Apple's iOS 11.4 update with 'USB Restricted Mode' may defeat tools like GrayKey

The iOS 11.4 beta contains a new feature called USB Restricted Mode, designed to defeat physical data access by third parties -- possibly with forensic firms like Grayshift and Cellebrite in mind.

GrayKey device. | Source: MalwareBytes


"To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via Lightning connector to the device while unlocked -- or enter your device passcode while connected -- at least once a week," reads Apple documentation highlighted by security firm ElcomSoft. The feature actually made an appearance in iOS 11.3 betas, but like AirPlay 2 was removed from the finished code.

The change blocks use of the Lightning port for anything but charging if a device is left untouched for seven days. An iPhone or iPad will even refuse to sync with a computer running iTunes until iOS is unlocked with a passcode.

USB Restricted Mode may be intended to impose a seven-day window on when digital forensics specialists like Grayshift can break into a device, at least using any simple techniques. Those firms will often employ a "lockdown" record from a suspect's computer to create a local backup of iPhone data, skipping passcode entry.

iOS 11 already has some restrictions on lockdown records, namely automatic expiration, and full-disk encryption that renders them useless if a device is rebooted. The 11.3 update shrank the life of iTunes pairing records to seven days.

ElcomSoft suggested that connecting a device to a paired accessory or computer could extend the Restricted Mode window, and centrally-managed hardware may already have that mode disabled.

"If the phone was seized while it was still powered on, and kept powered on in the meanwhile, then the chance of successfully connecting the phone to a computer for the purpose of making a local backup will depend on whether or not the expert has access to a non-expired lockdown file (pairing record)," ElcomSoft elaborated. "If, however, the phone is delivered in a powered-off state, and the passcode is not known, the chance of successful extraction is slim at best."

The exact details of the hacking techniques used by Cellebrite and Grayshift's GrayKey have been kept secret, so it's possible they may still work after iOS 11.4 is released. The companies could, however, resort to more extreme methods to get at data, such as removing the flash memory from a device, copying it, and using the copies to attack the password.

Comments

  • Reply 1 of 27
    How about sending a 50KV burst back down the line if a device like a GrayKey is detected?

    Ok, I'm only joking, but there has to be some defence that iOS could employ; after all, the device is essentially being hacked. Even if it is to do a security level storage wipe, user configurable naturally. All it should leave are Cat Videos. :)
    edited May 8
  • Reply 2 of 27
    MplsP Posts: 457 member
    Well, if you really want to troll the cops, you could have it leave a video of Dunkin Donuts burning down...

    Good to hear that Apple is trying to address the issue, but this strikes me as a bit of a work-around patch rather than fixing the hole itself and tells me they still don’t know exactly how the hack is being executed. (Or at least didn’t when 11.4 was being written.)
  • Reply 3 of 27
    nunzy Posts: 307 member
    If you care about security, the iPhone is your only choice.
  • Reply 4 of 27
    airnerd Posts: 513 member
    Can they go a step further and have a toggle that prevents any data connection via USB?   I'm not a power user, but I can't remember the last time I connected my phone to anything to transfer data.  Everything is cloud based (backup, sync, etc), AirDrop,  or just email/imessaged as far as I know.  

    Then again I have nothing of interest to law enforcement.  
  • Reply 5 of 27
    DAalseth Posts: 153 member
    airnerd said:
    Then again I have nothing of interest to law enforcement.  
    Dat you teenk you have notink of interest is suspicious. Ve are eenterestet in everytink.
  • Reply 6 of 27
    macxpress Posts: 4,338 member
    airnerd said:
    Can they go a step further and have a toggle that prevents any data connection via USB?   I'm not a power user, but I can't remember the last time I connected my phone to anything to transfer data.  Everything is cloud based (backup, sync, etc), AirDrop,  or just email/imessaged as far as I know.  

    Then again I have nothing of interest to law enforcement.  
    We're not quite there yet. Yes, a lot of things are in the cloud, but there are situations where it doesn't work and you need to plug in. I for example have a 2012 Mac Pro and AirDrop is not supported so I have to plug in and I don't store every single photo in iCloud. We still have people out there with these types of situations.

    That being said, I see a day where Apple removes the Lightning jack completely. The internet will probably explode when it happens (literally stop working), but it's bound to happen eventually.
  • Reply 7 of 27
    Don't forget that the USB connection is also used for tethering. I use it when roaming quite a bit. Using the USB connection also keeps the phone charged.
    I've found that the USB tethering is more reliable than WiFi.

  • Reply 8 of 27
    sandor Posts: 434 member
    airnerd said:
    Can they go a step further and have a toggle that prevents any data connection via USB?   I'm not a power user, but I can't remember the last time I connected my phone to anything to transfer data.  Everything is cloud based (backup, sync, etc), AirDrop,  or just email/imessaged as far as I know.  

    Then again I have nothing of interest to law enforcement.  

    Just remember the words of the theologian Martin Niemöller after his release from Dachau... paraphrased...

    They put them in camps, but Communists, who cares about them? They opposed religion.
    Incurables? Perhaps they do cost society too much.
    Trade Unions.
    Social Democrats.
    Jews.
    The Church does not concern itself with politics.

