Just as Apple rolled out its new USB Restricted Mode security feature in an OS update, Monday, researchers said that they have already found a workaround.
USB Restricted Mode, released as part of iOS 11.4.1, had removed an iPhone USB access feature, so that an hour after the iPhone has been locked, the phone’s Lightning port (its charging and data port) will automatically lock.
However, researchers at ElcomSoft said that connecting an iPhone to a Lightning accessory – or even an untrusted USB accessory – will reset the USB Restricted Mode countdown timer, as long as the iPhone has still not entered USB Restricted Mode.
“The ability to postpone USB Restricted Mode by connecting the iPhone to an untrusted USB accessory is probably nothing more than an oversight,” Oleg Afonin, researcher with ElcomSoft, said in a post. “We don’t know if this behavior is here to stay, or if Apple will change it in near future. According to our tests, both iOS 11.4.1 and iOS 12 beta 2 exhibit similar behavior; however, this can change in subsequent versions of iOS.”
Apple has not yet responded to a request for comment from Threatpost on the new report.
In order to work around the USB Restricted Mode, Afonin said that he connected an iPhone to a compatible Lightning accessory – in his case Apple’s Lightning to USB 3 Camera Adapter.
After plugging an external battery pack to the adapter to avoid iPhone battery drain, he then placed the iPhone in a Faraday bag – or an enclosure used to block electromagnetic fields.
“According to our tests, this effectively disables USB Restricted Mode countdown timer, and allows safely transporting the seized device to the lab,” he said.
There are drawbacks to Afonin’s method. He said that some adapters, including the Apple Lightning to 3.5mm jack adapter, do not work to defeat USB restrictions. And, if the iPhone has already entered USB Restricted Mode, the trick ultimately does not work: “If you get a message that the device should be unlocked in order to use the accessory (when you connect it), then USB restricted mode has been activated already, and there is nothing you can do about that, sorry,” he said.
The USB Restricted Mode feature was welcomed by privacy and security advocates because it blocked off several devices – some used by federal law enforcement agencies – that have been designed to hack into iPhones via the Lightning port.
Afonin said the newly-discovered trick could help law enforcement in some cases. “In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour,” he said.
One such device, called the GrayKey box, has been known to unlock iPhones using the Lightning port to install software that cracks the passcode of an iOS device. Reports have found that several federal agencies – such as the FBI – have used the device, made by a company called Grayshift, to unlock up-to-date iPhones.
Grayshift has claimed that it found a workaround to Apple’s solution, according to a report by Motherboard in June.
However, Afonin stressed that regardless of any workaround, the USB Restricted Mode means that devices such as GrayKey and others are now “limited to slow recovery rates.”
“At this point, these are nothing more than just rumors; the company’s official policy is never issuing comments about pre-release software,” he said. “Either way, since iOS 11.4, the speed of GrayKey (and probably its competitors) is limited to slow recovery rates of one passcode in 10 minutes. While this allows breaking 4-digit passcodes in reasonable time (about two months worst-case scenario), 6-digit passcodes already make little sense to attack unless one has a custom dictionary, and 6 digits is the default length for the passcode suggested by iOS.”