Apple's iOS 11.4 update with 'USB Restricted Mode' may defeat tools like GrayKey
The iOS 11.4 beta contains a new feature called USB Restricted Mode, designed to defeat physical data access by third parties -- possibly with forensic firms like Grayshift and Cellebrite in mind.

GrayKey device. | Source: MalwareBytes
"To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via Lightning connector to the device while unlocked -- or enter your device passcode while connected -- at least once a week," reads Apple documentation highlighted by security firm ElcomSoft. The feature actually made an appearance in iOS 11.3 betas, but like AirPlay 2 was removed from the finished code.
The change blocks use of the Lightning port for anything but charging if a device is left untouched for seven days. An iPhone or iPad will even refuse to sync with a computer running iTunes until iOS is unlocked with a passcode.
USB Restricted Mode may be intended to impose a seven-day window on when digital forensics specialists like Grayshift can break into a device, at least using any simple techniques. Those firms will often employ a "lockdown" record from a suspect's computer to create a local backup of iPhone data, skipping passcode entry.
iOS 11 already has some restrictions on lockdown records, namely automatic expiration, and full-disk encryption that renders them useless if a device is rebooted. The 11.3 update shrank the life of iTunes pairing records to seven days.
ElcomSoft suggested that connecting a device to a paired accessory or computer could extend the Restricted Mode window, and centrally-managed hardware may already have that mode disabled.
"If the phone was seized while it was still powered on, and kept powered on in the meanwhile, then the chance of successfully connecting the phone to a computer for the purpose of making a local backup will depend on whether or not the expert has access to a non-expired lockdown file (pairing record)," ElcomSoft elaborated. "If, however, the phone is delivered in a powered-off state, and the passcode is not known, the chance of successful extraction is slim at best."
The exact details of the hacking techniques used by Cellebrite and Grayshift's GrayKey have been kept secret, so it's possible they may still work after iOS 11.4 is released. The companies could however resort to more extreme methods to get at data, such as removing the flash memory from the devices, copying them, and using the copies to attack the password.
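The interaction between the seven-day USB Restricted Mode window, the seven-day pairing-record lifetime and the reboot rule is easier to reason about as a small timeline model. The following is an added example written for this article, not Apple, ElcomSoft or Grayshift code: the two seven-day constants and the rules come from the text above, while the event names, the `assess` helper, the assumption that a reboot makes a pairing record unusable until the next unlock, and the sample timelines are constructed for illustration.

```python
"""Timeline model of iOS 11.4 USB Restricted Mode and pairing-record expiry.

Added example, not code from the article or from any vendor. The seven-day
figures are from the article; event names, reboot handling and the sample
timelines below are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Lightning data access locks after seven days without an unlock (article).
RESTRICTED_MODE_WINDOW = timedelta(days=7)
# iOS 11.3 reduced iTunes pairing (lockdown) record lifetime to seven days (article).
PAIRING_RECORD_LIFETIME = timedelta(days=7)

# Constructed reference point for the sample timelines (assumption).
START = datetime(2018, 5, 1, 9, 0)


def day(n):
    """Convenience helper: n days after START (assumption for the samples)."""
    return START + timedelta(days=n)


@dataclass
class Event:
    when: datetime
    # Assumed event kinds: "unlock", "accessory_while_unlocked",
    # "passcode_while_connected", "reboot".
    kind: str


@dataclass
class DeviceState:
    last_auth: datetime          # last unlock / passcode entry that refreshes the USB window
    booted_at: datetime          # time of last boot
    unlocked_since_boot: bool    # encryption keys are unavailable until the first unlock after boot


def replay(events, start=START):
    """Replay a device's event history and return its final state.

    The device is assumed unlocked and freshly authenticated at `start`.
    """
    state = DeviceState(last_auth=start, booted_at=start, unlocked_since_boot=True)
    for e in sorted(events, key=lambda x: x.when):
        if e.kind == "reboot":
            # Rebooting drops the encryption keys; a pairing record is useless
            # until someone unlocks the device again (modelling assumption).
            state.booted_at = e.when
            state.unlocked_since_boot = False
        elif e.kind in ("unlock", "accessory_while_unlocked", "passcode_while_connected"):
            # Each of these counts as the weekly authentication Apple's text requires.
            state.last_auth = e.when
            state.unlocked_since_boot = True
        else:
            raise ValueError(f"unknown event kind: {e.kind}")
    return state


def usb_data_allowed(state, now):
    """True while the Lightning port still accepts data rather than charge only."""
    return now - state.last_auth < RESTRICTED_MODE_WINDOW


def pairing_record_usable(state, record_created, now):
    """A lockdown record works only if unexpired and the device has been unlocked since boot."""
    unexpired = now - record_created < PAIRING_RECORD_LIFETIME
    return unexpired and state.unlocked_since_boot


def assess(events, record_created, now, start=START):
    """Evaluate whether a passcode-less local backup over USB is still possible at `now`."""
    state = replay(events, start)
    usb = usb_data_allowed(state, now)
    record = pairing_record_usable(state, record_created, now)
    return {"usb_data": usb, "record": record, "backup_possible": usb and record}


if __name__ == "__main__":
    # Constructed scenario: last unlock on day 2, pairing record taken on day 1.
    history = [Event(day(2), "unlock")]
    for when in (6, 10):
        print(f"examined day {when}:", assess(history, record_created=day(1), now=day(when)))
    # Same phone, but it was powered off and on again on day 3.
    print("after reboot:", assess(history + [Event(day(3), "reboot")], day(1), day(6)))
```

Running the block shows the three cases ElcomSoft describes: a phone seized powered on with a fresh pairing record is reachable on day 6 but not on day 10, and a reboot closes the backup path even inside the seven-day window.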
Comments
Ok, I'm only joking but there has to be some defence that IOS could employ after all, the device is essentially being hacked. Even if it is to do a security level storage wipe, user configurable naturally. All it should leave are Cat Videos.
Good to hear that Apple is trying to address the issue, but this strikes me as a bit of a work-around patch rather than fixing the hole itself and tells me they still don't know exactly how the hack is being executed. (Or at least didn't when 11.4 was being written)
Then again I have nothing of interest to law enforcement.
That being said, I see a day where Apple removes the Lightning jack completely. The internet will probably explode when it happens (literally stop working), but it's bound to happen eventually.
I've found that the USB tethering is more reliable than WiFi.
Just remember the words of the theologian Martin Niemöller after his release from Dachau... paraphrased...
They put them in camps, but Communists, who cares about them? They opposed religion.
Incurables? Perhaps they do cost society too much.
Trade Unions.
Social Democrats.
Jews.
The Church does not concern itself with politics.
A bit overstated, airnerd, but I think we all need occasional reminders of the slippery slope that can happen with federal forces on denizens.
Besides, removing the Lightning port assumes that wireless connections are both more reliable and more secure than hardwired connections and I don't think one can make that argument.
Does that "anything" include the headphone adapter?
The original poster didn't ask for Apple to completely disable data connection via USB, just to have a toggle in Settings to disable it. That definitely should be something that Apple does. Even better, give us a way to set the USB connection to either Disabled, Normal, Ask, where Normal is how it behaves today and Ask always prompts the user before allowing the connection. That would help increase security for users that typically only use their Lightning ports for charging while not interfering with other use cases.
Almost how you can log into the BIOS & enable/disable every port on a computer? And set a BIOS password.
Yes. That works well for sneaker-net security in a medical/finance/business setting.
I'm assuming that the hackers have already reached the limit of how fast one can input the pass code using the USB, as there's a limit to how fast data can be transmitted through the USB.
One also has to remember that it takes time for law enforcement to set up the iPhone for hacking. Not to mention the time it takes to get a search warrant. If the government agency involved doesn't have the proper equipment in place at the time they take possession of the iPhone, they might end up losing days from that 7 day USB lock out window and end up having only 3 or 4 days to try to hack in. I'm assuming most local law enforcement offices don't have the proper set up and must get the iPhone to the nearest FBI office with the proper set up, in order to hack the iPhone. Plus I don't think the FBI is going to stop everything just to hack into some drug dealer's iPhone for a local police. It's only the high profile cases that will get the FBI immediate attention. So for the average iPhone and iPad users, the 7 day USB lock out window is not as long as it seems as their iPhone or iPad would most likely be sitting in the evidence room for more than 7 days, if they were arrested and charged with a low profile crime.
Being innocent of wrongdoing is not a defence.
They haven't let not having a good argument stop them yet.
They have AirPods for that. All enlightened people have them, you know.