Apple’s New ‘USB Restricted Mode’ is Very Easy to Hack

Apple’s new USB Restricted Mode, which dropped with the iOS 11.4.1 release yesterday, may not be as secure as previously thought.


According to a new report from The Verge, USB Restricted Mode, a new iOS feature that protects against unauthorized access to the data on your iOS device, has a glaring omission that would make it quite easy for someone to defeat in many scenarios.

The feature, introduced in iOS 11.4.1 and iOS 12 beta 2, is supposed to keep the data on your iPhone safe even if someone has physical access to it. One hour after the phone was last unlocked, it enters USB Restricted Mode, which disables data access through its Lightning port, preventing access from devices like the GrayKey.

However, USB Restricted Mode is not foolproof. Security researchers at Elcomsoft point out that connecting a USB accessory inside the 1-hour window restarts the clock. That includes something like Apple’s own Lightning to USB 3 Camera Adapter. That said, this isn’t a huge vulnerability; Elcomsoft even theorizes that it’s just an oversight.

Elcomsoft’s Oleg Afonin explains:

“…once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour. Importantly, this only helps if the iPhone has still not entered USB Restricted Mode.”

Not only does it require law enforcement to act quickly and to have the requisite hardware on hand, but it only works within the window: once USB Restricted Mode has kicked in, you can’t undo it without the passcode. Users can also manually enable USB Restricted Mode by triggering the SOS mode—holding an iPhone’s sleep/wake button and either volume button. That forces the phone to require a passcode.

With a power-transferring accessory, police — or other hackers — have a fairly straightforward means of accessing a seized iOS 11.4.1 device. They can connect the Lightning accessory, tether an external battery for power, place everything in a Faraday bag so the phone cannot be reached wirelessly, then transport it to the location of a Cellebrite or Grayshift hacking solution for immediate processing.

“With the release of iOS 11.4.1, the procedure for properly seizing and transporting iPhone devices may be altered to include a compatible Lightning accessory. Prior to iOS 11.4.1, isolating the iPhone inside a Faraday bag and connecting it to a battery pack would be enough to safely transport it to the lab,” Afonin concludes.