Apple has enhanced the USB Restricted Mode feature in the first beta of iOS 12, requiring users to unlock their iPhone once an hour to allow data transfers via the Lightning port, in an attempt to protect user data stored on iOS devices from acquisition by unlocking services employed by law enforcement officials.
Grayshift's Graykey device | Source: MalwareBytes
First appearing in betas for iOS 11.3 but became more prominent in the iOS 11.4 beta, USB Restricted Mode in the latest iOS 12 beta requires the iPhone to be unlocked in order for data to be transferred through the Lightning port. According to Motherboard, the mode now prevents USB accessories from being connected if the iPhone hasn't been unlocked in the last hour.
In previous implementations, USB Restricted Mode allowed for locked iOS devices to communicate with USB accessories if the accessory was connected while the device is unlocked, and for the passcode to be entered while connected at least once a week.
The beta releases for iOS 11.4.1 and iOS 12 both have USB Restricted Mode enabled by default, but it can be disabled within the device's Settings app under Touch ID and Passcode.
The change to a one-hour limit means there is an extremely small window of opportunity for government agencies and law enforcement to use unlocking services and tools to acquire data from a device.
Firms like Cellebrite, a forensic security firm allegedly tapped to unlock an iPhone following the San Bernardino shooting, and Grayshift's GrayKey tool typically rely on having physical access to the device. As law enforcement needs to make sure the device has been unlocked within the window, it is now significantly harder to keep the iPhone in a usable state until such forensic tools can be used.
"That pretty much kills GrayKey and Cellebrite, Point3 Security director Ryan Duff advises. "If it actually does what it says and doesn't let any type of data connection happen until it's unlocked, then yes. You can't exploit the device if you can't communicate with it."
While the hour-wide window makes the unlocking process harder, there may still be a workaround. In May, security firm ElcomSoft suggested that connecting the iPhone to a paired accessory or computer while it is unlocked could extend the Restricted Mode window, while centrally-managed hardware may have the mode disabled entirely.
So far, USB Restricted Mode has appeared only in betas and not in full released versions of iOS, so its appearance in the first iOS 12 beta does not necessarily mean the security feature will be usable by the public when the mobile operating system ships.
The details of how Cellebrite and GrayKey can hack into iPhones and iPads are a closely-guarded secret, and though they could be defeated by USB Restricted Mode, it is likely the firms involved have more extreme techniques available as alternative extraction options. For example, a target device could be disassembled to allow direct access to the flash memory for copying data, with the copies then used to attack the device's password.