New $58 Device Can Defeat iOS USB Restricted Mode
The most spoken thing about iOS 11.4.1 is undoubtedly USB Restricted Mode.
This highly controversial feature is apparently built in response to threats created by
$58 passcode-cracking solutions such as those made by Celebrity and Grayshift.
On unmanaged devices, the new $58 default behavior is to disable data connectivity
of the Lightning connector after one hour since the device was last unlocked, or
one hour since the device has been disconnected from a trusted $58 USB accessory.
In addition, users can quickly disable the USB port manually by following the
S.O.S. mode routine.
Once USB Restricted Mode is engaged on a device, no data communications occur over
the Lightning port. A connected computer or accessory will not detect a $58 “smart” device.
If anything, an $58 iPhone in USB Restricted Mode acts as a dumb battery pack: it can be
charged but cannot be identified as a smart device. This effectively blocks forensic tools
from being able
to $58 crack passcodes if the iPhone spent more than one hour locked. Since law
time (more than one hour) to transport the seized device to a lab, and then more
time to obtain
an extraction warrant, USB Restricted Mode seems well designed to block this scenario.
Or is it?
We performed several tests, and can now confirm that USB Restricted Mode is
reboots and persists software restores via Recovery mode. In other words, we have found no
the obvious way to break USB Restricted Mode once it is already engaged. However,
a workaround, which happens to work exactly as we suggested back in May (this article;
down to the “Mitigation” chapter).
This $58 Device Can Fool USB Restricted Mode
According to Apple, iOS 11.4.1 may require users to unlock their passcode-protected iOS
devices in order to connect them to a PC, Mac or a USB accessory after one hour since the
the device has been last unlocked or disconnected from a trusted USB accessory or computer.
Some information on the new model is given in iOS 12 release notes:
- To improve security, iOS 12 beta may require you unlock your passcode-protected iPhone, iPad, or iPod touch in order to connect it to a Mac, PC, or a USB accessory.
- If you use iPod Accessory Protocol (IAP) USB accessories over the Lightning connector (such as CarPlay, assistive devices, charging accessories, or storage carts) or you connect to a Mac or PC you might need to unlock your device to recognize the accessory. If you don’t unlock your device, it won’t communicate with the accessory or computer, and it won’t charge. Note that you don’t need to unlock your device to charge using an Apple USB power adapter.
- If a USB accessory isn’t recognized after you unlock your device, disconnect it, unlock your device, and reconnect the accessory.
- If you normally use a USB assistive device to enter your passcode, you may allow it to communicate with your device while it is locked by enabling “USB Accessories” in Settings > Face ID/Touch ID & Passcode.
Even more, information is available in Apple’s article Using USB accessories with iOS 11.4.1 and later.
In this article, Apple states: “Starting with iOS 11.4.1, if you use USB accessories with your
or iPod touch, or if you connect your device to a Mac or PC, you might need to unlock
your device for
it to recognize and use the accessory. Your accessory then remains connected, even
if your device is
subsequently locked. … If you don’t first unlock your password-protected iOS
device—or you haven’t
unlocked and connected it to a USB accessory within the past hour—your iOS
communicate with the accessory or computer, and in some cases, it might not charge.
You might also see an alert asking you to unlock your device to use accessories.”
What we discovered is that iOS will reset the USB Restrictive Mode countdown timer even
if one connects the iPhone to an untrusted USB accessory, one that has never been paired
to the iPhone before (well, in fact, the accessories do not require pairing at all). In other words,
once the police officer seizes an iPhone, he or she would need to immediately connect that
iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour.
Importantly, this only helps if the iPhone has still not entered USB Restricted Mode.
Most (if not all) USB accessories fit the purpose — for example, Lightning to USB 3 Camera Adapter
The official (sic!) Apple Lightning to 3.5mm jack adapter ($9) does not work to defeat USB restrictions;
even if works, it does not allow is pass-through charging (and without it, the iPhone may drain its
battery, especially if you transport it in a Faraday bag).
