Researchers find loophole that extends USB Restricted Mode's hour-long timer

Posted in iPhone, edited September 2020
Just hours after Apple debuted USB Restricted Mode in its latest iOS 11.4.1 firmware, security researchers discovered an easy-to-implement workaround that prevents the feature from working as intended.


Grayshift's GrayKey iPhone cracking tool. | Source: MalwareBytes


Tested in betas for months and released earlier today, USB Restricted Mode is Apple's answer to iPhone intrusion techniques that use third-party software to crack device passcodes.

When enabled, the feature disables USB data connections over the iPhone's Lightning port once the device has remained locked for more than an hour. After that predetermined time limit is hit, Lightning can only pass power through to the iPhone for charging.

The mechanism disrupts hacking techniques used by criminals, as well as tools like those marketed by digital forensics firm Grayshift, whose GrayKey iPhone unlocking box requires access to an operational USB port.

According to security researchers at ElcomSoft, however, USB Restricted Mode's countdown timer resets when a Lightning accessory like Apple's Lightning to USB 3 Camera adapter is connected to a target iPhone, effectively defeating the security protocol. Even untrusted accessories, or those that have not previously interfaced with an iPhone, can be used to reset the counter.

ElcomSoft is experimenting with unofficial Lightning to USB adapters to see if they, too, can extend the one hour time limit.

The USB accessory procedure is not viable once USB Restricted Mode activates. Through testing, ElcomSoft confirmed a successful lockout is "maintained through reboots, and persists software restores via Recovery mode. In other words, we have found no obvious way to break USB Restricted Mode once it is already engaged."

However, as the firm notes, iPhone owners are constantly picking up, unlocking and using their devices throughout the day, thereby increasing the odds that target hardware can be intercepted within the one hour time limit.

"In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour," ElcomSoft's Oleg Afonin explains in a blog post.

An ideal accessory should include means of transferring power to iPhone, as proper forensics techniques call for a device to be transported in a Faraday bag or similar to prevent communication with cellular networks. This results in extreme battery drain as iPhone ramps up power to its communications stack as it searches for an adequate signal.

Afonin guesses the USB Restricted Mode loophole is the result of an oversight on Apple's part. Defeating (or more accurately postponing the activation of) an otherwise well-thought-out security protocol with readily available consumer products is likely not what Apple had in mind when it created the feature. Still, the workaround exists in both iOS 11.4.1 and the latest iOS 12 beta.

Apple might rectify the issue in a future release, but for now USB Restricted Mode is vulnerable until its preset one hour window closes.
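As an added illustration (not Apple's or ElcomSoft's code), the following constructed Python model replays the timer behaviour the article describes: the reported policy, where any Lightning accessory restarts the one-hour counter, beside a hypothetical hardened variant where an accessory only counts while the device is unlocked. The class, policy names and event timeline are assumptions made for the example.

```python
"""Constructed model of the USB Restricted Mode timer as described in the article
(added example, not Apple's or ElcomSoft's code)."""
from dataclasses import dataclass

LOCKOUT_SECONDS = 3600  # the one-hour window the article describes


@dataclass
class RestrictedModeModel:
    # "any_accessory": timer restarts on any Lightning accessory, as ElcomSoft reported
    # "unlocked_only": hypothetical variant; an accessory only restarts it while unlocked
    policy: str = "any_accessory"
    unlocked: bool = False
    engaged: bool = False
    locked_since: float = 0.0

    def _tick(self, t):
        # The countdown only runs while the device is locked and the port is still open
        if not self.unlocked and not self.engaged and t - self.locked_since >= LOCKOUT_SECONDS:
            self.engaged = True

    def unlock(self, t):            # passcode entry re-enables USB data
        self._tick(t)
        self.unlocked, self.engaged = True, False

    def lock(self, t):
        self._tick(t)
        self.unlocked, self.locked_since = False, t

    def accessory_connected(self, t):
        """Return True if the accessory gets a data connection."""
        self._tick(t)
        if self.engaged:
            return False                      # once engaged, no accessory revives the port
        if self.policy == "any_accessory" or self.unlocked:
            self.locked_since = t             # the reported loophole: the counter restarts
        return True

    def reboot(self, t):
        self._tick(t)                         # an engaged lockout persists across reboots

    def data_allowed(self, t):
        self._tick(t)
        return not self.engaged


def run(policy, events):
    """Replay (time, action) events; return whether USB data is still allowed at the end."""
    m = RestrictedModeModel(policy=policy)
    for t, action in events:
        getattr(m, action)(t)
    return m.data_allowed(events[-1][0])


# Constructed timeline: phone locked at t=0, seized, and an accessory attached every 30 minutes.
SEIZED = [(0, "lock"), (1800, "accessory_connected"), (3600, "accessory_connected"),
          (5400, "accessory_connected"), (7200, "reboot")]
```

Under the reported policy the half-hourly accessory keeps the port open indefinitely; under the hardened variant the same timeline engages the lockout at the one-hour mark.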

Comments

  • Reply 1 of 29
    cornchip (Posts: 1,954, member)
    Serious question; is USB(C) any more secure? 

    (I’m guessing it’s not).
  • Reply 2 of 29
    Soli (Posts: 10,038, member)
    Afonin guesses the USB Restricted Mode loophole is the result of an oversight on Apple's part. Defeating (or more accurately postponing the activation of) an otherwise well-thought-out security protocol with readily available consumer products is likely not what Apple had in mind when it created the feature.
    To me it sounds like it's by design. If Apple made it so that you need to input your password every hour even when using an accessory that would be a bad tradeoff for their customers. Security is great, but not at the expense of a massive inconvenience.

    Maybe we'll see Apple's MFi program advance to where the chips in accessories will need to send a unique and encrypted hash that will be stored in a database on the iDevice that you'll have to authenticate the first time you use it. This would help prevent those obtaining your iDevice through other methods from being able to plug in some other accessory—even Apple accessories, like the aforementioned Lightning to USB 3 Camera adapter—and keep the timer from counting down.


    PS: While I don't see Lightning port going away anytime soon (and even once it does there will still be a diagnostics port like on the Apple Watch) with Qi charging and wireless syncing becoming the norm I wonder if it would behoove Apple to allow users to further disable the Lightning port. I'm guessing this won't happen, but I thought I'd mention it for the sake of security.
    edited July 2018
  • Reply 3 of 29
    tallest skil (Posts: 43,388, member)
    When enabled, the feature deactivates USB data processes, conducted through an iPhone's Lightning port, when the device remains locked for over an hour. After hitting the predetermined time limit, Lightning is only able to pass power through to iPhone for device charging.
    Let me double-check, but it has deactivated charging on my devices, too. I wonder if that wasn’t just a bug or misinterpretation…
  • Reply 4 of 29
    I wouldn’t call it a loophole - sounds like how it’s supposed to work. If you keep connecting your iPhone to accessories the timer should reset. Otherwise you’d be nagged every hour to unlock just to continue your normal routine.

    Apparently if you perform the SOS function (which disables TouchID until you enter your passcode - sometimes referred to as “cop mode”) it immediately locks the iPhone AND prevents USB from working.

    So those with something to hide (or just don’t want authorities snooping through your iPhone) you can quickly lock out USB.

    Seems like an all-round good compromise of security while retaining ease-of-use.
  • Reply 5 of 29
    ♬♬ Jonathan Zdziarski, where are you? ♪♪♩♩

    Are you wasting his time Apple? Isn't figuring out this stuff ahead of time the point of hiring security experts?
  • Reply 6 of 29
    cgWerks (Posts: 2,952, member)
    I wouldn’t call it a loophole - sounds like how it’s supposed to work. If you keep connecting your iPhone to accessories the timer should reset. Otherwise you’d be nagged every hour to unlock just to continue your normal routine.

    Apparently if you perform the SOS function (which disables TouchID until you enter your passcode - sometimes referred to as “cop mode”) it immediately locks the iPhone AND prevents USB from working.
    Yeah, it would be a bit of a pain if you unlocked your phone and were using some accessory and it just stopped at an hour point. But, in general, I think that would be fine for most situations... a tradeoff for sure. The most common situation might be a road-trip with USB connection in the car?

    But, do most people know how to do an SOS lock-out or would they have the forethought to do that in the moment? I'd have to look up how to do it for my phone... and doesn't that also call 911?

    ♬♬ Jonathan Zdziarski, where are you? ♪♪♩♩
    Are you wasting his time Apple? Isn't figuring out this stuff ahead of time the point of hiring security experts?
    Yeah, one wonders what he's doing at Apple these days. I'm sure there is plenty to do though, and he can't do it all.
  • Reply 7 of 29
    ols (Posts: 51, member)
    This whole thing is quite worrying, as why is the USB transfer initially enabled without entering the correct password? If it were off by default then these tools wouldn’t work in the first place.
  • Reply 8 of 29
    netmage (Posts: 314, member)
    On iPhone X you hold power and one of the volume buttons for five seconds, and no, it doesn't call emergency services; it gives you a menu of options including power off and call emergency services.
  • Reply 9 of 29
    netmage (Posts: 314, member)
    An hour seems too long, and perhaps only the current device should function past an hour? Once unplugged, the phone should immediately lock out USB unless it has been unlocked recently.
    edited July 2018
  • Reply 10 of 29
    tallest skil (Posts: 43,388, member)
    Wait… why can’t I quote myself?

    Devices do not charge, confirmed.

    Leaving a device for more than an hour and then plugging it in does not activate charging. This is an all-Apple environment. iPhone 6 plugged into a 27” Cinema Display with an Apple Lightning cable, plugged into a 2009 Mac Pro. Only after it’s unlocked does the charging *ping* sound and the battery icon turn green.
    edited July 2018
  • Reply 11 of 29
    perhaps this could have been avoided if it was a "recognised" or "known" accessory but I'm not sure if the physical capabilities are there - every usb accessory would have to have a unique identifier which I highly doubt they have unless it was a requirement of the MFI program?
  • Reply 12 of 29
    dewme (Posts: 5,718, member)
    Wait… why can’t I quote myself?

    Devices do not charge, confirmed.

    Leaving a device for more than an hour and then plugging it in does not activate charging. This is an all-Apple environment. iPhone 6 plugged into a 27” Cinema Display with an Apple Lightning cable, plugged into a 2009 Mac Pro. Only after it’s unlocked does the charging *ping* sound and the battery icon turn green.
    Aha, that explains why my iPhone 6+ was sitting at 57% charge after spending the night plugged into my iMac. Good to know and probably why my iPhone/iPad puts up that little blurb about USB functionality and unlocking when I plug it in. Good to know.
  • Reply 13 of 29
    linkman (Posts: 1,046, member)
    Wait… why can’t I quote myself?

    Devices do not charge, confirmed.

    Leaving a device for more than an hour and then plugging it in does not activate charging. This is an all-Apple environment. iPhone 6 plugged into a 27” Cinema Display with an Apple Lightning cable, plugged into a 2009 Mac Pro. Only after it’s unlocked does the charging *ping* sound and the battery icon turn green.
    I wonder if this might have the unintended consequence of essentially bricking your iPhone? Imagine a situation where the port is locked out and then the battery dies. Plug the thing in to get it alive again only to have the phone not accept power and the owner cannot unlock it because there is no longer a way to do so without iOS starting up. I would assume that Apple tested for this though...
  • Reply 14 of 29
    airnerd (Posts: 693, member)
    Why can't apple just give me a toggle, make it part of control center, where I can just choose to disable data transfer via lightning?  Should be much simpler than all these "what if" scenarios that could be stopping music or preventing charging.  

    I have no reason to stop data transfer, but for someone who is worried about this they have that option.  Then the plug only can be used for charging until the phone is unlocked and toggled back to allow data.  

    Everyone is happy except those that want to force their way onto your phone. 
  • Reply 15 of 29
    kkqd1337 (Posts: 464, member)
    I never use my lightning port for anything apart from charging in the car as I normally charge wireless, and use Bluetooth for music etc.

    So I would be happy to disable it permanently (unless I eventually get a new car with Apple Car Play that probably won’t be wireless). 

    But keeping it simple.... I guess if you're a criminal all you need is a wireless charging iPhone with some chewing gum in the lightning port. 
  • Reply 16 of 29
    longpath (Posts: 401, member)
    My hope is that Apple will eventually require that the device be unlocked before acknowledging such an accessory, or else the timer continues to count down; but once the device detects the accessory, it will continue to hold the timer at bay. This would prevent loss of use of these accessories after an hour's use while also preventing them from being used as work-arounds to prevent the time out feature from doing its job. 

    Should such an enhancement to the security feature come to be, I would love to see the timer reduced to a minute or less.
    edited July 2018
  • Reply 17 of 29
    retrogusto (Posts: 1,137, member)
    It seems like they should be able to leave charging enabled but disable data transfer. This is going to confuse so many people, if all of a sudden they stop being able to charge their phones the way they always have. And if the battery is about to die when they plug it in, things could get ugly, with important missed calls, alarm clocks not going off when needed, and perhaps the bricking scenario described by Linkman. 
  • Reply 18 of 29
    mknelson (Posts: 1,145, member)
    linkman said:
    Wait… why can’t I quote myself?

    Devices do not charge, confirmed.

    Leaving a device for more than an hour and then plugging it in does not activate charging. This is an all-Apple environment. iPhone 6 plugged into a 27” Cinema Display with an Apple Lightning cable, plugged into a 2009 Mac Pro. Only after it’s unlocked does the charging *ping* sound and the battery icon turn green.
    I wonder if this might have the unintended consequence of essentially bricking your iPhone? Imagine a situation where the port is locked out and then the battery dies. Plug the thing in to get it alive again only to have the phone not accept power and the owner cannot unlock it because there is no longer a way to do so without iOS starting up. I would assume that Apple tested for this though...
    Plugged into your Cinema Display, the other fellow mentioned plugged into his iMac. Could it be that they aren't providing USB power because the USB data function is disabled (so the computer/display don't activate), but it may work if you use a dumb adapter?
  • Reply 19 of 29
    Say goodbye to the USB Lightning / USB-C port just like the headphone jack.  Or "Geez, thanks for telling us about that Elcomsoft". Now we just set the option to be an hour or always require a passcode when connecting USB or just force it to always prompt for passcode for everyone all the time.  Users will just have to unlock their device when plugging in accessories which is what it should be anyway.  

    Ease of use versus security.  I would rather have the option to set a higher level of security forcing the passcode for any USB connection and never have a timeout at all.  Something I can set with MDM Configuration Profiles as well.  Also requiring strong passwords and denying 4/6 digit passcodes via MDM.  Add a keypress option to disable FaceID / TouchID. So if you see it coming you can either reboot your iPhone or do the keypress option that disables the biometric unlock.  That works today.  

    Personally, if I was on vacation re-entering the USA, going through customs.  I would probably back up my iPhone and just wipe it as I am getting off the plane. Set it up without a passcode. If customs wishes to see it, they can look at a blank unconfigured device with no data.  Have fun with that.  See, I complied with unlocking it for you.  To do this to American citizens is despicable but yet it has been happening.  If you don't unlock your phone when they ask for it they can hold it almost indefinitely.  Nothing you can do about it either.  Really, if you are traveling to certain countries you should just carry a burner or buy one when you get there.
  • Reply 20 of 29
    focher (Posts: 688, member)
    Apple only has two choices here:

    1. The timer is absolute and requires unlocking after one hour. The downside is that this creates inconvenience for users.

    2. The timer resets every time the device is unlocked. This leaves the USB interface active for one hour after unlocking, but then locks. This creates inconvenience in that many users probably now find themselves going more than one hour after their last unlock procedure before they might plug in the phone. I saw this with my CarPlay system, where I couldn't figure out why the phone wasn't connecting to the head unit. Ended up that unlocking the phone re-enabled USB and then the connection proceeded.

    There's obviously a choice that has to be made here about convenience versus closing the USB hole.