to gain entry to a random phone. It also means someone can’t request Apple issue a brand new ID on the spot. Even if Apple were to create a new ID, the phone would take up to 24 hours to synchronize… and that assumes that the phone still has data service (which it probably doesn’t). Without data service, the phone cannot synchronize new IDs. This is the importance of creating these IDs in advance.
Apple will also need to go through a validation process to ensure the law enforcement officer requesting an ID is a valid officer working for a legitimate law enforcement organization. This in-advance validation may require a PDF of the officer’s badge and number, an agency issued ID card and any other agency relevant information to ensure the officer is a valid LE officer or an officer of the court. This requires some effort on the part of Apple.
To get an Apple law enforcement ID, the department needing access must apply for such access with Apple under its law enforcement support site (to be created). Once an Apple law enforcement ID has been issued, within 24 hours the ID will sync to phones, thus activating the use of this ID with the phone’s LEM. These IDs should not be shared outside of any law enforcement department. IDs must be renewed periodically through a simple validation process, otherwise they will expire and fall off of the list. Manufacturers shouldn’t have to manage this list manually.
Such a system is relatively simple to build, but may take time to implement. Apple, however, may not be cool with developing such a law enforcement system on its own time and dime. This is where the government may need to step in and mandate such a law enforcement support system be built by phone manufacturers who insist on using overly strong encryption. While government(s) can legislate that companies reduce their encryption strength on their devices to avoid building a law enforcement system as described, instead I’d strongly recommend that companies be required to build a law enforcement support and unlocking system into their devices should they wish to continue using ever stronger encryption. Why compromise the security of all devices simply for a small number of law enforcement cases? Apple must meet law enforcement somewhere in the middle via technological means.
There is also no reason why Apple and other device manufacturers are denying access to law enforcement agents for phone devices when there are software and technical solutions that can see Apple and other manufacturers cooperate with law enforcement, but yet not “give away the farm”.
I don’t even work for Apple and I designed this functional system in under 30 minutes. There may be other considerations of which I am not aware within iOS or Android, but none of these considerations are insurmountable in this design. Every device that Apple has built can support such a mode. Google should also be required to build a similar system for its Android phones and devices.
Apple is simply not trying.
Security Tip: Apple ID locked for security?
This one also doubles as a Rant Time. Having my Apple ID account locked is an issue I face far too often with Apple. Perhaps you do, too? In my case, no one knows my account ID. Yet, I face having to unlock my account frequently because of this issue. I personally think Apple is causing this issue. Let’s explore.
Unlocking an Apple ID
As with far too many things, Apple’s unlocking system is unnecessarily complex and fraught with digital peril after-the-fact… particularly if you enable some of Apple’s more complex security features (i.e., Two Factor authentication).
One of the things Apple has yet to get correct is properly securing its Apple ID system from intrusion attempts. That doesn’t mean that your account is unsafe. What it means is that your account is unsafe against malicious attacks targeting your account ID. But, there’s an even bigger risk using Apple’s ID system… securing your credentials by using an email address. I’ll come back to this practice a little later.
Once your account becomes locked, there are a number of major problems that present. The first immediate problem is that you need to remember your security questions OR face changing your password (assuming standard security). If you use Apple’s two-factor authentication, you face even more problems. If you don’t use two-factor and you’ve forgotten your security questions, you have the option to contact Apple Support to help you with your security question problems to gain access to your account. On the other hand, if you’ve forgotten your security information set up when enabling two-factor, you’re screwed. Apple can’t help you after you have two-factor set up… one of the major reasons I have chosen not to use two-factor at Apple. Two-factor IS more secure, but by using it you risk losing your Apple ID if you lose a tiny bit of information. That risk is far too great. With all of the “ease of use” Apple is known for, its Apple ID system is too overly complex.