We are now waiting for delivery of several non-original (and so much cheaper; the c cheapest one
we have found is $2.69 only) adapters from AliExpress and will try with them, too — almost sure
that they will work as well. That might be a good idea to develop and manufacture the special
Lightning accessory for exactly that purpose, and no extras at all (just power delivery).
How to Fool USB Restricted Mode with a USB Accessory
With the release of iOS 11.4.1, the procedure for properly seizing and transporting iPhone
devices may be altered to include a compatible Lightning accessory. Prior to iOS 11.4.1,
isolating the iPhone inside a Faraday bag and connecting it to a battery pack would be
enough to safely transport it to the lab. iOS 11.4.1 adds the need for another dongle setup.
In order to fool USB Restricted Mode, one would need to perform the following steps:
- Connect the iPhone to a compatible Lightning accessory (such as the official Lightning
- to USB 3 Camera Adapter).
- Plug external battery pack to the adapter (to avoid iPhone battery drain).
- Place the entire assembly in a Faraday bag.
According to our tests, this effectively disables USB Restricted Mode countdown timer and allows safely transporting the seized device to the lab.
If you get a message that the device should be unlocked in order to use the accessory
(when you connect it), then USB restricted mode has been activated already, and there
is nothing you can do about that, sorry.
What are the chances that the device is seized within an hour after last unlock? Quite high.
We were not able to find recent stats, but even two years ago an average user unlocked their
iPhone at least 80 times a day.
Why USB Restricted Mode Is So Easily Fooled, and Can Apple Fix It?
So why are we able to fool USB Restricted Mode as easy? Is this an oversight that somehow
slipped through the testing of all the five iOS 11.4.1 betas? Will Apple patch it in iOS 11.4.2 or iOS 12?
While we cannot know for sure, the issue appears to lie in Apple’s Lightning communication protocol.
If the iPhone talks to a computer, the two devices must establish trust by exchanging unique
cryptographic keys. This, however, does not apply to the majority of existing Lightning accessories.
Existing accessories share public keys for trust;
cryptographic keys the way computers do. As a result, before USB Restricted Mode kicks in, an
iPhone can check if the accessory is MFi certified – but that is pretty much it. It appears that there
Can Apple change it in future versions of iOS? To us, it seems highly unlikely simply because of
those accessories to establish connectivity without requiring an unlock – but that’s about all
we can think of.
USB Restricted Mode on Managed Devices
Below are Apple Configurator 2.7.1 Developer Preview Beta Notes:
– Configure USB Restricted Mode in the profile editor
– Preparing a supervised device but not enrolling it in MDM will disable USB Restricted
Mode on the device to make it easier to continue to manage it using Configurator
The Controversy Around USB Restricted Mode
that this new feature (as well as several security updates disabling Touch ID/Face ID in certain circumstances)
Our opinion remains unchanged: if there is an unpatched vulnerability, it will be exploited by the
bad guys sooner or later. USB Restricted Mode, while not addressing the root cause of the problem,
is a perfectly viable band-aid that ‘fixes’ the issue for most without inconveniencing the average user
all that much. Those who oppose this Apple’s move can simply disable the feature on their own phones,
or do a radical step and to Android.
We’ve seen rumors about Grayshift being able to defeat protection provided by USB Restricted Mode.
While this allows
breaking 4-digit passcodes in a reasonable time (about two months worst-case scenario), 6-digit
passcodes already make little sense to attack unless one has a custom dictionary, and 6 digits are
the default length for the passcode suggested by iOS.
- US: FBI’s Encryption Statistics Inflated
- Cops May Unlock iPhones Without a Warrant to Beat Apple’s New Security Feature
The ability to postpone USB Restricted Mode by connecting the iPhone to an untrusted USB
the accessory is probably nothing more than an oversight. We don’t know if this behavior is here to stay,
or if Apple will change it in the near future. According to our tests, both iOS 11.4.1 and iOS 12 beta 2
exhibit similar behavior; however, this can change in subsequent versions of iOS.
PLEASE REMEMBER TO LIKE & SHARE THIS POST
381 total views, 4 views today