Posts Tagged ‘USB Restricted Mode’

The checkra1n jailbreak is fantastic. Not only does it work with the latest versions of iOS the other jailbreaks aren’t even available for, but it also allows performing partial data extraction from disabled and locked iPhones even if the passcode is not known. Still, you can encounter some problems if the USB restricted mode has been activated on the device. The latest build of chechra1n is to the rescue.

The USB restricted mode was introduced in iOS 11.4.1, improved in iOS 12 and further strengthened in iOS 13. The USB restrictions are a real headache for iPhone investigators. We’ve discovered a simple yet effective trick to fool it in some cases, but currently it securely protects the iPhones from passcode cracking and BFU (Before First Unlock) extractions. However, there is a trick allowing you to obtain some information from devices with disabled USB interface. Learn how to use this trick with the recently updated iOS Forensic Toolkit.

While the dust surrounding the controversy of rushed iOS 13 release settles, we are continuing our research on what has changed in iOS forensics. In this article we’ll review the new policy on USB restrictions and lockdown record expiration in the latest iOS release. We’ll also analyze how these changes affect experts investigating iPhone devices updated to the latest OS release.

The release of iOS 11.4.1 back in July 2018 introduced USB Restricted Mode, a feature designed to defer passcode cracking tools such as those developed by Cellerbrite and Grayshift. As a reminder, iOS 11.4.1 automatically switches off data connectivity of the Lightning port after one hour since the device was last unlocked, or one hour since the device has been disconnected from a USB accessory or computer. In addition, users could manually disable the USB port by following the S.O.S. mode routine.

The release of iOS 11.4.1 marked the introduction of USB restricted mode, a then-new protection scheme disabling USB data pins after one hour. The USB restricted mode was not invincible; in fact, one could circumvent protection by connecting the device to a $39 accessory. While a great improvement on itself, the new mode did not provide sufficient protection. We wished Apple maintained a list of “trusted” or previously connected accessories on the device, allowing only such devices to reset the timer. In this new iOS 12 beta, Apple makes attempts to further “improve” USB restricted mode, yet the quotes about “improving” the system are there on purpose.

It’s been a lot of hype around the new Apple security measure (USB restricted mode) introduced in iOS 11.4.1. Today we’ll talk about how we tested the new mode, what are the implications, and what we like and dislike about it. If you are new to the topic, consider reading our blog articles first (in chronological order):

The most spoken thing about iOS 11.4.1 is undoubtedly USB Restricted Mode. This highly controversial feature is apparently built in response to threats created by passcode cracking solutions such as those made by Cellerbrite and Grayshift. On unmanaged devices, the new default behavior is to disable data connectivity of the Lightning connector after one hour since the device was last unlocked, or one hour since the device has been disconnected from a trusted USB accessory. In addition, users can quickly disable the USB port manually by following the S.O.S. mode routine.

As we wrote back in May, Apple is toying with the idea of restricting USB access to iOS devices that have not been unlocked for a certain period of time. At the time of publication, our article received a lot of controversial reports. When this mode did not make it into the final build of iOS 11.4, we enjoyed a flow of sarcastic comments from journalists and the makers of passcode cracking toolkits. Well, there we have it: Apple is back on track with iOS 11.4.1 beta including the new, improved and user-configurable USB Restricted Mode.