The iPhone's New 'USB Restricted Mode' Can Be Bypassed by Cheap Accessories

Apple recently introduced a new feature in iOS 11.4.1 called USB Restricted Mode, which is meant to block devices that can crack iPhone passcodes and unlock the phones. However, mobile forensics firm Elcomsoft found that this new security feature can be easily bypassed with just about any Lightning port accessory.

iPhone Restricted Mode

Over the past year or so, we’ve seen more companies develop ways to unlock locked iPhones for law enforcement, and chances are we would’ve seen more in the future unless Apple took steps to address this issue.

This is how Apple came up with the USB Restricted Mode, which disables the Lightning port data connection after the iPhone hasn’t been unlocked for seven days. Seven days is a significant amount of time, though: by the time they pass, law enforcement would likely have long since unlocked a device in its possession.

Some users complained about this online, noting that they’ve never even needed the data connection for their Lightning port to be enabled by default. Apple seems to have listened to some degree, as the USB Restricted Mode is now automatically enabled an hour after the user has last unlocked the phone.

USB Restricted Mode Flaw

Elcomsoft’s initial tests showed that once the USB Restricted Mode is enabled, there’s no way to disable it with forensics tools. However, the company found a flaw in Apple’s new implementation of the USB Restricted Mode.

If an accessory is connected to the iPhone within that one-hour timeframe before the Restricted Mode is enabled, then it will be able to disable the lockdown timer. According to Elcomsoft, even untrusted accessories can do this, and the company believes that it should be able to keep an iPhone unlocked even with $2 iPhone cables from online Chinese stores.

Elcomsoft believes that this is what the police would need to do to bypass iPhone’s new security feature:

  1. Connect the iPhone to a compatible Lightning accessory (such as the official Lightning to USB 3 Camera Adapter).
  2. Plug an external battery pack into the adapter (to avoid iPhone battery drain).
  3. Place the entire assembly in a Faraday bag.

Elcomsoft explained that this issue with the USB Restricted Mode feature arises from the fact that Apple doesn’t enforce cryptographic authentication for iPhone accessories, except for its own. Because many iPhone accessories lack support for authentication, and because the iPhone connects to them anyway, any untrusted device could connect to the iPhone and exploit or bypass certain security features. The only way for Apple to fix this flaw now would be to require authentication of all iPhone accessories, but this likely won’t happen anytime soon.
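
A minimal model of the timer behaviour described above, added here as an illustration and not Apple's or Elcomsoft's code. The names `Event`, `data_port_open` and `require_auth` are hypothetical; the model assumes one accessory at a time and that an accepted accessory attached before the one-hour deadline holds the timer off for as long as it stays connected.

```python
from dataclasses import dataclass

RESTRICT_AFTER_S = 3600  # one hour since the last unlock, as stated in the article


@dataclass(frozen=True)
class Event:
    t: int                       # seconds since the last unlock
    kind: str                    # "attach" or "detach"
    authenticated: bool = False  # accessory passed cryptographic authentication


def data_port_open(events, now, require_auth):
    """Return True if the Lightning data connection is still allowed at `now`.

    require_auth=False models the behaviour the article describes: any
    accessory, trusted or not, holds the lockdown timer off.
    require_auth=True models the fix the article names: only accessories
    that authenticate may hold the timer off.
    """
    holding = False
    for ev in sorted(events, key=lambda e: e.t):
        if ev.t > now:
            break
        if ev.kind == "attach":
            accepted = ev.authenticated or not require_auth
            # An attach after the deadline never re-opens a restricted port.
            if accepted and ev.t < RESTRICT_AFTER_S:
                holding = True
        elif ev.kind == "detach":
            holding = False
    return holding or now < RESTRICT_AFTER_S


# Constructed timeline: an unauthenticated accessory is attached 50 minutes
# after the last unlock and left connected.
UNTRUSTED_EARLY = [Event(3000, "attach")]

if __name__ == "__main__":
    two_hours = 7200
    print("current policy :", data_port_open(UNTRUSTED_EARLY, two_hours, False))
    print("auth required  :", data_port_open(UNTRUSTED_EARLY, two_hours, True))
```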

If Apple does end up switching to the USB Type-C port for one of its next iPhones, as has been previously rumored, it could use the opportunity to require authentication, too. The USB Promoters Group announced support for USB Type-C authentication back in 2016.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • jimmysmitty
    There is always going to be a way around. No software is 100% secure. Even encryption is not 100% although to crack some of the best it takes a massive amount of hardware power.

    And the day Apple switches to a universal standard like USB Type-C is the day hell will most likely freeze over.
  • InvalidError
    21129969 said:
    No software is 100% secure.
    It is possible to write 100% secure software - I'm pretty sure I can write a 100% secure 1Hz blinker firmware for an ATtiny8 micro-controller, it'll be as secure as the controller itself can be :)

    However, writing 100% secure software becomes increasingly impractical as complexity goes up, especially on platforms that rely on heaps of boilerplate code and an OS that normal developers have no visibility into or control over.
  • Mpablo87
    Oh! One more useless device. And it will cost you 1000000000000 dollars. I don't like their products.
  • ThisIsMe
    It would actually be easy to fix. Apple just needs to set it to disable peripheral detection as soon as the phone is locked by default. Give the user the option to set a timer if desired. Although I don’t see why many people would have an issue with unlocking their phone before connecting such a device, so I don’t see many people even caring enough to want to disable such a good security measure.
  • Giroro
    Knowing Apple, they'll probably remove physical data pins altogether.
    Anyone who wants to transfer data to the phone will need to do so using a proprietary wireless protocol that requires a MacBook and a $75 dongle.
  • velocityg4
    Apple should just provide options in settings for users. One to only allow authenticated devices and one to never allow any device. Heck, with wireless charging, you should be able to disable the port entirely.

    I wouldn’t mind enabling the peripheral connection once a month for encrypted backups in iTunes.
  • jasonkaler
    21130146 said:
    I'm pretty sure I can write a 100% secure 1Hz blinker firmware for an ATtiny8 micro-controller, it'll be as secure as the controller itself can be :)

    I doubt it. I bet you $100 I'll be able to re-flash your attiny with my own malware, even if you go to the trouble of disabling the reset fuse so that it can't be re-flashed.
    A mere 12v to the reset line and the tiny goes blank, ready to accept my own 2Hz blink routine!

    The big problem outlined in this article is that Apple secured one entry, while leaving a gaping back-door unprotected.
    "Let's secure the door and use that as marketing to tell everyone how secure our devices are" while leaving door B wide open.