ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»


USB Restricted Mode Inside Out

July 12th, 2018 by Vladimir Katalov

There has been a lot of hype around the new Apple security measure (USB restricted mode) introduced in iOS 11.4.1. Today we’ll talk about how we tested the new mode, what the implications are, and what we like and dislike about it. If you are new to the topic, consider reading our blog articles first (in chronological order):

To make a long story short: apparently, Apple was unable to identify and patch the vulnerabilities that allow passcodes to be broken. Instead, they came up with the idea of blocking the USB data connection after a period of time, so that no data transfer can occur after a certain “inactivity” period (keep reading for the definition of “inactivity”). It is somewhat similar to how Touch ID/Face ID expire from time to time, so that you can only use the passcode if you have not unlocked the device for a period of time. The same now applies to USB.

If you prefer third-party sources over our blog, here is a nice article describing that very feature:

Apple’s USB Restricted Mode: how to use your iPhone’s latest security feature

USB restricted mode first appeared in iOS 11.3 beta (released back in January 2018), with no official information (just some references in the new MDM settings). There were no user-definable settings. The USB port stopped working after one week. For some reason, this mode was not included in the final 11.3 release, nor in iOS 11.4.

In late May, iOS 11.4.1 was introduced, still without any mention of this feature. Just a few days later, iOS 12 beta became available, now with a kind of description of how it works. We started testing USB restricted mode as soon as the first beta of iOS 11.4.1 appeared, and it was “black box” testing; see below.

How we tested

As soon as we noticed a new option in the iOS beta, we just had to test what it does. The first thing we did was lock the phone. Then we tried connecting it to a trusted computer (one that this phone has been used with), every half an hour or so. And it always worked – iTunes recognized the device, allowing us to sync or create a new backup. Where the hell are the new restrictions, we thought? Well, maybe that’s because the computer is trusted? So we deleted the lockdown/pairing record from the computer and tried again. Same results.

We realized that the fact of connection itself may affect the feature. So we waited for one hour, connected again, and… The iPhone vibrated three times, and displayed a message that it should be unlocked before using an “accessory” (yep, the computer is a kind of accessory).

So we had an idea to connect something else (instead of a PC or Mac), like a real accessory. The results were really interesting.

What we tried

The first accessory we tried was this Lightning to 3.5 mm Headphone Jack Adapter ($9). No effect at all. It works with locked and unlocked devices, streaming audio regardless of when you unlocked the phone.

For most other adapters, the result was the same as for the PC/Mac connection. I mean, if you connect an accessory during the first hour, that resets the countdown timer, and the USB restricted mode is not activated. Here is the list of devices we tested:

We recommend the second one, as it not only disables the mode but also has a pass-through power connector, so you can keep the device charged (and it is the least expensive of such devices available directly from Apple).

What about third-party accessories? The ones we ordered and tested (sorry for a long and confusing description; you are lucky not to see their Russian translations):

The first three were not recognized by the iPhone as accessories (though they worked, I mean, they did what they were expected to do). In other words, they were useless for gambling with USB restricted mode. And the last one is about the same as Apple’s Lightning to USB Camera Adapter and so it really works.

One user reported that an OTG drive with a Lightning connector works fine as well. The only problem is that it does not have a power connector.

What do we mean by saying “it works”? Just the following: connect that adapter during the first hour after the last device unlock, and you will get an extra hour before USB restricted mode kicks in; or if you keep the adapter connected, that mode will never activate.

On a side note, we also have one counterfeit Lightning to 3.5 mm Headphone Jack Adapter – and it partially works. If you connect and disconnect that adapter, then you get one extra hour. If you keep it connected, then in about three minutes the iPhone says that this accessory is not supported and, well, “disconnects” it – that means after one hour (plus 2 minutes) the restricted mode will kick in.

What we like

First, we really like the idea. Identifying vulnerabilities is very hard work – you can spend months (or even years) and still miss something. There is absolutely no way to locate and fix all vulnerabilities; you can simply forget it.

Next, we like activation through SOS mode (which is a great idea itself, except for the differences between button combinations in different models). The initial 11.4.1 beta did not have that, but it was added into the second beta. Thanks, Apple!

There is still room for improvement.

Is it a bug? Vulnerability? Oversight?

So “defeating” USB restricted mode is just too simple. Connect the iPhone to a Lightning accessory within the one-hour window, and you’ll have forever to transport that iPhone to a safe place. Is this a bug, a vulnerability, or just an oversight? It’s a bit complex, but I think it’s the latter. On June 9th, Apple published the following article:

Using USB accessories with iOS 11.4.1 and later

If you don’t first unlock your password-protected iOS device—or you haven’t unlocked and connected it to a USB accessory within the past hour—your iOS device won’t communicate with the accessory or computer, and in some cases, it might not charge. You might also see an alert asking you to unlock your device to use accessories.

First, we don’t like the “it might not charge” part. Seriously, charging may not work? I frequently use several different third-party chargers (because I feel the original USB-C charging adapter is grossly overpriced, as is the official USB-C to Lightning cable), and if some of them stop working, that’s an epic fail, I would say.

Also, “you haven’t unlocked and connected it to a USB accessory within the past hour” is not really clear. Is it “and” or “or”? That makes a serious difference.

Finally, pay attention to MDM policies. If your device is managed, you have to know the forced settings, and consider the risks.

Anyway, as we also noted, the current implementation is not perfect. It seems that it works exactly as expected, but we are unsure if Apple thought about possible workarounds like the one we described. Or is it just a pure marketing feature, as some of our readers noted? 😉

How it should be implemented

At this point, there is not much that Apple can do without making serious changes to the Lightning protocol (there is not much public info about it, but you can read Accessory Design Guidelines).

However, some adjustments to the new mode are needed to find the right balance between usability and security, such as an option to adjust the time-out. Some people would definitely want to activate USB restricted mode immediately when the device is locked, while others may want to give it a week to kick in. Right now there is no such option, just on or off.

Next, there is no such thing as a “trusted accessory”, as is the case with PC and Mac computers. It would be great to allow only known (already used with the given device) accessories to work when connected.

The simplest solution would be: do NOT activate USB restricted mode when/if an accessory is connected after one hour has passed, but please activate USB restriction immediately once the accessory is disconnected – and do not accept the next connected accessory! This is what I call a good balance between convenience and security. You can keep the process (of copying the media files or playing video) going, like it works for audio now, but prompt for the passcode if I (or someone else) connect a different accessory. Not really hard to implement.
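The timer behaviour reported above and the rule proposed here, side by side in a simplified model. This is an added example, not Apple's implementation and not ElcomSoft's code. The `simulate` function, the event names and the sample timeline are constructed; the model assumes that disconnecting restarts the hour under the observed behaviour, and that the proposed rule keeps the deadline anchored to the last unlock.

```python
HOUR = 60  # minutes; the one-hour window described in the article

def simulate(events, policy):
    """Replay (minute, kind) events and return one accept/reject decision
    per "connect" event.

    policy "observed": black-box behaviour reported in the article
                       (a connection inside the window buys another hour).
    policy "proposed": the suggested rule (an attached accessory keeps
                       working, but the deadline never moves, so the next
                       accessory after the hour is refused).
    """
    deadline = None   # minute after which new accessories are refused
    attached = False  # True while an accepted accessory is plugged in
    decisions = []
    for minute, kind in sorted(events):
        if kind == "unlock":
            deadline = minute + HOUR
        elif kind == "connect":
            ok = deadline is not None and minute < deadline
            decisions.append(ok)
            attached = ok
            if ok and policy == "observed":
                deadline = minute + HOUR      # the "extra hour"
        elif kind == "disconnect" and attached:
            attached = False
            if policy == "observed":
                deadline = minute + HOUR      # assumption: countdown restarts
    return decisions

# Constructed timeline: unlock, adapter plugged in at minute 50 and left
# attached for hours, then swapped for a different accessory.
TIMELINE = [(0, "unlock"), (50, "connect"), (300, "disconnect"), (310, "connect")]

if __name__ == "__main__":
    for policy in ("observed", "proposed"):
        print(policy, simulate(TIMELINE, policy))
```

Under the observed behaviour the second accessory is still accepted at minute 310; under the proposed rule it is refused until the passcode is entered again.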

Other thoughts

Someone commented that one should be able to call up USB restricted mode through Siri (in addition to SOS mode through special button combination). What a great idea! Honestly, I do not remember how to activate SOS (without actually calling 911) on my iPhone X, and I really doubt that many people will recall it in an emergency.

Mobile security is a slippery subject. On the one hand, the DEA has to fight drug dealers; on the other, it’s your privacy. Mobile security technologies cannot be tied to a particular community. If there is a breach that can be used by the police, it will be used by the criminals as well.

Everyone should be concerned, anyway. We strongly disapprove of the “I have nothing to hide” attitude. One should understand all the risks, and one should be able to defend oneself. Not just from law-enforcement personnel – but also from hackers (I am almost sure they already have access to the GrayKey box).

Conclusion (and how to protect yourself)

Do not use the iPhone! Oh, just kidding 😉 Android-based devices are far less secure (speaking of the screen lock).

If you worry about iPhone passcode cracking tools and technologies, we recommend that you always use the latest version of iOS. Second, use a strong passcode. 4-digit passcodes are definitely not secure, so use at least 6 digits, or even better, a custom alphanumeric password – that way, whether USB restricted mode is activated or not, you are well protected. The passcode cracking speed is about five passcodes per second (and probably can be improved at least a little bit); if you are good at math, you can easily calculate what passcode complexity is good for you. Just do not use one of the common passwords like “trustno1” 🙂
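The calculation mentioned above, worked through as an added example (not part of the original post). It uses the article's figure of five passcodes per second and assumes a uniformly random passcode; the function names and the one-year target are illustrative choices.

```python
RATE = 5  # guesses per second, the figure quoted in the article
YEAR = 365 * 86400  # seconds

def worst_case_seconds(alphabet_size, length, rate=RATE):
    """Seconds needed to try every passcode of exactly this length."""
    return alphabet_size ** length / rate

def min_length(alphabet_size, target_seconds, rate=RATE):
    """Shortest length whose full keyspace takes at least target_seconds."""
    guesses_needed = target_seconds * rate
    length = 1
    while alphabet_size ** length < guesses_needed:
        length += 1
    return length

def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"

if __name__ == "__main__":
    # Alphabet sizes: 10 digits, or 62 letters and digits (a-z, A-Z, 0-9).
    for label, size, length in (("4 digits", 10, 4),
                                ("6 digits", 10, 6),
                                ("6 alphanumeric", 62, 6)):
        print(f"{label:15} {human(worst_case_seconds(size, length))}")
    print("digits needed for a year:       ", min_length(10, YEAR))
    print("alphanumerics needed for a year:", min_length(62, YEAR))
```

These are worst-case figures for exhausting the whole keyspace; on average a random passcode is found in half that time, and a common or guessable passcode falls far sooner.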

