This $39 Device Can Defeat iOS USB Restricted Mode









42





148 Shares

The most spoken thing about iOS 11.4.1 is undoubtedly USB Restricted Mode. This highly controversial feature is apparently built in response to threats created by passcode cracking solutions such as those made by Cellerbrite and Grayshift. On unmanaged devices, the new default behavior is to disable data connectivity of the Lightning connector after one hour since the device was last unlocked, or one hour since the device has been disconnected from a trusted USB accessory. In addition, users can quickly disable the USB port manually by following the S.O.S. mode routine.

Once USB Restricted Mode is engaged on a device, no data communications occur over the Lightning port. A connected computer or accessory will not detect a “smart” device. If anything, an iPhone in USB Restricted Mode acts as a dumb battery pack: in can be charged, but cannot be identified as a smart device. This effectively blocks forensic tools from being able to crack passcodes if the iPhone spent more than one hour locked. Since law enforcement needs time (more than one hour) to transport the seized device to a lab, and then more time to obtain an extraction warrant, USB Restricted Mode seems well designed to block this scenario. Or is it?

We performed several tests, and can now confirm that USB Restricted Mode is maintained through reboots, and persists software restores via Recovery mode. In other words, we have found no obvious way to break USB Restricted Mode once it is already engaged. However, we discovered a workaround, which happens to work exactly as we suggested back in May (this article; scroll down to the “Mitigation” chapter).

This $39 Device Can Fool USB Restricted Mode

According to Apple, iOS 11.4.1 may require users to unlock their passcode-protected iOS devices in order to connect them to a PC, Mac or a USB accessory after one hour since the device has been last unlocked or disconnected from a trusted USB accessory or computer. Some information on the new mode is given in iOS 12 release notes:

To improve security, iOS 12 beta may require you unlock your passcode-protected iPhone, iPad, or iPod touch in order to connect it to a Mac, PC, or USB accessory.

If you use iPod Accessory Protocol (iAP) USB accessories over the Lightning connector (such as CarPlay, assistive devices, charging accessories, or storage carts) or you connect to a Mac or PC you might need to unlock your device to recognize the accessory. If you don’t unlock your device, it won’t communicate with the accessory or computer, and it won’t charge. Note that you don’t need to unlock your device to charge using an Apple USB power adapter.

If a USB accessory isn’t recognized after you unlock your device, disconnect it, unlock your device, and reconnect the accessory.

If you normally use a USB assistive device to enter your passcode, you may allow it to communicate with your device while it is locked by enabling “USB Accessories” in Settings > Face ID/Touch ID & Passcode.

Even more information is available in Apple’s article Using USB accessories with iOS 11.4.1 and later. In this article, Apple states: “Starting with iOS 11.4.1, if you use USB accessories with your iPhone, iPad, or iPod touch, or if you connect your device to a Mac or PC, you might need to unlock your device for it to recognize and use the accessory. Your accessory then remains connected, even if your device is subsequently locked. … If you don’t first unlock your password-protected iOS device—or you haven’t unlocked and connected it to a USB accessory within the past hour—your iOS device won’t communicate with the accessory or computer, and in some cases, it might not charge. You might also see an alert asking you to unlock your device to use accessories.”

What we discovered is that iOS will reset the USB Restrictive Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been paired to the iPhone before (well, in fact the accessories do not require pairing at all). In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour. Importantly, this only helps if the iPhone has still not entered USB Restricted Mode.

Most (if not all) USB accessories fit the purpose — for example, Lightning to USB 3 Camera Adapter from Apple:

The official (sic!) Apple Lightning to 3.5mm jack adapter ($9) does not work to defeat USB restrictions; even if works, it does not allow is pass-through charging (and without it, the iPhone may drain its battery, especially if you transport it in a Faraday bag).

We are now waiting for delivery of several non-original (and so much cheaper; the c cheapest one we have found is $2.69 only) adapters from AliExpress and will try with them, too — almost sure that they will work as well. That might me a good idea to develop and manufacture the special Lightning accessory for exactly that purpose, and no extras at all (just power delivery).

