A new feature in iOS 11.4.1, which Apple released earlier this week, is designed to protect against unwanted intrusions through the iPhone’s Lightning Port. However, the protection may be weak at best.
The feature, called “USB Restricted Mode,” disables data transfer through the Lightning Port after an hour of inactivity.
A password-protected iOS device that has not been unlocked and connected to a USB accessory within the past hour will not communicate with an accessory or computer, and in some cases might not charge, according to Apple. Users might see a message directing them to unlock the device to use accessories.
One possible use for USB Restricted Mode could be to foil passcode-cracking solutions made by companies like Cellebrite and Grayshift, which reportedly have been used by law enforcement authorities to crack iPhones.
Users can turn off the USB Restricted Mode capability if they desire to do so.
Thwarting Data Port Intruders
Although the Lightning port may be a sweet spot for law enforcement, USB Restricted Mode has a broader purpose than protecting users from police probes, maintained Will Strafach, president of Sudo Security Group, an iOS security company in Greenwich, Connecticut.
“Exploits and vulnerabilities can be seized on by anyone,” he told BlueHillco. “Criminals may want to steal data from the device or wipe it, so this mode is for mitigation of any kind of USB-based vulnerability.”
USB Restricted Mode is “first and foremost” designed to protect its users’ phones and data, maintained Andrew Blaich, head of device intelligence at Lookout, a maker of mobile security products in San Francisco.
“Law enforcement has recently been using new tools, such as GrayKey, to guess the passcode of a device to access it,” he told BlueHillco.
However, the vulnerabilities and technical bypasses used by GrayKey — and by solutions from Cellebrite and others — are still unknown, he pointed out.
The code GrayKey uses to break the passcode on an iPhone is a closely held secret, but it appears to load through the Lightning Port.
“So Apple’s idea is to make a user enter a passcode after an hour. Otherwise the Lightning Port can only be used for power,” said Sudo’s Strafach.
“Without a data connection, there’s no way to communicate with the data services running on the phone, so there’s no way to access any vulnerabilities on the phone,” he explained.
“Instead of trying to address individual vulnerabilities, Apple is addressing a whole class of vulnerabilities that need the data link to be exploited,” Strafach pointed out.
“That’s smart,” he said. “It’s taking a long-term outlook on vulnerabilities. Rather than squashing vulnerabilities as they come up, they’re taking a proactive approach and mitigating the method by which these vulnerabilities are exploited.”
Breaking Restricted Mode
Once USB Restricted Mode is engaged, it appears to be impossible to break, so the key to foiling the security measure is to prevent it from engaging.
Oleg Afonin, a security researcher at ElcomSoft, has described exactly how to do that in an online post.
“What we discovered is that iOS will reset the USB Restrictive Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been [connected] to the iPhone before,” he wrote.
If USB Restricted Mode hasn’t been engaged, a police officer can seize an iPhone and immediately connect a compatible USB accessory to prevent the USB Restricted Mode lock from engaging after one hour, he explained. Then the device can be taken to a location where a passcode cracker can be used.
What’s the likelihood that a phone hasn’t been unlocked within an hour of it being seized by a law enforcement agent? Quite high, according to Afonin, who noted the average user unlocks a phone around 80 times a day.
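To make the timer logic concrete, the following is an added Python model of the countdown as the article and ElcomSoft describe it; it is not Apple's code and not from the original post, and the event names, times and the stricter comparison rule are assumptions used only to show why resetting on an untrusted accessory weakens the protection.

```python
"""Toy model of the USB Restricted Mode countdown (added illustration, not Apple's
implementation). Event names, times and the 'strict' rule are assumptions."""
from dataclasses import dataclass

HOUR = 3600  # the one-hour inactivity window the article describes


@dataclass
class RestrictedModeTimer:
    # weak=True models the behaviour ElcomSoft reported: any accessory connection,
    # trusted or not, restarts the countdown. weak=False is a hypothetical stricter
    # rule that restarts it only on an unlock or a previously trusted accessory.
    weak: bool
    last_reset: float = 0.0

    def unlock(self, now: float) -> None:
        self.last_reset = now

    def connect_accessory(self, now: float, trusted: bool) -> None:
        if trusted or self.weak:
            self.last_reset = now

    def lock_at(self) -> float:
        # Moment the Lightning port drops to power-only if nothing else resets it.
        return self.last_reset + HOUR

    def data_allowed(self, now: float) -> bool:
        return now < self.lock_at()


def seizure_scenario(weak: bool) -> dict:
    """Replay the sequence from the article (constructed times): phone unlocked at
    t=0, seized 30 min later with an unknown accessory plugged in at once, and a
    data connection attempted 80 min after the last unlock."""
    t = RestrictedModeTimer(weak=weak)
    t.unlock(0)
    t.connect_accessory(30 * 60, trusted=False)  # the seizure-time plug-in
    return {
        "lock_at_min": t.lock_at() / 60,
        "data_at_80_min": t.data_allowed(80 * 60),
    }


if __name__ == "__main__":
    for weak in (True, False):
        print("weak" if weak else "strict", seizure_scenario(weak))
```

Under the weak rule the untrusted plug-in pushes the lock out to 90 minutes, so the data link is still open at 80 minutes; under the strict rule only the original unlock counts and the port is already power-only.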
Apple did not respond to our request to comment for this story.
“Nothing is a silver bullet,” warned Lookout’s Blaich.
“There is no perfect solution, but it’s best to assume that if someone has physical access to your phone, they will eventually be able to find a way to get in,” he said. “So users need to remember to use a strong passcode to minimize unintended access when they lose possession of their device.”