    A bit overstated, airnerd, but I think we all need occasional reminders of the slippery slope that can happen with federal forces on denizens.
  • Reply 9 of 27
    lovemn Posts: 22 member
    Apple can make devices without a Lightning connector. Use a charging pad to recharge and AirPods for listening or communicating.
  • Reply 10 of 27
    MplsP Posts: 457 member
    airnerd said:
    Can they go a step further and have a toggle that prevents any data connection via USB?   I'm not a power user, but I can't remember the last time I connected my phone to anything to transfer data.  Everything is cloud based (backup, sync, etc), AirDrop,  or just email/imessaged as far as I know.  

    Then again I have nothing of interest to law enforcement.  
    We’re really nowhere near that point. The majority of users only use their lightning port for charging, but there are many other uses - keyboards, headphones (maybe they will get rid of the lightning port and put the ‘outdated’ headphone jack back in?) CarPlay, screen mirroring devices, and countless other 3rd party accessories. Removing the port would make any future iphone instantly incompatible with all of these. 

    Besides, removing the lightning port assumes that wireless connections are both more reliable and more secure than hardwired connections and I don’t think one can make that argument.
  • Reply 11 of 27
    mknelson Posts: 184 member
    "The change blocks use of the Lightning port for anything but charging if a device is left untouched for seven days."

    Does that "anything" include the headphone adapter?
  • Reply 12 of 27
    smileydude Posts: 108 member
    mknelson said:
    "The change blocks use of the Lightning port for anything but charging if a device is left untouched for seven days."

    Does that "anything" include the headphone adapter?
    It should, but that won't cause any problems for users in practice.  You're almost certainly going to unlock your phone so you can start playing music/podcasts/videos/whatever.  Since the phone will be unlocked, the Lightning port will be unlocked for the headphone adapter that was just plugged in.
    MplsP said:
    airnerd said:
    Can they go a step further and have a toggle that prevents any data connection via USB?   I'm not a power user, but I can't remember the last time I connected my phone to anything to transfer data.  Everything is cloud based (backup, sync, etc), AirDrop,  or just email/imessaged as far as I know.  

    Then again I have nothing of interest to law enforcement.  
    We’re really nowhere near that point. The majority of users only use their lightning port for charging, but there are many other uses - keyboards, headphones (maybe they will get rid of the lightning port and put the ‘outdated’ headphone jack back in?) CarPlay, screen mirroring devices, and countless other 3rd party accessories. Removing the port would make any future iphone instantly incompatible with all of these. 

    Besides, removing the lightning port assumes that wireless connections are both more reliable and more secure than hardwired connections and I don’t think one can make that argument.
    The original poster didn't ask for Apple to completely disable data connection via USB, just to have a toggle in Settings to disable it.  That definitely should be something that Apple does.  Even better, give us a way to set the USB connection to either Disabled, Normal, Ask, where Normal is how it behaves today and Ask always prompts the user before allowing the connection.  That would help increase security for users that typically only use their Lightning ports for charging while not interfering with other use cases.
  • Reply 13 of 27
    sandor Posts: 434 member
    mknelson said:
    "The change blocks use of the Lightning port for anything but charging if a device is left untouched for seven days."

    Does that "anything" include the headphone adapter?
    It should, but that won't cause any problems for users in practice.  You're almost certainly going to unlock your phone so you can start playing music/podcasts/videos/whatever.  Since the phone will be unlocked, the Lightning port will be unlocked for the headphone adapter that was just plugged in.
    MplsP said:
    airnerd said:
    Can they go a step further and have a toggle that prevents any data connection via USB?   I'm not a power user, but I can't remember the last time I connected my phone to anything to transfer data.  Everything is cloud based (backup, sync, etc), AirDrop,  or just email/imessaged as far as I know.  

    Then again I have nothing of interest to law enforcement.  
    We’re really nowhere near that point. The majority of users only use their lightning port for charging, but there are many other uses - keyboards, headphones (maybe they will get rid of the lightning port and put the ‘outdated’ headphone jack back in?) CarPlay, screen mirroring devices, and countless other 3rd party accessories. Removing the port would make any future iphone instantly incompatible with all of these. 

    Besides, removing the lightning port assumes that wireless connections are both more reliable and more secure than hardwired connections and I don’t think one can make that argument.
    The original poster didn't ask for Apple to completely disable data connection via USB, just to have a toggle in Settings to disable it.  That definitely should be something that Apple does.  Even better, give us a way to set the USB connection to either Disabled, Normal, Ask, where Normal is how it behaves today and Ask always prompts the user before allowing the connection.  That would help increase security for users that typically only use their Lightning ports for charging while not interfering with other use cases.

