The iOS 11.4 beta contains a new feature called USB Restricted Mode, designed to defeat physical data access by third parties — possibly with forensic firms like Grayshift and Cellebrite in mind.
"To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via Lightning connector to the device while unlocked — or enter your device passcode while connected — at least once a week," reads Apple documentation highlighted by security firm ElcomSoft. The feature actually made an appearance in iOS 11.3 betas, but like AirPlay 2 was removed from the finished code.
The change blocks use of the Lightning port for anything but charging if a device is left untouched for seven days. An iPhone or iPad will even refuse to sync with a computer running iTunes until iOS is unlocked with a passcode.
USB Restricted Mode may be intended to impose a seven-day window on when digital forensics specialists like Grayshift can break into a device, at least using any simple techniques. Those firms will often employ a "lockdown" record from a suspect's computer to create a local backup of iPhone data, skipping passcode entry.
iOS 11 already has some restrictions on lockdown records, namely automatic expiration and full-disk encryption, which renders them useless once a device is rebooted. The 11.3 update shrank the life of iTunes pairing records to seven days.
ElcomSoft suggested that connecting a device to a paired accessory or computer could extend the Restricted Mode window, and centrally-managed hardware may already have that mode disabled.
"If the phone was seized while it was still powered on, and kept powered on in the meanwhile, then the chance of successfully connecting the phone to a computer for the purpose of making a local backup will depend on whether or not the expert has access to a non-expired lockdown file (pairing record)," ElcomSoft elaborated. "If, however, the phone is delivered in a powered-off state, and the passcode is not known, the chance of successful extraction is slim at best."
The exact details of the hacking techniques used by Cellebrite and Grayshift's GrayKey have been kept secret, so it's possible they may still work after iOS 11.4 is released. The companies could however resort to more extreme methods to get at data, such as removing the flash memory from the devices, copying them, and using the copies to attack the password.
how about sending a 50KV burst back down the line if a device like a GrayKey is detected?
OK, I'm only joking, but there has to be some defence that iOS could employ; after all, the device is essentially being hacked. Even if it is to do a security-level storage wipe, user configurable naturally. All it should leave are cat videos. :)
Well, if you really want to troll the cops, you could have it leave a video of Dunkin Donuts burning down...
Good to hear that Apple is trying to address the issue, but this strikes me as a bit of a work-around patch rather than fixing the hole itself, and tells me they still don't know exactly how the hack is being executed. (Or at least didn't when 11.4 was being written.)
If you care about security, the iPhone is your only choice.
Can they go a step further and have a toggle that prevents any data connection via USB? I'm not a power user, but I can't remember the last time I connected my phone to anything to transfer data. Everything is cloud based (backup, sync, etc.), AirDrop, or just emailed/iMessaged as far as I know.
Then again I have nothing of interest to law enforcement.