Security Researchers Find Vulnerability in Apple’s USB Restricted Mode for iOS Devices
Security researchers claim to have discovered a loophole that bypasses USB Restricted Mode, Apple’s latest anti-hacking feature in iOS 12 beta and iOS 11.4.1, which was released on Monday.
USB Restricted Mode is designed to make iPhones and iPads immune to certain hacking techniques that use a USB connection to download data through the Lightning connector to crack the passcode.
iOS 11.4.1 and iOS 12 prevent this by default by disabling data access to the Lightning port if it’s been more than an hour since the iOS device was last unlocked. Users can also quickly disable the USB connection manually by engaging Emergency SOS mode.
However, researchers at cybersecurity firm ElcomSoft claim to have discovered a loophole that resets the one-hour counter. The bypass technique involves connecting a USB accessory into the Lightning port of the iOS device, which prevents USB Restricted Mode from locking after one hour.
ElcomSoft’s Oleg Afonin explained the technique in a blog post:
What we discovered is that iOS will reset the USB Restrictive Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been paired to the iPhone before (well, in fact the accessories do not require pairing at all). In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour. Importantly, this only helps if the iPhone has still not entered USB Restricted Mode.
According to Afonin, Apple’s own $39 Lightning to USB 3 Camera Adapter can be used to reset the counter. Researchers are currently testing a mix of official and third-party adapters to see what else works with the bypass technique.
Afonin notes that ElcomSoft found no obvious way to break USB Restricted Mode once it has been engaged, suggesting the vulnerability is, in his words, “probably nothing more than an oversight” on Apple’s part. Still, at present its existence provides a potential avenue for law enforcement or other potentially malicious actors to prevent USB Restricted Mode from activating shortly after seizure.
Both iOS 11.4.1 and iOS 12 beta 2 are said to exhibit the same behavior when exploiting the loophole. However, expect this to change in subsequent versions of iOS – Apple continually works on strengthening security protections and addressing iPhone vulnerabilities as quickly as possible to defend against hackers.
Apple reportedly introduced USB restrictions to disable commercial passcode cracking tools like GrayKey. Afonin cites rumors that the newer GrayShift tool is able to defeat the protection provided by USB Restricted Mode, but the research community has yet to see firm evidence confirming this.
Related Roundups: iOS 11, iOS 12Tag: Apple security
Discuss this article in our forums