ElcomSoft blog

iOS 12 Beta 5: One Step Forward, Two Steps Back

July 31st, 2018 by Vladimir Katalov

The release of iOS 11.4.1 marked the introduction of USB restricted mode, a then-new protection scheme disabling USB data pins after one hour. The USB restricted mode was not invincible; in fact, one could circumvent protection by connecting the device to a $39 accessory. While a great improvement in itself, the new mode did not provide sufficient protection. We wished Apple maintained a list of “trusted” or previously connected accessories on the device, allowing only such devices to reset the timer. In this new iOS 12 beta, Apple makes attempts to further “improve” USB restricted mode, and the quotes around “improve” are there on purpose.

We recently covered the whole story starting from iOS 11.3 and up to the then-current iOS 12 beta, but it looks like the story is far from over. I think Apple monitors media coverage including our blog, and takes note of some of the readers’ comments in an attempt to find the right balance between security and convenience. We even suggested how they could possibly improve the new mode’s implementation, and… iOS 12 Beta 5 (just released) brings another surprise.

iOS 12 beta 5 release notes bring nothing new, and have exactly the same statement about USB restricted mode as the previous betas. We had to test the new build extensively to figure out whether there were any changes to USB restricted mode at all.

During the test, I installed beta 5 on two test devices (one iPhone SE and one iPhone 6s), locked them and waited for an hour. After that, I attempted to connect an accessory. No surprises: I got a notification that the device has to be unlocked in order to use the accessory. So far, so good.

Then I unlocked the device, locked it again, and immediately (no waiting) connected an accessory. To my surprise, I got the same notification. Does that mean that the accessory is not “trusted” yet? But how is that possible if it does not have a unique ID? Something strange was going on, and we had to find out.

I then unlocked the device one more time and connected the accessory while the device was unlocked. No issues. Accessory disconnected, device locked, accessory connected again. Oops! Now it connects! So is it trusted now? Does the device maintain a list of previously connected accessories?

In fact, the answer is “no, but it’s complicated”. Apparently, if you connect an accessory while the iPhone is still unlocked, or connect the iPhone to a computer (trusted or not), then the locked iPhone will accept all accessories for the first hour, including those that were never attached to it before. What this probably means is that Apple added a flag that is raised as soon as any accessory is connected in the phone_is_unlocked state. After that, you can connect anything (any other compatible accessory, or a desktop/laptop, even an untrusted one) while the iPhone is locked, and that accessory/computer will still prevent USB restricted mode from activating. Caveat: you must do that during the first hour.

Since this is a beta, the new restriction isn’t perfect. Once you update to iOS 12 beta 5, you can only pull this trick immediately after the update (we tried on multiple devices to confirm). However, if you connect the iPhone to a computer or an accessory while it’s unlocked, even once, the new restriction will no longer engage: not after a number of locks/unlocks, and not even after a reboot. Is this a glitch? We don’t know. Considering that this is still a beta, and a developer beta at that, we think this might be a bug in the new restriction.
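As an added example (not Apple’s or ElcomSoft’s code), the following Python models the behaviour described in the test sequences above: the one-hour timer from iOS 11.4.1, the flag beta 5 appears to add when an accessory is connected while the phone is unlocked, and the observed failure to clear that flag. The class, its state names, and treating a reboot as a plain lock are assumptions made for the model.

```python
# Added example: a state-machine reading of the behaviour the post reports.
ONE_HOUR = 3600

class Phone:
    def __init__(self, build):
        self.build = build                     # "11.4.1" or "12b5"
        self.now = 0                           # simulated seconds
        self.unlocked = False
        self.last_activity = 0                 # last unlock or accepted connection
        self.accessory_while_unlocked = False  # the flag beta 5 appears to add

    def unlock(self):
        self.unlocked = True
        self.last_activity = self.now

    def lock(self):
        self.unlocked = False

    def restricted(self):
        # Data pins go dark one hour after the last unlock or accepted connection.
        return self.now - self.last_activity >= ONE_HOUR

    def connect_accessory(self):
        """Return True if the accessory is given a data connection."""
        if self.unlocked:
            self.accessory_while_unlocked = True
            self.last_activity = self.now
            return True
        if self.restricted():
            return False   # both builds: 'unlock to use accessory' notification
        if self.build == "12b5" and not self.accessory_while_unlocked:
            return False   # beta 5 only: a locked phone with the flag down refuses
        self.last_activity = self.now   # an accepted connection re-arms the hour
        return True

def locked_then_connect(build, wait=60):
    # Lock the phone, wait, then plug in an accessory it has never seen.
    p = Phone(build); p.unlock(); p.lock(); p.now += wait
    return p.connect_accessory()   # within the hour: 11.4.1 True, 12b5 False

def connected_while_unlocked_then_locked(build):
    p = Phone(build); p.unlock(); p.connect_accessory(); p.lock(); p.now += 60
    return p.connect_accessory()   # True on both builds

def flag_survives_relock_and_reboot():
    # The beta 5 bug as described: lock/unlock cycles and a reboot never clear it.
    p = Phone("12b5"); p.unlock(); p.connect_accessory()
    for _ in range(3): p.lock(); p.unlock()
    p.lock(); p.now += 60   # lock stands in for the reboot; flag is untouched
    return p.connect_accessory()   # True: the new restriction no longer engages
```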

This is a move in the right direction, but it’s way too much or way too little depending on who you ask. If you ask me, as an avid user of the Apple ecosystem, I want them to keep trying. I want them to patch the vulnerabilities that allow GrayKey to exist. In other words, I want them to make properly secure devices. I know this is much harder to do, but it is the right way to go and, unlike the “improvements” we’re seeing in the fifth developer beta, doing it the right way won’t inconvenience users but will actually add some security.

If you ask the hard-working police officer, you’ll probably be told it’s way too much. We would agree with that statement – if the feature worked as intended, and it just doesn’t. The way it is now, very little, if anything at all, changes from what we see in iOS 11.4.1. If at least one compatible accessory or a PC (trusted or not) is connected to the device while the device is unlocked, we’re essentially back to iOS 11.4.1 behavior – no matter how many times you lock, unlock or reboot the device afterwards. So what was that, Apple? Seems like a major bug to us.

We will keep our eyes open and continue our testing. We do have a lot of test iPhones running different iOS versions (including betas), as well as all Lightning accessories available on the market, and a bit of spare time.

Along with iOS 12 beta 5, Apple Configurator has been updated to version 2.7.1. This is what’s new:

– Preparing supervised devices for management by Configurator now automatically allows USB accessory connections while device is locked
– Configure new supervised-only restriction for iOS 11.4.1: Allow USB accessories while device is locked

So this release allows disabling USB restricted mode when required (typically, in a corporate environment).

Last but not least: once the iPhone is already in USB restricted mode, it does not charge from the computer (PC or Mac). We found that bug (?) in earlier betas, but thought Apple was going to fix it, as many users complained. Nope. Here is what the release notes say on charging:

If you don’t unlock your device, it won’t communicate with the accessory or computer, and it won’t charge. Note that you don’t need to unlock your device to charge using an Apple USB power adapter.

Oh yes, Apple’s own power adapter works fine – but why can’t we charge from the computer? Isn’t it easy to block just the data but allow charging?
