Grayshift claims it defeated Apple's forthcoming 'USB Restricted Mode' security feature

Grayshift's Graykey device | Source: MalwareBytes

On Wednesday, Apple confirmed USB Restricted Mode will be introduced to consumers in a future version of iOS.

The feature, which has been in testing since iOS 11.3 but is enabled by default in the first iOS 12 beta seed, affords a high level of protection from external brute force attacks by cutting off data connections with USB accessories after a predetermined time period.

Initially, USB Restricted Mode required accessories to be connected to an unlocked device, or prompted users to enter their device passcode, at least once per week. Under current operating protocols, however, that window of opportunity has been reduced to an hour.

In other words, when the feature is active, a passcode is required when attempting to transfer data to or from a USB accessory connected to an iPhone that has not been unlocked within the prescribed one hour time limit.

For law enforcement agencies relying on iPhone unlocking solutions like Grayshift's GrayKey, USB Restricted Mode poses a significant hurdle to accessing a target device. Officials only have an hour to secure a warrant to access the device, attach the USB-based GrayKey tool and perform a brute force attack.

However, according to email correspondence between Grayshift and an unnamed forensics expert seen by Motherboard, the forensics firm has seemingly found a workaround to Apple's solution.

"Grayshift has gone to great lengths to future proof their technology and stated that they have already defeated this security feature in the beta build," the email reads. "Additionally, the GrayKey has built in future capabilities that will begin to be leveraged as time goes on."

Exactly how the company managed to defeat the USB lockdown is unclear. Further details of the supposed workaround are unavailable, though a second person responding to the original email noted Grayshift "addressed" USB Restricted Mode in a recent webinar. Whether that session outlined a successful exploit is also unclear.

Other digital forensics firms are working on similar workarounds. ElcomSoft in May suggested it might be possible to extend USB Restricted Mode's window beyond the hour-long restriction by connecting an iPhone to a paired accessory or computer while it is unlocked. The company added that dedicated hardware could potentially disable the feature completely.

For its part, Apple says the feature is designed to protect its customers from hackers and other ne'er-do-wells, not to stymie legitimate law enforcement investigations.

"We're constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data," Apple said in a statement provided to AppleInsider. "We have the greatest respect for law enforcement, and we don't design our security improvements to frustrate their efforts to do their jobs."

The feature is, however, useful in preventing unwarranted government access in countries that do not afford consumers the same protections as U.S. laws.