The second problem is that once you do manage to get your account unlocked, you are then required to go touch EVERY SINGLE DEVICE that uses your account ID and reenter your password AGAIN. This includes not only every Apple device, but every device utilizing Apple services such as Alexa’s account linking for Apple Music on the Amazon Echo. If you use Apple Music on an Android, you’ll need to go touch that too. It’s not just the locking and unlocking of your account, it’s the immense hassle of signing into your Apple ID on EVERY SINGLE DEVICE. Own an Apple Watch? Own an Apple TV? Own a Home Pod? Own an iPad? Own a MacBook? Use Apple Music on your Android? You’ll need to go to each and every one of these devices and touch them.
On the iPhone, it’s particularly problematic. You’ll be presented with at least 3 login prompts simultaneously all competing with one another on the screen. Later, you’ll be presented with a few more stragglers over the course of 30 minutes or an hour. Apple still can’t seem to figure out how to use a single login panel to authenticate the entire device and all of its services. Instead, it must request passwords for each “thing” separately. So many prompts pop up so fast you have no idea which one is which because none of them are labeled as to which service they are attached. You could even be giving your account ID and password to a random nefarious app on your device. You’d never know. If you own an Apple Watch, you’ll have to re-enter it separately for that device as well. Literally, every single device that uses your Apple ID must be touched after unlocking your Apple ID. Unlike Wi-Fi passwords which you enter once and it’s shared across every device you own, Apple can’t possibly do that with its Apple ID system so that we enter it once and it populates ALL of our devices. No. We must touch each and every device we own.
Worse, if you don’t go touch each and every one of these devices immediately upon unlocking your account, you risk having your account locked almost immediately by just one of these devices. Apple’s ID system is not forgiving if even one of these devices hasn’t logged in properly after a security lock. You could face being locked out just a few hours later.
So the rant begins…
Using Email Addresses as Network IDs
Here’s a security practice that needs to stop. Apple, I’m l👀king at you! Using email addresses as an ID was the “norm” during the mid-late 00s and is still in common practice throughout much of the Internet industry. It is, however, a practice that needs to end. Email addresses are public entities easily seen, easily found and, most easily, attacked. They are NOT good candidates for use as login identifiers. Login identifiers need to use words, phrases or information that are not generally publicly accessible or known. Yes, people will continue to use their favorite pet’s name or TV show or girlfriend’s name as login IDs. At least that’s only found by asking the person involved. Email addresses are not required when developing login systems. You can tie the email address to the account via its profile. But, it SHOULD NOT be used as a login identifier.
When an Apple ID account gets continually locked, Apple Support suggests changing the login ID, but that’s not going to change anything. You’re simply moving the crap from one toilet to another. Crap is still crap. The problem is that it still uses an email address and, to reiterate, email addresses are easily seen, found and attacked. What I need is a login ID that’s of my own choosing and is not an email address. This way, random folks can’t go to Apple’s iCloud web site and randomly enter an email address intentionally to lock accounts. If I can choose my own login identifier, unless I give that information out explicitly to someone, it’s not guessable AT ALL and far less likely to be locked out by random folks entering junk into Apple’s web-based login panels.
Oh, and make no mistake, it’s not people on an iPhone or iPad doing this. It’s people going to Apple’s web site and doing it there. There is no other place where it can be happening. And yet, we unsuspecting users are penalized by having to spend a half an hour finding and reentering passwords on all our devices because someone spent 5 minutes at Apple’s web site entering random information incorrectly 3 times. Less than 5 minutes worth of effort triggers at least 30 minutes of work unlocking the account and reentering passwords on many devices and services. And then there are the stragglers that continue to prompt for at least an hour or two after… all because Apple refuses to secure its own web site login panels from this activity. This is not my problem Apple, it’s yours. You need to fix your shit and that’s something I absolutely cannot do for you.
Notifications
Apple prides itself on building its push notification system, yet it can’t even use it to alert users of potential unusual activity on its very own Apple IDs. If someone is incorrectly trying passwords on a web site, they know where this vector is. So then, tell me about it, Apple. Send me an alert that someone is trying to log into the Apple Store or the iCloud.net site. Inform me that my ID is being used in a place that seems suspect. You know the IP address where the user is coming from. Alert me. Google does. You can, too.
