The iPhone's New 'USB Restricted Mode' Can Be Bypassed by Cheap Accessories
Apple recently introduced a new feature in iOS 11.4.1 called USB Restricted Mode, which is meant to block devices that can crack the iPhone’s passcodes and unlock them. However, mobile forensics firm Elcomsoft found that this new security feature can be easily bypassed with just about any Lightning port accessory.
iPhone Restricted Mode
Over the past year or so, several companies have developed ways to unlock seized iPhones for law enforcement, and more would likely have followed unless Apple took steps to address the issue.
That is how Apple arrived at USB Restricted Mode, which, as first implemented, disabled the Lightning port's data connection after the iPhone had not been unlocked for seven days. Seven days is a long window: a device seized by law enforcement would typically have been connected to a cracking tool long before it elapsed.
Some users complained about this online, noting that they had never needed the Lightning port's data connection to be enabled by default. Apple seems to have listened to some degree: in iOS 11.4.1, USB Restricted Mode now engages automatically one hour after the user last unlocked the phone.
USB Restricted Mode Flaw
Elcomsoft’s initial tests showed that once the USB Restricted Mode is enabled, there’s no way to disable it with forensics tools. However, the company found a flaw in Apple’s new implementation of the USB Restricted Mode.
If an accessory is connected to the iPhone within that one-hour window, before Restricted Mode engages, the countdown is reset and the data connection stays available for as long as the accessory remains attached. According to Elcomsoft, even untrusted accessories that have never been paired with the phone can do this, and the company believes that a $2 Lightning cable from an online Chinese store should be enough to keep the port open.
Elcomsoft believes that this is what the police would need to do to bypass iPhone’s new security feature:
- Connect the iPhone to a compatible Lightning accessory (such as the official Lightning to USB 3 Camera Adapter).
- Plug an external battery pack into the adapter (to avoid draining the iPhone's battery).
- Place the entire assembly in a Faraday bag.
Elcomsoft explained that the issue arises because Apple does not enforce cryptographic authentication for iPhone accessories, except for its own. Because many accessories lack support for authentication, and because the iPhone connects to them anyway, any untrusted device can connect to the iPhone and reset the Restricted Mode countdown. The straightforward fix would be to require authentication of all iPhone accessories, but that is unlikely to happen anytime soon.
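To make the timing flaw concrete, here is a small model of the lockdown countdown, added as an illustration for this article; it is not Apple's code and is not based on any iOS internals. It assumes a countdown that starts at the last unlock and, on expiry, disables the port's data connection until the next unlock. The "flawed" policy lets any accessory connection hold the countdown open, which is the behaviour Elcomsoft reported; the "hardened" policy only honours accessories that complete an (assumed) authentication handshake. Accessory names, the `authenticated` flag and the event timeline are constructed for the example.

```python
"""Toy model of a USB lockdown countdown (added illustration, not Apple's code)."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

WINDOW_S = 3600  # one hour, the iOS 11.4.1 setting described in the article


@dataclass(frozen=True)
class Accessory:
    name: str
    authenticated: bool  # assumed concept: did it pass a cryptographic handshake?


@dataclass(frozen=True)
class Event:
    t: float                               # seconds since the last unlock
    kind: str                              # "connect" or "disconnect"
    accessory: Optional[Accessory] = None  # present for "connect" events


# A policy answers: does this accessory keep the data port alive?
Policy = Callable[[Accessory], bool]


def flawed_policy(acc: Accessory) -> bool:
    # Any accessory, trusted or not, resets the countdown (the reported behaviour).
    return True


def hardened_policy(acc: Accessory) -> bool:
    # Only accessories that authenticate may reset the countdown.
    return acc.authenticated


def port_disabled_at(events: Iterable[Event], check_t: float, policy: Policy) -> bool:
    """Return True if the port's data connection is disabled at check_t.

    Single-accessory model: an accepted connection suspends the countdown,
    its disconnection starts a fresh one, and once the countdown has expired
    nothing short of an unlock re-enables the data connection.
    """
    deadline: Optional[float] = WINDOW_S  # None while an accepted accessory holds the port open
    locked = False
    for ev in sorted(events, key=lambda e: e.t):
        if ev.t > check_t:
            break
        if deadline is not None and ev.t >= deadline:
            locked = True  # countdown expired before this event happened
        if locked:
            continue  # late connections cannot revive the port
        if ev.kind == "connect" and ev.accessory is not None and policy(ev.accessory):
            deadline = None
        elif ev.kind == "disconnect" and deadline is None:
            deadline = ev.t + WINDOW_S
    if deadline is not None and check_t >= deadline:
        locked = True
    return locked


# Constructed accessories and timelines for the demonstration.
CHEAP_CABLE = Accessory("$2 Lightning cable", authenticated=False)
OFFICIAL_ADAPTER = Accessory("Lightning to USB 3 Camera Adapter", authenticated=True)
TWO_DAYS_S = 48 * 3600

# The Elcomsoft scenario: plug something in ten minutes after the last unlock
# and leave it attached (in a Faraday bag) until the forensic tool is ready.
ELCOMSOFT_TIMELINE: List[Event] = [Event(600, "connect", CHEAP_CABLE)]


def demo() -> dict:
    """Compare the two policies against the same seizure timeline."""
    return {
        # Flawed policy: the cheap cable keeps the port open indefinitely.
        "flawed_cheap_cable": port_disabled_at(ELCOMSOFT_TIMELINE, TWO_DAYS_S, flawed_policy),
        # Hardened policy: the unauthenticated cable is ignored, port locks after an hour.
        "hardened_cheap_cable": port_disabled_at(ELCOMSOFT_TIMELINE, TWO_DAYS_S, hardened_policy),
        # Hardened policy still admits an authenticated accessory connected in time.
        "hardened_official": port_disabled_at(
            [Event(600, "connect", OFFICIAL_ADAPTER)], TWO_DAYS_S, hardened_policy),
        # Even under the flawed policy, connecting after the hour is too late.
        "flawed_too_late": port_disabled_at(
            [Event(7200, "connect", CHEAP_CABLE)], TWO_DAYS_S, flawed_policy),
    }


if __name__ == "__main__":
    for scenario, disabled in demo().items():
        print(f"{scenario:22s} data port disabled: {disabled}")
```

The `flawed_too_late` case shows why Elcomsoft's procedure stresses speed: the trick only works if something is plugged in before the first hour runs out, which is also why the article's step list has the device go straight from seizure into an adapter and a Faraday bag.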
If Apple does end up switching to the USB Type-C port for one of its next iPhones, as has been rumored, it could use the opportunity to require authentication as well. The USB Promoters Group announced the USB Type-C Authentication specification back in 2016.
jimmysmitty
There is always going to be a way around. No software is 100% secure. Even encryption is not 100%, although to crack some of the best it takes a massive amount of hardware power.
And the day Apple switches to a universal standard like USB Type-C is the day hell will most likely freeze over.
InvalidError
21129969 said: No software is 100% secure.
It is possible to write 100% secure software - I'm pretty sure I can write a 100% secure 1Hz blinker firmware for an ATtiny8 micro-controller, it'll be as secure as the controller itself can be :)
However, writing 100% secure software becomes increasingly impractical as complexity goes up, especially on platforms that rely on heaps of boilerplate code and an OS that normal developers have no visibility into or control over.
Mpablo87
Oh! One more useless device. And it will cost you 1000000000000 dollars. I don't like their products.
ThisIsMe
It would actually be easy to fix. Apple just needs to set it to disable peripheral detection as soon as the phone is locked by default. Give the user the option to set a timer if desired. Although I don't see why many people would have an issue with unlocking their phone before connecting such a device, so I don't see many people even caring enough to want to disable such a good security measure.
Giroro
Knowing Apple, they'll probably remove physical data pins altogether.
Anyone who wants to transfer data to the phone will need to do so using a proprietary wireless protocol that requires a MacBook and a $75 dongle.
velocityg4
Apple should just provide options in settings for users. One to only allow authenticated devices and one to never allow any device. Heck, with wireless charging, you should be able to disable the port entirely.
I wouldn't mind enabling the peripheral connection once a month for encrypted backups in iTunes.
jasonkaler
21130146 said: I'm pretty sure I can write a 100% secure 1Hz blinker firmware for an ATtiny8 micro-controller, it'll be as secure as the controller itself can be :)
I doubt it. I bet you $100 I'll be able to re-flash your ATtiny with my own malware, even if you go to the trouble of disabling the reset fuse so that it can't be re-flashed.
A mere 12V to the reset line and the tiny goes blank, ready to accept my own 2Hz blink routine!
The big problem outlined in this article is that Apple secured one entry, while leaving a gaping back door unprotected.
"Let's secure the door and use that as marketing to tell everyone how secure our devices are" while leaving door B wide open.