Grayshift claims it defeated Apple's forthcoming 'USB Restricted Mode' security feature
Grayshift, the digital forensics firm that markets the GrayKey iPhone unlocking tool, says it already has a workaround for Apple's upcoming "USB Restricted Mode," an iOS 12 security feature that effectively disables hardwired USB data connections in a bid to protect user information.
Grayshift's Graykey device | Source: MalwareBytes
On Wednesday, Apple confirmed USB Restricted Mode will be introduced to consumers in a future version of iOS.
The feature, which has been in testing since iOS 11.3 but is enabled by default in the first iOS 12 beta seed, affords a high level of protection from external brute force attacks by cutting off data connections with USB accessories after a predetermined time period.
Initially, USB Restricted Mode required accessories to be connected to an unlocked device, or prompted users to enter their device passcode, at least once per week. Under current operating protocols, however, that window of opportunity has been reduced to an hour.
In other words, when the feature is active, a passcode is required when attempting to transfer data to or from a USB accessory connected to an iPhone that has not been unlocked within the prescribed one hour time limit.
For law enforcement agencies relying on iPhone unlocking solutions like Grayshift's GrayKey, USB Restricted Mode poses a significant hurdle to accessing a target device. Officials only have an hour to secure a warrant to access the device, attach the USB-based GrayKey tool and perform a brute force attack.
However, according to email correspondence between Grayshift and an unnamed forensics expert seen by Motherboard, the forensics firm has seemingly found a workaround to Apple's solution.
"Grayshift has gone to great lengths to future proof their technology and stated that they have already defeated this security feature in the beta build," the email reads. "Additionally, the GrayKey has built in future capabilities that will begin to be leveraged as time goes on."
Exactly how the company managed to defeat the USB lockdown is unclear. Further details of the supposed workaround are unavailable, though a second person responding to the original email noted Grayshift "addressed" USB Restricted Mode in a recent webinar. Whether that session outlined a successful exploit is also unclear.
Other digital forensics firms are working on similar workarounds. ElcomSoft in May suggested it might be possible to extend USB Restricted Mode's window beyond the hour-long restriction by connecting an iPhone to a paired accessory or computer while it is unlocked. The company added that dedicated hardware could potentially disable the feature completely.
For its part, Apple says the feature is designed to protect its customers from hackers and other ne'er-do-wells, not to stymie legitimate law enforcement investigations.
"We're constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data," Apple said in a statement provided to AppleInsider. "We have the greatest respect for law enforcement, and we don't design our security improvements to frustrate their efforts to do their jobs."
The feature is, however, useful in preventing unwarranted government access in countries that do not afford consumers the same protections as U.S. laws.
Grayshift's Graykey device | Source: MalwareBytes
On Wednesday, Apple confirmed USB Restricted Mode will be introduced to consumers in a future version of iOS.
The feature, which has been in testing since iOS 11.3 but is enabled by default in the first iOS 12 beta seed, affords a high level of protection from external brute force attacks by cutting off data connections with USB accessories after a predetermined time period.
Initially, USB Restricted Mode required accessories to be connected to an unlocked device, or prompted users to enter their device passcode, at least once per week. Under current operating protocols, however, that window of opportunity has been reduced to an hour.
In other words, when the feature is active, a passcode is required when attempting to transfer data to or from a USB accessory connected to an iPhone that has not been unlocked within the prescribed one hour time limit.
For law enforcement agencies relying on iPhone unlocking solutions like Grayshift's GrayKey, USB Restricted Mode poses a significant hurdle to accessing a target device. Officials only have an hour to secure a warrant to access the device, attach the USB-based GrayKey tool and perform a brute force attack.
However, according to email correspondence between Grayshift and an unnamed forensics expert seen by Motherboard, the forensics firm has seemingly found a workaround to Apple's solution.
"Grayshift has gone to great lengths to future proof their technology and stated that they have already defeated this security feature in the beta build," the email reads. "Additionally, the GrayKey has built in future capabilities that will begin to be leveraged as time goes on."
Exactly how the company managed to defeat the USB lockdown is unclear. Further details of the supposed workaround are unavailable, though a second person responding to the original email noted Grayshift "addressed" USB Restricted Mode in a recent webinar. Whether that session outlined a successful exploit is also unclear.
Other digital forensics firms are working on similar workarounds. ElcomSoft in May suggested it might be possible to extend USB Restricted Mode's window beyond the hour-long restriction by connecting an iPhone to a paired accessory or computer while it is unlocked. The company added that dedicated hardware could potentially disable the feature completely.
For its part, Apple says the feature is designed to protect its customers from hackers and other ne'er-do-wells, not to stymie legitimate law enforcement investigations.
"We're constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data," Apple said in a statement provided to AppleInsider. "We have the greatest respect for law enforcement, and we don't design our security improvements to frustrate their efforts to do their jobs."
The feature is, however, useful in preventing unwarranted government access in countries that do not afford consumers the same protections as U.S. laws.
Comments
One of my friends is a city prosecutor, and Android-based phones are no problem to get into, but iPhones are much more difficult.
Next day...
AppleInsider reports a new iOS 12 beta release that further tightens USB lock security features, rendering Greyshift’s workaround worthless.
How difficult it will be to use if such features can be enabled 🙄
If their claim of "defeat" requires it is plugged into something before the 1 hour expires, that is not a defeat, and they are simply lying.
And those are three things off the top of my head. Add in there the potential for new Apple silicon that will act as an extra layer of security between the system that will keep track of these actions even when the core system is reset in a way that keeps GreyKey's reset mechanism from wiping the device and I think Apple can end up making it increasingly harder for hackers without causing the user any additional effort.
PS: Regardless, I'd use Apple full keyboard instead of just a 6-digit PIN to access my device. With their American English keyboard you have nearly 2 billion combinations with just 4 characters if you employ their very special characters (á la long press on a key). If and when Emoji are ever allowed the palette opens up to around a BASE-1000 system and may even be easier for people to remember since ideograms can be more relatable to an individual than individual characters.
Cohen's the target of a major criminal investigation, and they had a warrant that was signed by a federal judge which indicates they're not searching for wrongdoing retroactively, and certainly not collecting "banal" information. Anyone the target of a state-sponsored investigation probably has a bit more to worry about than what is stored on their iPhone.
What law did they break?
They blame Apple when it's their own damned fault!
Also keep in mind that fastasleep didn't claim that Apple has a flawless track record. I'd argue that him saying it's decent isn't given Apple enough credit because security includes encrypting the drive, keeping 3rd-party apps out of your data, using randomized MAC addresses, end-to-end encryptions for iMessages, and even keeping websites from tracking you. These are security features that don't thought about much because they're not front-facing. Hell, I probably wouldn't even have brought them up for this post had it not been for WWDC being so recent, so I'd say that compared to their competitors Apple's track record in iPhone security is excellent.
Let the one-upsmanship continue ...
Of course that wouldn't stop them cracking open the unit and patching in on the circuit board side but they are having to invest quite bit of effort to get started at that point.
"Decent" was intentionally nerfed as what I had originally typed might've be misconstrued as Apple fanboy hyperbole.