Additionally, Apple stores absolutely NO information about bad login attempts. If you attempt to contact Apple Support about your account activity, they don’t have access. They can’t even tell you what triggered your Account ID lock. This level of information is the absolute bare minimum a company using centralized login IDs must offer to its users. If Apple can’t even bother to help you find out why and where your account was locked, why would you trust Apple to store your information? Apple puts all its cards on its functionality side, but it can’t put a single card on this side of the security fence? What the hell, Apple?
Apple Locking Accounts
I also firmly believe that Apple is intentionally locking accounts. When these lockouts occur, it’s not me doing it. I’m not out there entering my account credentials incorrectly. It’s not my devices, either. My devices ALL have my correct password setup. This means that either someone has guessed my email address or, more likely, Apple is intentionally locking the account. I firmly believe Apple is intentionally doing this internally and it’s not incorrect password attempts at all. The more it happens, the more I believe Apple is forcing this. I don’t know why they would want to do this, but I do believe they are. Maybe it’s a disgruntled employee who just randomly feels the need to screw with Apple’s users?
Apple’s Response
I’ve called Apple Support at least twice regarding this issue and gotten absolutely nowhere. They can’t and, more importantly, won’t help with this issue. They claim to have no access to security logs. They can’t determine where, when or why an account was locked. In fact, I do believe Apple does have access to this information, but I believe Apple Support has been told not to provide any information.
If Apple Support can’t give this information, then this information should be offered through the Apple ID account site (appleid.apple.com). This site should contain not only the ability to manage your Apple ID, it should also store and offer security information for when and where your ID was used (and where the account was used when it locked). Yet, Apple offers NOTHING. Not a single thing. You can log into this site, but there are no tools offered to the user. Apple exposes nothing about my account use to me. Google, on the other hand, is very transparent. So transparent, in fact, that they send “unusual activity” alerts whenever your ID is used in an unusual way. Google errs on the side of over-communication. Yet, Apple hasn’t done shit in this area and errs on the side of absolute ZERO communication.
Get your act together Apple. Your Apple ID system sucks. Figure it out!
How to iCloud unlock an iPad or iPhone?
A lot of people seem to be asking this question. So, let’s explore if there are any solutions to the iCloud unlock problem.
Apple’s iCloud Lock: What is it?
Let’s examine what exactly is an iCloud lock. When you use an iPhone or iPad, a big part of that experience is using iCloud. You may not even know it. You may not know how much iCloud you are actually using (which is how Apple likes it) as it is heavily integrated into every Apple device. The iCloud service uses your Apple ID to gain access. Your Apple ID consists of your username (an email address) and a password. You can enable extended security features like two factor authentication, but for simplicity, I will discuss devices using only a standard login ID and password… nothing fancy.
iCloud is Apple’s cloud network services layer that supports service synchronization between devices like calendaring, email contacts, phone data, iMessage, iCloud Drive, Apple Music, iTunes Playlists, etc. As long as your Apple ID remains logged into these services, you will have access to the same data across all of your devices. Note, your devices don’t have to use iCloud at all. You can disable it and not use any of it. However, Apple makes it terribly convenient to use iCloud’s services including such features as Find my iPhone, which allows you to lock or erase your iPhone if it’s ever lost or stolen.
One feature that automatically comes along for the ride when using iCloud services is an iCloud lock. If you have ever logged your iPhone or iPad into iCloud, your device is now locked to your Apple ID. This means that if it’s ever lost or stolen, no one can use your device because it is locked to your iCloud Apple ID and locked to Find my iPhone for that user (which I believe is now enabled by default upon logging into iCloud).
This also means that any recipient of such an iCloud locked device cannot use that device as their own without first disassociating that device from the previous Apple ID. This lock type is known as an iCloud lock. This type of Apple lock is separate from a phone carrier lock which limits with which carriers a phone can be used. Don’t confuse or conflate the two.
