A New $58 Device Can Defeat iOS USB Restricted Mode


The most talked-about feature of iOS 11.4.1 is undoubtedly USB Restricted Mode. This highly controversial feature was apparently built in response to threats created by passcode-cracking solutions such as those made by Cellebrite and Grayshift. On unmanaged devices, the new default behavior is to disable data connectivity of the Lightning connector one hour after the device was last unlocked, or one hour after the device was disconnected from a trusted USB accessory. In addition, users can quickly disable the USB port manually by following the S.O.S. mode routine.

Once USB Restricted Mode is engaged on a device, no data communications occur over the Lightning port. A connected computer or accessory will not detect a “smart” device. If anything, an iPhone in USB Restricted Mode acts as a dumb battery pack: it can be charged but cannot be identified as a smart device. This effectively blocks forensic tools from being able to crack passcodes if the iPhone spent more than one hour locked. Since law enforcement needs time (more than one hour) to transport the seized device to a lab, and then more time to obtain an extraction warrant, USB Restricted Mode seems well designed to block this scenario.

Or is it?

We performed several tests, and can now confirm that USB Restricted Mode is maintained through reboots and persists through software restores via Recovery mode. In other words, we have found no obvious way to break USB Restricted Mode once it is already engaged. However, we discovered a workaround, which happens to work exactly as we suggested back in May (this article; see the “Mitigation” chapter).

This $58 Device Can Fool USB Restricted Mode

According to Apple, iOS 11.4.1 may require users to unlock their passcode-protected iOS devices in order to connect them to a PC, Mac or a USB accessory once an hour has passed since the device was last unlocked or disconnected from a trusted USB accessory or computer.

Some information on the new model is given in the iOS 12 release notes:


  • To improve security, iOS 12 beta may require you unlock your passcode-protected iPhone, iPad, or iPod touch in order to connect it to a Mac, PC, or a USB accessory.
  • If you use iPod Accessory Protocol (IAP) USB accessories over the Lightning connector (such as CarPlay, assistive devices, charging accessories, or storage carts) or you connect to a Mac or PC you might need to unlock your device to recognize the accessory. If you don’t unlock your device, it won’t communicate with the accessory or computer, and it won’t charge. Note that you don’t need to unlock your device to charge using an Apple USB power adapter.
  • If a USB accessory isn’t recognized after you unlock your device, disconnect it, unlock your device, and reconnect the accessory.
  • If you normally use a USB assistive device to enter your passcode, you may allow it to communicate with your device while it is locked by enabling “USB Accessories” in Settings > Face ID/Touch ID & Passcode.

Even more information is available in Apple’s article “Using USB accessories with iOS 11.4.1 and later”.

In this article, Apple states: “Starting with iOS 11.4.1, if you use USB accessories with your iPhone, iPad, or iPod touch, or if you connect your device to a Mac or PC, you might need to unlock your device for it to recognize and use the accessory. Your accessory then remains connected, even if your device is subsequently locked. … If you don’t first unlock your password-protected iOS device—or you haven’t unlocked and connected it to a USB accessory within the past hour—your iOS device won’t communicate with the accessory or computer, and in some cases, it might not charge. You might also see an alert asking you to unlock your device to use accessories.”

What we discovered is that iOS will reset the USB Restricted Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been paired to the iPhone before (well, in fact, the accessories do not require pairing at all). In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour.

Importantly, this only helps if the iPhone has still not entered USB Restricted Mode.

Most (if not all) USB accessories fit the purpose, for example the Lightning to USB 3 Camera Adapter from Apple.

The official (sic!) Apple Lightning to 3.5mm jack adapter ($9) does not work to defeat USB restrictions; even if it worked, it would not allow pass-through charging (and without it, the iPhone may drain its battery, especially if you transport it in a Faraday bag).

We are now waiting for delivery of several non-original (and so much cheaper; the cheapest one we have found is only $2.69) adapters from AliExpress and will try them, too; we are almost sure that they will work as well. It might be a good idea to develop and manufacture a special Lightning accessory for exactly that purpose, with no extras at all (just power delivery).

How to Fool USB Restricted Mode with a USB Accessory

With the release of iOS 11.4.1, the procedure for properly seizing and transporting iPhone devices may be altered to include a compatible Lightning accessory. Prior to iOS 11.4.1, isolating the iPhone inside a Faraday bag and connecting it to a battery pack would be enough to safely transport it to the lab. iOS 11.4.1 adds the need for another dongle setup.

In order to fool USB Restricted Mode, one would need to perform the following steps:

  1. Connect the iPhone to a compatible Lightning accessory (such as the official Lightning to USB 3 Camera Adapter).
  2. Plug an external battery pack into the adapter (to avoid iPhone battery drain).
  3. Place the entire assembly in a Faraday bag.

According to our tests, this effectively disables the USB Restricted Mode countdown timer and allows the seized device to be transported safely to the lab.

If you get a message that the device should be unlocked in order to use the accessory (when you connect it), then USB Restricted Mode has been activated already, and there is nothing you can do about that, sorry.

What are the chances that the device is seized within an hour after last unlock? Quite high. We were not able to find recent stats, but even two years ago an average user unlocked their iPhone at least 80 times a day.


Why USB Restricted Mode Is So Easily Fooled, and Can Apple Fix It?

So why are we able to fool USB Restricted Mode so easily? Is this an oversight that somehow slipped through the testing of all five iOS 11.4.1 betas? Will Apple patch it in iOS 11.4.2 or iOS 12?

While we cannot know for sure, the issue appears to lie in Apple’s Lightning communication protocol. If the iPhone talks to a computer, the two devices must establish trust by exchanging unique cryptographic keys. This, however, does not apply to the majority of existing Lightning accessories.

Existing accessories share public keys for trust;

cryptographic keys the way computers do. As a result, before USB Restricted Mode kicks in, an iPhone can check if the accessory is MFi certified – but that is pretty much it. It appears that there

Can Apple change it in future versions of iOS? To us, it seems highly unlikely simply because of

those accessories to establish connectivity without requiring an unlock – but that’s about all we can think of.
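
The countdown behaviour described in this article can be modelled as a small state machine. The Python sketch below is an added example, not Apple's or the authors' code: the event names, the `trusted` flag and the stricter `accept_untrusted=False` policy are assumptions made for comparison, and the timelines are constructed.

```python
from dataclasses import dataclass

WINDOW = 60  # minutes: the one-hour window described in the article

@dataclass(frozen=True)
class Event:
    t: int                 # minutes on the timeline
    kind: str              # "unlock", "attach" or "detach"
    trusted: bool = False  # attach only (assumed flag): accessory known to this phone

def data_port_open(events, now, accept_untrusted):
    """True if Lightning data is still available at minute `now`.

    accept_untrusted=True  -> behaviour reported in the article: any accessory
                              attached before the deadline suspends the countdown.
    accept_untrusted=False -> hypothetical stricter policy for comparison.
    """
    restricted, attached, last_reset = True, False, 0  # locked until first unlock
    for ev in sorted(events, key=lambda e: e.t):
        if ev.t > now:
            break
        if not attached and ev.t - last_reset >= WINDOW:
            restricted = True            # countdown expired before this event
        if ev.kind == "unlock":
            restricted, last_reset = False, ev.t
        elif ev.kind == "attach" and not restricted:
            if ev.trusted or accept_untrusted:
                attached = True          # countdown suspended while connected
        elif ev.kind == "detach" and attached:
            attached, last_reset = False, ev.t
    if restricted:
        return False
    return attached or now - last_reset < WINDOW

# Constructed timelines (minutes); none of these are measurements.
EARLY = [Event(0, "unlock"), Event(20, "attach")]    # accessory within the hour
LATE = [Event(0, "unlock"), Event(75, "attach")]     # accessory after the hour
KNOWN = [Event(0, "unlock"), Event(20, "attach", trusted=True), Event(50, "detach")]

if __name__ == "__main__":
    for name, tl in (("EARLY", EARLY), ("LATE", LATE), ("KNOWN", KNOWN)):
        print(name, data_port_open(tl, 180, True), data_port_open(tl, 180, False))
```

The `EARLY` timeline is the only one where the two policies disagree, which is the gap the article describes: an accessory that was never seen before keeps the data port alive indefinitely as long as it is attached within the first hour.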

USB Restricted Mode on Managed Devices

Below are Apple Configurator 2.7.1 Developer Preview Beta Notes:

What’s New

– Configure USB Restricted Mode in the profile editor
– Preparing a supervised device but not enrolling it in MDM will disable USB Restricted Mode on the device to make it easier to continue to manage it using Configurator

The Controversy Around USB Restricted Mode


that this new feature (as well as several security updates disabling Touch ID/Face ID in certain circumstances)


Our opinion remains unchanged: if there is an unpatched vulnerability, it will be exploited by the bad guys sooner or later. USB Restricted Mode, while not addressing the root cause of the problem, is a perfectly viable band-aid that ‘fixes’ the issue for most without inconveniencing the average user all that much. Those who oppose this move by Apple can simply disable the feature on their own phones, or take a radical step and switch to Android.

We’ve seen rumors about Grayshift being able to defeat protection provided by USB Restricted Mode.


While this allows breaking 4-digit passcodes in a reasonable time (about two months worst-case scenario), 6-digit passcodes already make little sense to attack unless one has a custom dictionary, and 6 digits are the default length for the passcode suggested by iOS.

Our Thoughts

The ability to postpone USB Restricted Mode by connecting the iPhone to an untrusted USB accessory is probably nothing more than an oversight. We don’t know if this behavior is here to stay, or if Apple will change it in the near future. According to our tests, both iOS 11.4.1 and iOS 12 beta 2 exhibit similar behavior; however, this can change in subsequent versions of iOS.



