While the dust surrounding the controversy of rushed iOS 13 release settles, we are continuing our research on what has changed in iOS forensics. In this article we’ll review the new policy on USB restrictions and lockdown record expiration in the latest iOS release. We’ll also analyze how these changes affect experts investigating iPhone devices updated to the latest OS release.
The real purpose of the USB restricted mode may not be immediately obvious, and the new enhancements may cause even more confusion. In our view, using USB accessories while the device is locked creates no additional risk to the user’s security and privacy. However, if we assume that this mode is aimed straight at certain forensic extraction and passcode-cracking solutions (such as GrayKey), the target of the USB restriction would be law enforcement agencies.
USB restricted mode made its appearance in iOS 11.4.1 and further enhanced in iOS 12. We posted five articles on the matter; do check them out if you don’t know what this feature is for. We also recommend the original Apple KB article “Using USB accessories with iOS 11.4.1 and later”.
Apple is still to update its iOS Security Guide. The May 2019 version (iOS 12.3) of the Guide defines USB restricted mode as follows.
To improve security while maintaining usability, Touch ID, Face ID, or passcode entry is required to activate data connections via the Lightning, USB, or Smart Connector interface if no data connection has been established recently. This limits the attack surface against physically connected devices such as malicious chargers, while still enabling usage of other accessories within reasonable time constraints. If more than an hour has passed since the iOS device has locked or since an accessory’s data connection has been terminated, the device won’t allow any new data connections to be established until the device is unlocked. During this hour period, only data connections from accessories that have been previously connected to the device while in an unlocked state will be allowed. Attempts by an unknown accessory to open a data connection during this period will disable all accessory data connections over Lighting, USB, and Smart Connector until the device is unlocked again. (Source: iOS Security Guide May 2019 edition, iOS 12.3).
In our research of several devices running iOS 13.1, we figured out the following.
Accessory “pairing”
Apparently, Apple has implemented a method of “pairing” accessories to the iPhone. In order to “pair” a computer, you would need to enter the PIN code on the iPhone; the devices would then exchange cryptographic keys to enable the transfer of data (including pictures). “Pairing” an accessory is a single-sided process that does not require the PIN code and does not involve cryptographic keys. An accessory is “paired” to the iPhone when the user first connects it to the iPhone while the device is unlocked (or by unlocking the iPhone after connecting the accessory). The iPhone will then store information about the “paired” accessory and assign that accessory a “trusted” status.
USB restrictions for “paired” and “new” accessories
In iOS 13, data communications over the USB port (Lightning connection) are restricted after one hour since the device has been locked or since the user disconnects a previously used accessory.
What’s new here is how iOS treats “paired” and “new” USB accessories. If the user attempts to connect a previously paired USB accessory, the connection will be established during the one-hour period.
If, however, the user attempts to connect a new accessory that was not previously “paired” with the iPhone, the USB port will be locked down immediately even if the connection attempt is made within that one-hour period.
Our recommendation from 2018 stands no more
Back in 2018, we published an article “This $39 Device Can Defeat iOS USB Restricted Mode”. The article contained a recommendation that would allow to delay USB restricted mode by connecting a digital accessory to the iPhone during the one hour period. Apparently, this trick only worked for iOS 11.4.1.
In iOS 12, Apple changed the way USB restricted mode worked.
In addition, on iOS 12 if it’s been more than three days since a USB connection has been established, the device will disallow new USB connections immediately after it locks. This is to increase protection for users that don’t often make use of such connections. USB connections are also disabled whenever the device is in a state where it requires a passcode to re-enable biometric authentication. (Source: Apple iOS Security, September 2018).
There was no accessory “pairing” in the original build of iOS 12. In subsequent iOS releases, Apple continued tweaking USB restrictions until it developed the current scheme.
Our current recommendation on USB restrictions
Apple continues its journey, fighting GrayKey and other tools that could break iOS security by extracting information from a locked device or attacking screen lock passcodes. The current implementation makes connecting a “new” accessory to the iPhone counter-productive. There are currently two strategies for transporting the seized iOS devices to the lab.
We don’t know how (or if) the new USB restrictions will affect acquisition attempts with GrayKey and competing products. We do know for certain that these restrictions will make logical acquisition impossible – unless the expert can unlock the iPhone with a passcode or biometrics. Biometric unlocks, however, carry their own share of restrictions; particularly, establishing pairing with a new computer requires entering the screen lock passcode or providing a non-expired lockdown record.
Forensic implications
The one major effect of USB restricted mode affects the ability of forensic experts to perform logical acquisition of iOS devices. This affects not only (and not particularly) those in a possession of a GrayKey unit; on the contrary, once the USB restrictions are activated (and the chance of that is higher than before), one will be unable to pair, connect or extract the device, including but not limited to accessing backups and photos. That, even if one has access to a valid lockdown record.
Lockdown Expiry Rules Explained
We’ve been long in the dark about the exact rules governing the expiration of iTunes pairing records (lockdown files). Lockdown files, otherwise known as pairing records, can be used for logical extraction of iOS devices. A pairing file created on one computer (the user’s) can be used by the expert to pull information from the iOS device – that is, without knowing the PIN code or pressing the user’s finger to unlock the device.
Sometime during the development cycle of iOS 11.3, Apple published Release Notes mentioning that iOS lockdown records will carry an expiry date (we wrote about that here). The currently available iOS Security Guide finally clarifies the life cycle of iOS lockdown records:
The pairing process requires the user to unlock the device and accept the pairing request from the host. In iOS 11 or later, the user is also required to enter their passcode. After the user has done this, the host and device exchange and save 2048-bit RSA public keys. The host is then given a 256-bit key that can unlock an escrow keybag stored on the device (refer to “Escrow keybag” within the Keybags section of this paper). The exchanged keys are used to start an encrypted SSL session, which the device requires before it will send protected data to the host or start a service (iTunes syncing, file transfers, Xcode development, etc.). The device requires connections from a host over Wi-Fi to use this encrypted session for all communication, so it must have been previously paired over USB. Pairing also enables several diagnostic capabilities. In iOS 9, if a pairing record hasn’t been used for more than six months, it expires. This timeframe is shortened to 30 days in iOS 11 or later. (Source: iOS Security Guide May 2019 edition, iOS 12.3).
Mystery solved: the official lifespan of lockdown records is 30 days.