How to Fool USB Restricted Mode with a USB Accessory

With the release of iOS 11.4.1, the procedure for properly seizing and transporting iPhone devices may be altered to include a compatible Lightning accessory. Prior to iOS 11.4.1, isolating the iPhone inside a Faraday bag and connecting it to a battery pack would be enough to safely transport it to the lab. iOS 11.4.1 adds the need for another dongle setup. In order to fool USB Restricted Mode, one would need to perform the following steps:

Connect the iPhone to a compatible Lightning accessory (such as the official Lightning to USB 3 Camera Adapter). Plug external battery pack to the adapter (to avoid iPhone battery drain). Place the entire assembly in a Faraday bag.

According to our tests, this effectively disables USB Restricted Mode countdown timer, and allows safely transporting the seized device to the lab.

If you get a message that the device should be unlocked in order to use the accessory (when you connect it), then USB restricted mode has been activated already, and there is nothing you can do about that, sorry.

What are the chances that the device is seized within in hour after last unlock? Quite high. We were not able to find recent stats, but even two years ago an average user unlocked their iPhone at least 80 times a day.

Why USB Restricted Mode Is So Easily Fooled, and Can Apple Fix It?

So why are we able to fool USB Restricted Mode as easy? Is this an oversight that somehow slipped through the testing of all the five iOS 11.4.1 betas? Will Apple patch it in iOS 11.4.2 or iOS 12?

While we cannot know for sure, the issue appears to lie in Apple’s Lightning communication protocol. If the iPhone talks to a computer, the two devices must establish trust by exchanging unique cryptographic keys. This, however, does not apply to the majority of existing Lightning accessories. Existing accessories share public keys for trust; many of them are simply not designed to exchange cryptographic keys the way computers do. As a result, before USB Restricted Mode kicks in, an iPhone can check if the accessory is MFi certified – but that is pretty much it. It appears that there are no key pairs to be exchanged, and this is probably by design.

Can Apple change it in future versions of iOS? To us, it seems highly unlikely simply because of the humongous amount of MFi devices that aren’t designed to support such a change. Theoretically, iOS could remember which devices were connected to the iPhone, and only allow those accessories to establish connectivity without requiring an unlock – but that’s about all we can think of.

USB Restricted Mode on Managed Devices

According to Apple, on supervised devices that are not enrolled into MDM, USB Restricted Mode is disabled by default. Below are Apple Configurator 2.7.1 Developer Preview Beta Notes:

What’s New

– Configure USB Restricted Mode in profile editor

– Preparing a supervised device but not enrolling it in MDM will disable USB Restricted Mode on the device to make it easier to continue to manage it using Configurator

The Controversy Around USB Restricted Mode

The whole issue of USB restrictions was met with lots of controversy. It is widely speculated that this new feature (as well as several security updates disabling Touch ID/Face ID in certain circumstances) is aimed directly at law enforcement, particularly those using GrayKey to break device passcodes. Our opinion remains unchanged: if there is an unpatched vulnerability, it will be exploited by the bad guys sooner or later. USB Restricted Mode, while not addressing the root cause of the problem, is a perfectly viable band aid that ‘fixes’ the issue for most without inconveniencing the average user all that much. Those who oppose this Apple’s move can simply disable the feature on their own phones, or do a radical step and to Android.

We’ve seen rumors about Grayshift being able to defeat protection provided by USB Restricted Mode. At this point, these are nothing more than just rumors; the company’s official policy is never issuing comments about pre-release software. With iOS 11.4.1 just released, we’ll have to wait to see if the new security measure can be defeated. Either way, since iOS 11.4, the speed of GrayKey (and probably its competitors) is limited to slow recovery rates of one passcode in 10 minutes. While this allows breaking 4-digit passcodes in reasonable time (about two months worst-case scenario), 6-digit passcodes already make little sense to attack unless one has a custom dictionary, and 6 digits is the default length for the passcode suggested by iOS.

Our Thoughts

The ability to postpone USB Restricted Mode by connecting the iPhone to an untrusted USB accessory is probably nothing more than an oversight. We don’t know if this behavior is here to stay, or if Apple will change it in near future. According to our tests, both iOS 11.4.1 and iOS 12 beta 2 exhibit similar behavior; however, this can change in subsequent versions of iOS.