
Researchers find loophole that extends USB Restricted Mode's hour-long timer

Grayshift's GrayKey iPhone cracking tool. | Source: MalwareBytes


Just hours after Apple debuted USB Restricted Mode in its latest iOS 11.4.1 firmware, security researchers discovered an easy-to-implement workaround that prevents the feature from working as intended.

After months of testing, and released earlier today, USB Restricted Mode is Apple's answer to iPhone intrusion techniques that use third-party software to crack device passcodes.

When enabled, the feature deactivates USB data transfer over an iPhone's Lightning port once the device has remained locked for over an hour. After that time limit is reached, the Lightning port can only pass power through to the iPhone for charging.

The mechanism disrupts hacking techniques used by criminals, as well as tools like those marketed by digital forensics firm Grayshift, whose GrayKey iPhone unlocking box requires access to an operational USB port.

According to security researchers at ElcomSoft, however, USB Restricted Mode's countdown timer resets when a Lightning accessory like Apple's Lightning to USB 3 Camera adapter is connected to a target iPhone, effectively defeating the security protocol. Even untrusted accessories, or those that have not previously interfaced with an iPhone, can be used to reset the counter.

ElcomSoft is experimenting with unofficial Lightning to USB adapters to see if they, too, can extend the one hour time limit.

The USB accessory procedure is not viable once USB Restricted Mode activates. Through testing, ElcomSoft confirmed a successful lockout is "maintained through reboots, and persists software restores via Recovery mode. In other words, we have found no obvious way to break USB Restricted Mode once it is already engaged."

However, as the firm notes, iPhone owners are constantly picking up, unlocking and using their devices throughout the day, thereby increasing the odds that target hardware can be intercepted within the one hour time limit.

"In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour," ElcomSoft's Oleg Afonin explains in a blog post.

An ideal accessory should include means of transferring power to iPhone, as proper forensics techniques call for a device to be transported in a Faraday bag or similar to prevent communication with cellular networks. This results in extreme battery drain as iPhone ramps up power to its communications stack as it searches for an adequate signal.

Afonin guesses the USB Restricted Mode loophole is the result of an oversight on Apple's part. Defeating (or more accurately postponing the activation of) an otherwise well-thought-out security protocol with readily available consumer products is likely not what Apple had in mind when it created the feature. Still, the workaround exists in both iOS 11.4.1 and the latest iOS 12 beta.

Apple might rectify the issue in a future release, but for now USB Restricted Mode is vulnerable until its preset one hour window closes.
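The design point the article turns on is a countdown that any accessory connection can restart, versus one that only a previously approved accessory can restart. The model below is an added example written for this page, not Apple's implementation and not ElcomSoft's code: it replays a constructed sequence of lock, accessory-attach and probe events against both policies, using the one-hour window from the article, and reports when the data path closes. The `trusted` set, the event format and the assumption that a passcode unlock restores the data path are all constructed for the illustration.

```python
"""Toy model of a lock-timeout policy that restricts a USB data path.

Constructed example, not Apple's code. It models the behaviour the
article describes: a countdown starts when the device locks, the data
path closes after one hour, any accessory connection restarts the
countdown, and once the lockout has engaged an accessory cannot reopen
the port. A stricter variant restarts the countdown only for
accessories the user previously approved while unlocked.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

WINDOW = 3600  # seconds; the one-hour limit the article names


@dataclass
class RestrictedModeModel:
    policy: str                      # "reset_on_any" or "reset_on_trusted"
    trusted: Set[str] = field(default_factory=set)  # assumed approval list
    locked_since: Optional[float] = None
    data_enabled: bool = True
    engaged_at: Optional[float] = None

    def _expire(self, now: float) -> None:
        # Close the data path once the device has been locked for WINDOW.
        if (self.data_enabled and self.locked_since is not None
                and now - self.locked_since >= WINDOW):
            self.data_enabled = False
            self.engaged_at = self.locked_since + WINDOW

    def lock(self, now: float) -> None:
        if self.locked_since is None:
            self.locked_since = now      # countdown starts

    def unlock(self, now: float) -> None:
        # Passcode unlock stops the countdown and restores the data path
        # (assumption for the model; the article only covers the locked side).
        self._expire(now)
        self.locked_since = None
        self.data_enabled = True

    def attach(self, now: float, accessory_id: str) -> bool:
        """Return True if the accessory gets a live data path."""
        self._expire(now)
        if not self.data_enabled:
            return False                 # engaged: no accessory reopens it
        if self.locked_since is None:
            return True                  # unlocked; nothing to reset
        if self.policy == "reset_on_any" or accessory_id in self.trusted:
            self.locked_since = now      # the loophole: countdown restarts
        return True

    def data_path_open(self, now: float) -> bool:
        self._expire(now)
        return self.data_enabled


# Constructed timeline (seconds, event, argument).
SCENARIO: List[Tuple[float, str, Optional[str]]] = [
    (0, "lock", None),
    (3000, "attach", "camera-adapter"),   # untrusted accessory before the hour is up
    (4000, "probe", None),
    (7000, "probe", None),
    (7200, "attach", "camera-adapter"),   # same accessory after the lockout
    (7300, "probe", None),
]


def replay(events, policy: str, trusted: Optional[Set[str]] = None):
    """Apply events in order; return [(t, data_path_open)] and the engage time."""
    model = RestrictedModeModel(policy=policy, trusted=set(trusted or ()))
    timeline = []
    for t, kind, arg in events:
        if kind == "lock":
            model.lock(t)
        elif kind == "unlock":
            model.unlock(t)
        elif kind == "attach":
            model.attach(t, arg)
        timeline.append((t, model.data_path_open(t)))
    return timeline, model.engaged_at


if __name__ == "__main__":
    for policy, trusted in [("reset_on_any", set()),
                            ("reset_on_trusted", set()),
                            ("reset_on_trusted", {"camera-adapter"})]:
        tl, engaged = replay(SCENARIO, policy, trusted)
        print(f"{policy:17s} trusted={sorted(trusted)}: engaged at {engaged}s, "
              f"open={[o for _, o in tl]}")
```

Under `reset_on_any` the untrusted attach at 3000 s pushes the lockout to 6600 s, which is the article's loophole; under `reset_on_trusted` with an empty approval list the lockout engages at 3600 s regardless of what is plugged in, and in both policies the attach at 7200 s, after the lockout has engaged, gets no data path.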



29 Comments

cornchip 11 Years · 1943 comments

Serious question; is USB(C) any more secure? 

(I’m guessing it’s not).

Soli 9 Years · 9981 comments

Afonin guesses the USB Restricted Mode loophole is the result of an oversight on Apple's part. Defeating (or more accurately postponing the activation of) an otherwise well-thought-out security protocol with readily available consumer products is likely not what Apple had in mind when it created the feature.

To me it sounds like it's by design. If Apple made it so that you need to input your password every hour even when using an accessory that would be a bad tradeoff for their customers. Security is great, but not at the expense of a massive inconvenience.

Maybe we'll see Apple's MFi program advance to where the chips in accessories will need to send a unique and encrypted hash that will be stored in a database on the iDevice that you'll have to authenticate the first time you use it. This would help prevent those obtaining your iDevice through other methods from being able to plug in some other accessory—even Apple accessories, like the aforementioned Lightning to USB 3 Camera adapter—not keep the timer from counting down.

PS: While I don't see Lightning port going away anytime soon (and even once it does there will still be a diagnostics port like on the Apple Watch) with Qi charging and wireless syncing becoming the norm I wonder if it would behoove Apple to allow users to further disable the Lightning port. I'm guessing this won't happen, but I thought I'd mention it for the sake of security.

tallest skil 14 Years · 43086 comments

When enabled, the feature deactivates USB data processes, conducted through an iPhone's Lightning port, when the device remains locked for over an hour. After hitting the predetermined time limit, Lightning is only able to pass power through to iPhone for device charging.

Let me double-check, but it has deactivated charging on my devices, too. I wonder if that wasn’t just a bug or misinterpretation…

ericthehalfbee 13 Years · 4489 comments

I wouldn’t call it a loophole - sounds like how it’s supposed to work. If you keep connecting your iPhone to accessories the timer should reset. Otherwise you’d be nagged every hour to unlock just to continue your normal routine.

Apparently if you perform the SOS function (which disables Touch ID until you enter your passcode - sometimes referred to as “cop mode”) it immediately locks the iPhone AND prevents USB from working.

So for those with something to hide (or who just don’t want authorities snooping through their iPhone), you can quickly lock out USB.

Seems like an all-round good compromise of security while retaining ease-of-use.

derekcurrie 16 Years · 64 comments

♬♬ Jonathan Zdziarski, where are you? ♪♪♩♩

Are you wasting his time Apple? Isn't figuring out this stuff ahead of time the point of hiring security experts?