I should further qualify what “use your device” actually means after an iCloud lock is in place. A thief cannot clean off your device and then log it into their own Apple ID and use the phone for themselves. Because the phone is iCloud locked to your account, it’s locked to your account forever (or until you manually disassociate it). This means that unless you explicitly remove the association between your Apple ID and that specific device, no one can use that device again on Apple’s network. The best a would-be thief can do with your stolen phone is open it up and break it down for limited parts. Or, they can sell the iCloud locked device to an unsuspecting buyer before the buyer has a chance to notice that it’s iCloud locked.
Buying Used Devices
If you’re thinking of buying a used iPhone from an individual or any online business that is not Apple, you will always need to ask the seller whether the device is iCloud unlocked before you pay, because the iCloud lock is an implicit and automatic feature enabled simply by using iCloud services. Or, more specifically, you will need to ask if the previous owner of the device has logged out and removed the device from Find my iPhone services and all other iCloud and Apple ID services. If this action has not been performed, then the device will remain iCloud locked to that specific Apple ID. In that case, you should avoid the purchase and look for a reputable seller.
What this means to you as a would-be buyer of used Apple product is that you need to check for this problem immediately before you walk away from the seller. If the battery on the device is dead, walk away from the sale. If you’re buying a device sight unseen over the Internet, you should be extremely wary before clicking ‘Submit’. In fact, I’d recommend not buying used Apple equipment from eBay or Craigslist because of how easy it is to buy bricked equipment and lose your money. Anything you buy from Apple shouldn’t be a problem. Anything you buy from a random third party, particularly if they’re in China, might be a scam.
Can iCloud Lock be Removed?
Technically yes, but none of the solutions are terribly easy or in some cases practical. Here is a possible list of solutions:
1) This one requires technical skills, equipment and repair of the device. With this solution, you must take the device apart, unsolder a flash RAM chip, reflash it with a new serial number, then reassemble the unit.
Pros: This will fix the iPad or iPhone and allow it to work
Cons: May not work forever if Apple notices the faked and changed serial number. If the soldering job was performed poorly, the device hardware could fail.
2) Ask the original owner of the device, if you know who they are, to disassociate the iDevice from their account. This will unlock it.
Pros: Makes the device 100% functional. No soldering.
Cons: Requires knowing the original owner and asking them to disassociate the device.
3) Contact Apple with your original purchase receipt and give Apple all of the necessary information from the device. Ask them to remove the iCloud lock. They can iCloud unlock the device if they so choose and if they deem your device purchase as valid.
Pros: Makes the device 100% functional.
Cons: Unlocking Apple devices through Apple Support can be difficult, if not impossible. Your mileage may vary.
4) Replace the logic board in the iPad / iPhone with one from another. Again, this one requires repair knowledge, tools, experience and necessary parts.
Pros: May restore most functionality to the device.
Cons: Certain features, like the touch ID button and other internal systems may not work 100% after a logic board replacement.
As you can see, none of these are particularly easy, but none are all that impossible either. If you’re not comfortable cracking open your gear, you might need to ask a repair center if they can do any of this for you. However, reflashing a new serial number might raise eyebrows at some repair centers with the assumption that your device is stolen. Be careful when asking a repair center to perform #1 above for you.
iCloud Locking
It seems that the reason the iCloud Lock came into existence is to thwart thieves. Unfortunately, it doesn’t actually solve that problem. Instead, it creates a whole new set of consumer problems. Now, not only are would-be thieves stealing iPads still, they’re selling these devices iCloud locked to unsuspecting buyers and scamming them out of their money. The thieves don’t care. The only thing this feature does is screw used device consumers out of their money.
Thieves
That Apple thought they could stop thievery by implementing the iCloud lock shows just how idealistically naïve Apple’s technical team really is. Instead, they created a whole new scamming market for iCloud locked Apple devices. In fact, the whole reason this article exists is to explain this problem.
