Researchers found that plugging in a USB device stops the timer for USB Restricted Mode from engaging, giving attackers a possible point of entry.
An oversight in the implementation of USB Restricted Mode in iOS 11.4.1 and the iOS 12 Beta 2 potentially allows malicious actors to override the new security feature intended to prevent unauthorized device access. According to a blog post by Oleg Afonin, a security researcher at Elcomsoft, plugging a device into the Lightning port before USB Restricted Mode is engaged interrupts the countdown timer.
As a quick review, USB Restricted Mode is a new feature that limits an iOS-powered device to only charge via USB if it has not been unlocked in the last hour. After one hour, the USB port cannot be used to communicate with a computer or other device. Similarly, this also affects the ability to use USB accessories on a given device. Apple's support page on the topic indicates that iOS-powered devices will need to be unlocked in order for USB accessories plugged in to a given device to be recognized:
Starting with iOS 11.4.1, if you use USB accessories with your iPhone, iPad, or iPod touch, or if you connect your device to a Mac or PC, you might need to unlock your device for it to recognize and use the accessory. Your accessory then remains connected, even if your device is subsequently locked.
If you don't first unlock your password-protected iOS device—or you haven't unlocked and connected it to a USB accessory within the past hour—your iOS device won't communicate with the accessory or computer, and in some cases, it might not charge. You might also see an alert asking you to unlock your device to use accessories.
The failure in this sequence, according to Afonin's post, occurs when a USB device is plugged into an iOS-powered device in the hour-long window before USB Restricted Mode is engaged. If such a device is plugged in, the countdown timer for USB Restricted Mode is halted, making it possible to potentially crack the passcode of the device.
Perhaps more troubling, this works with Apple's official accessories, like the Lightning to USB 3 Camera Adapter, which would give attackers a USB connection. Afonin noted that this does not work with Apple's 3.5mm adapter, though wrote that if it did work, the adapter itself does not allow for passthrough charging, which could potentially allow for battery drain, "especially if you transport it in a Faraday bag."
SEE: Information security policy (Tech Pro Research)
That observation is quite important, as one of the effects of USB Restricted Mode protects users against hacking devices sold to governments. Companies such as Cellebrite, which was alleged to have unlocked the phone of the San Bernardino shooter, as well as GrayShift, rely on vulnerabilities likely unknown by Apple to crack the passcode used to secure iPhones and iPads. In theory, the one-hour window imposed by USB Restricted Mode greatly reduces the window of opportunity for law enforcement—or anyone else in possession of hacking devices—to unlock a given device.
Apple previously indicated to Reuters that the company began work on this protection before learning that this avenue of attack was used commonly among law enforcement, stating that "We have the greatest respect for law enforcement, and we don't design our security improvements to frustrate their efforts to do their jobs." That said, law enforcement groups including the FBI have demanded for years that tech companies be required to provide a means of access to unlock devices for investigative purposes—in effect, a backdoor to encryption.
The pressing need for this access was undercut in May, as the Washington Post reported that "the FBI has repeatedly provided grossly inflated statistics to Congress and the public about the extent of problems posed by encrypted cellphones," indicating that the number of phones that the bureau could not unlock were "probably between 1,000 and 2,000," while the claimed number was "nearly 7,800."
For their part, Elcomsoft wrote that after several tests, USB Restricted Mode is otherwise quite robust, as the setting persists across reboots and software restores performed in Recovery Mode, noting that "we have found no obvious way to break USB Restricted Mode once it is already engaged." The post characterizes the current insecurity as an oversight, but did not indicate if Apple will change it in future releases.
The big takeaways for tech leaders:
- An oversight in the implementation of USB Restricted Mode in iOS stops the countdown timer if a USB device is plugged into the Lightning port.
- This does not work for all USB devices, as seemingly passive devices such as Apple's official 3.5mm adapter do not stop the countdown timer.
- iOS 11 tips and tricks for business professionals (free PDF) (TechRepublic)
- Apple releases iOS 11.4.1 with USB lockout security feature (Download.com)
- Fitness app Polar exposed locations of spies and military personnel (ZDNet)
- Apple iOS 12: Cheat sheet (TechRepublic)
- Has Apple abandoned professional Mac users? (ZDNet)
- How hackers can steal your password with an infrared photo of your keyboard (TechRepublic)
- Apple to close iPhone security hole used by police, criminals (CNET)