    Almost how you can log into the BIOS & enable/disable every port on a computer? And set a BIOS password.
    Yes. That works well for sneaker-net security in a medical/finance/business setting :)
  • Reply 14 of 27
    chasm Posts: 573 member
    Seven days is entirely too generous IMO. Like with TouchID/FaceID itself, 48 hours seems like a fair-enough window to me. I hope Apple won a promise from a certain misadministration not to push the issue if they gave them a seven-day window.
  • Reply 15 of 27
    davidw Posts: 928 member
    chasm said:
    Seven days is entirely too generous IMO. Like with TouchID/FaceID itself, 48 hours seems like a fair-enough window to me. I hope Apple won a promise from a certain misadministration not to push the issue if they gave them a seven-day window.
    Maybe the 7 day window is Apple's way of discouraging the use of a 4 alphanumeric, case sensitive, pass code, as those pass codes can be hacked in about 7 days. By having the USB disabled after 7 days of the iPhone being locked, even if the USB is being used to transmit data during that 7 day window, it would almost be impossible to hack a 6 alphanumeric, case sensitive, pass code. If Apple were to have the USB disabled after just 48 hours, iPhone and iPad users might be tempted to use a 4 alphanumeric case sensitive pass code since it's very unlikely to be hacked in only 2 days. Apple would rather users use at least a 6 alphanumeric, case sensitive, pass code, at all times.

    I'm assuming that the hackers have already reached the limit of how fast one can input the pass code using the USB, as there's a limit to how fast data can be transmitted through the USB.

    One also has to remember that it takes time for law enforcement to set up the iPhone for hacking. Not to mention the time it takes to get a search warrant. If the government agency involved doesn't have the proper equipment in place at the time they take possession of the iPhone, they might end up losing days from that 7 day USB lock out window and end up having only 3 or 4 days to try to hack in. I'm assuming most local law enforcement offices don't have the proper set up and must get the iPhone to the nearest FBI office with the proper set up, in order to hack the iPhone. Plus I don't think the FBI is going to stop everything just to hack into some drug dealer's iPhone for a local police. It's only the high profile cases that will get the FBI's immediate attention. So for the average iPhone and iPad users, the 7 day USB lock out window is not as long as it seems as their iPhone or iPad would most likely be sitting in the evidence room for more than 7 days, if they were arrested and charged with a low profile crime.
  • Reply 16 of 27
    mattinoz Posts: 840 member
    MplsP said:
    airnerd said:
    Can they go a step further and have a toggle that prevents any data connection via USB?   I'm not a power user, but I can't remember the last time I connected my phone to anything to transfer data.  Everything is cloud based (backup, sync, etc), AirDrop,  or just email/imessaged as far as I know.  

    Then again I have nothing of interest to law enforcement.  
    We’re really nowhere near that point. The majority of users only use their lightning port for charging, but there are many other uses - keyboards, headphones (maybe they will get rid of the lightning port and put the ‘outdated’ headphone jack back in?) CarPlay, screen mirroring devices, and countless other 3rd party accessories. Removing the port would make any future iphone instantly incompatible with all of these. 

    Besides, removing the lightning port assumes that wireless connections are both more reliable and more secure than hardwired connections and I don’t think one can make that argument.
    The smart connector could be a good Lightning port replacement for most of those uses. Plus would allow slim connection for battery cases and may even have the bandwidth to drive audio for speaker dock or headphone connection. The original patent design was meant to be stackable so could allow a battery case to have its own connector for headphones and charging cable. The only service function it would need is a forced restore from internet function or very slow DFU mode.
  • Reply 17 of 27
    aegean Posts: 86 member
    Apple should get rid of the Lightning port altogether. AirPower will hit the market soon and wireless connections are getting reliable every day and transferring of data shouldn't take much time even on currently max of 256gb storage. But before they do that, they should come up with better AirPod fit/design that all the ears on this planet can benefit from. And no I don't use cloud for anything. I only trust my own personal storage.
    edited May 8
  • Reply 18 of 27
    chasm Posts: 573 member
    davidw said:
    chasm said:
    Seven days is entirely too generous IMO. Like with TouchID/FaceID itself, 48 hours seems like a fair-enough window to me. I hope Apple won a promise from a certain misadministration not to push the issue if they gave them a seven-day window.
    If Apple were to have the USB disabled after just 48 hours, iPhone and iPad users might be tempted to use a 4 alphanumeric case sensitive pass code since it's very unlikely to be hacked in only 2 days. Apple would rather users use at least a 6 alphanumeric, case sensitive, pass code, at all times.
    Well put. You make a great point. Well done!
  • Reply 19 of 27
    analogjack Posts: 1,019 member
    airnerd said:

    Then again I have nothing of interest to law enforcement.  

    Being innocent of wrongdoing is not a defence.


  • Reply 20 of 27
    cgWerks Posts: 1,350 member
    airnerd said:
    Can they go a step further and have a toggle that prevents any data connection via USB?   I'm not a power user, but I can't remember the last time I connected my phone to anything to transfer data.
    That would be good... or what I don't understand is why they don't just disable data via USB unless it is unlocked. If I'm going to plug my device in to transfer something, I can certainly unlock it.

    MplsP said:
    Besides, removing the lightning port assumes that wireless connections are both more reliable and more secure than hardwired connections and I don’t think one can make that argument.
    They haven't let not having a good argument stop them yet. :) Schiller will just get up there and say.... "Wires are legacy devices."

    mknelson said:
    Does that "anything" include the headphone adapter?
    They have AirPods for that. All enlightened people have them, you know.