For the former owner of an iPad which was stolen, there’s likely no hope of ever getting it back. The iCloud lock feature does nothing to identify the thief or return stolen property to its rightful owner. The iCloud lock simply makes it a tiny nuisance to the thief and would-be scammer. As long as they can get $100 or $200 for selling an iCloud locked iPad, they don’t care if it’s iCloud locked. In fact, the fact that this feature exists makes no difference at all to a thief.
It may reduce the “value” of the stolen property some, but not enough to worry about. If it was five finger discounted, then any money had is money gained, even if it’s a smaller amount than anticipated. For thieves, the iCloud lock does absolutely nothing to stop thievery.
Buyers
Here’s the place where the iCloud lock technology hurts the most. Instead of thwarting would-be thieves, it ends up placing the burden of the iCloud lock squarely on the consumer. If you are considering buying a used device, which should be a simple straightforward transaction, you now have to worry about whether the device is iCloud locked.
It also means that buying an iPhone or iPad used could scam you out of your money if you’re not careful. It’s very easy to buy these used devices sight unseen from online sellers. Yet, when you get the box open, you may find the device is iCloud locked to an existing Apple ID. At that point, unless you’re willing to jump through one of the four hoops listed above, you may have just been scammed.
If you can’t return the device, then you’re out money. The only organization that stands to benefit from the iCloud lock is Apple and that’s only because they’ll claim you should have bought your device new from them. If this is Apple’s attempt at thwarting or reducing used hardware sales, it doesn’t seem to be working. For the consumer, the iCloud lock seems intent on harming consumer satisfaction for device purchases of used Apple equipment… a market that Apple should want to exist because it helps them sell more software product (their highest grossing product).
Sellers
For actually honest sellers, an iCloud lock makes selling used iPad and iPhone devices a small problem. For unscrupulous sellers, then there is no problem here at all. An honest seller must make sure that the device has been disassociated from its former Apple ID before putting the item up for sale. If an honest seller doesn’t know the original owner and the device is locked, it should not be sold. For the unscrupulous sellers, the situation then becomes the scammer selling locked gear and potentially trafficking stolen goods.
It should be said that it is naturally assumed that an iCloud locked device is stolen. It makes sense. If the owner had really wanted the item sold as used, they would have removed the device from iCloud services… except that Apple doesn’t make this process at all easy to understand.
Here’s where Apple fails would-be sellers. Apple doesn’t make it perfectly clear that selling the device requires removing the Apple ID information fully and completely from the device. Even wiping the device doesn’t always do this as there are many silent errors in the reset process. Many owners think that doing a wipe and reset of the device is enough to iCloud unlock the device. It isn’t.
As a would-be seller and before wiping it, you must go into your iPad or iPhone and manually remove the device from Find my iPhone and log the phone out of all Apple ID services. This includes not only logging it out of iCloud, but also logging out of iTunes and Email and every other place where Apple requires you to enter your Apple ID credentials. Because iOS requires logging in multiple times separately to each of these services, you must log out of these services separately on the device. Then, wipe the device. Even after all of that, you should double check Find my iPhone from another device to make sure the old device no longer shows up there. In fact, you should walk through the setup process once to the point where it asks you for your Apple ID to confirm the device is not locked to your Apple ID.
This is where it’s easy to sell a device thinking you’ve cleared it all out, but you actually haven’t. It also means that this device was legitimately sold as used, but wasn’t properly removed from iCloud, implying that it’s now stolen. Instead, Apple needs to offer a ‘Prep for Resell’ setting in Settings. This means this setting will not only wipe the device in the end, but it will also 100% ensure an iCloud unlock of the device and log it out of all logged Apple ID services. This setting will truly wipe the device clean as though it were an unregistered, brand new device. If it’s a phone, it should also carrier unlock the phone so that it can accept a SIM card from any carrier.
Apple makes it very easy to set up brand new devices, but Apple makes it equally difficult to properly clear off a device for resale. Apple should make this part a whole lot easier for would-be sellers. If need be, maybe Apple needs to sell a reseller toolkit to scan and ensure devices are not only iCloud unlocked, but run diagnostic checks to ensure they are worthy of being sold.