Security Researchers Find Way to Prevent USB Restricted Mode From Activating on iOS Devices

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Jul 10, 2018.

  1. MacRumors macrumors bot

    Joined:
    Apr 12, 2001
    #1


    Security researchers claim to have discovered a loophole that prevents an iPhone or iPad from activating USB Restricted Mode, Apple's latest anti-hacking feature in iOS 12 beta and iOS 11.4.1, which was released on Monday.

    USB Restricted Mode is designed to make iPhones and iPads immune to certain hacking techniques that use a USB connection to download data through the Lightning connector to crack the passcode.


    iOS 11.4.1 and iOS 12 prevent this by default by disabling data access to the Lightning port if it's been more than an hour since the iOS device was last unlocked. Users can also quickly disable the USB connection manually by engaging Emergency SOS mode.

    However, researchers at cybersecurity firm ElcomSoft claim to have discovered a loophole that resets the one-hour counter. The bypass technique involves connecting a USB accessory into the Lightning port of the iOS device, which prevents USB Restricted Mode from locking after one hour.

    ElcomSoft's Oleg Afonin explained the technique in a blog post:
    According to Afonin, Apple's own $39 Lightning to USB 3 Camera Adapter can be used to reset the counter. Researchers are currently testing a mix of official and third-party adapters to see what else works with the bypass technique.


    Afonin notes that ElcomSoft found no obvious way to break USB Restricted Mode once it has been engaged, suggesting the vulnerability is, in his words, "probably nothing more than an oversight" on Apple's part. Still, at present its existence provides a potential avenue for law enforcement or other potentially malicious actors to prevent USB Restricted Mode from activating shortly after seizure.

    Both iOS 11.4.1 and iOS 12 beta 2 are said to exhibit the same behavior when exploiting the loophole. However, expect this to change in subsequent versions of iOS - Apple continually works on strengthening security protections and addressing iPhone vulnerabilities as quickly as possible to defend against hackers.

    Apple reportedly introduced USB restrictions to disable commercial passcode cracking tools like GrayKey. Afonin cites rumors that the newer GrayShift tool is able to defeat the protection provided by USB Restricted Mode, but the research community has yet to see firm evidence confirming this.

    Article Link: Security Researchers Find Way to Prevent USB Restricted Mode From Activating on iOS Devices
     
  2. martyjmclean macrumors regular

    Joined:
    Jan 24, 2018
    Location:
    Sydney, NSW, Australia
    #2
    I find it hard to believe (well, with Apple’s QC lately who knows) that an obvious oversight like this could happen.
     
  3. christarp macrumors 6502

    Joined:
    Oct 29, 2013
    #3
    Interesting, so the cops would need to confiscate the alleged evidence and transport it back to wherever they take it and then keep it plugged into the device. Might be tough to do within an hour, but I'm sure they'll find a way. And I'm also sure Apple will find a way to close this loophole. Cat and mouse continues.
     
  4. MacRS4 macrumors member

    Joined:
    Aug 18, 2010
    #4
    Have I misunderstood this? What they're saying is that <1 hour and you plug in a USB, it resets the count-down timer for the USB lockout.

    So imagine you unlock/lock your phone, and plug it in to your computer shortly afterward. You wouldn't want the USB lock to engage would you? Say for example if you were copying 100GB of movies to it.

    Or is the lack of 'trusted' devices enabling the reset of the counter? I.e. A mistake on the expected behaviour.

    PS. I've not had nearly enough coffee yet.
     
  5. Kiro macrumors member

    Joined:
    Sep 15, 2015
    Location:
    Germany, Leipzig
    #5
    Maybe that is due to stuff like the hdmi adapters. Think about watching a movie that is about 2h long. You won't like to have the phone unlocked all the time or unlock it after one hour...
     
  6. IGI2, Jul 10, 2018
    Last edited: Jul 10, 2018

    IGI2 macrumors 6502

    Joined:
    May 6, 2015
    #6
    In other news, if you leave your phone unlocked, someone can make it stay unlocked by playing with it.

    Or like an iPad with an option set: lock after 4 hours, etc. of not using

    USB Restricted Mode is not so different here; it locks after one hour of NOT being used, so someone can prolong this period by connecting it to any* device.

    Yes, this is an oversight, that *some* devices (not just trusted) can prolong this behavior, but once locked:
    It stays locked.

    Maybe it's not a mistake but the design of this secure connection: maybe if it doesn't transmit any data with untrusted devices, it doesn't know whether they are trusted or untrusted. Moreover, they didn't want to make it too much of a pain in the ass (which the lack of an "Immediately" option, just "at least 1 hour", suggests), so it prolongs this time (the lockdown timer) when connected to just any device.

    After all, when the police grab a malicious iPhone, they very often have access to their computers too, e.g. when they raid criminals' hidden places. So even if Apple sets this to Immediately, criminals should watch out.
     
  7. alphaod macrumors Core

    Joined:
    Feb 9, 2008
    Location:
    NYC
    #7
    Makes sense seeing some accessories like the HDMI adapter do not require authorization in the first place.

    I wouldn't see this as an oversight. Can't have a perfect solution.
     
  8. Turnpike, Jul 10, 2018
    Last edited: Jul 10, 2018

    Turnpike macrumors 6502

    Joined:
    Oct 2, 2011
    Location:
    New York City!
    #8
    There is always going to be a ping-pong, back-and-forth effect to this kind of thing with problems and solutions; but having an Apple device and having Apple on your side working to protect it is, while not perfect, the closest thing to it you will find with any company. Nobody else really cares about protecting your data quite like Apple does.
     
  9. manu chao macrumors 603

    Joined:
    Jul 30, 2003
    #9
    I've always read this one-hour limit as: 'This works if there is at least an hour between you using your phone and the cops getting their hands on it'. Of course, it is cheaper to equip all police with a Lightning to USB adaptor than with a Grey Box. But even if plain adaptors wouldn't work, the Grey Box manufacturers could probably easily create a much cheaper Grey Box lite that only stops this one-hour limit.
     
  10. Scooz macrumors regular

    Joined:
    Apr 9, 2012
    #10
    Apple seemingly doing anything to sell their overpriced adapters...
     
  11. beppedessi macrumors newbie

    Joined:
    Sep 9, 2013
    Location:
    Impruneta (FI), Italy
    #11
    Apple should pay a lot more for this kind of service!
     
  12. Bacillus Suspended

    Joined:
    Jun 25, 2009
    #12
    Indeed, especially if you implement countdown so lamentingly
     
  13. flyinmac macrumors 68040

    Joined:
    Sep 2, 2006
    Location:
    United States
    #13
    I’m sure the police could easily keep some $5 accessory in the car to plug into the phone just to reset the timer.

    In many cities, police cars are always minutes away from a police station and spend more time there than they do on the roads.

    We have multiple levels of law enforcement in my area. And police are typically 30 seconds away anytime I’ve called for them (unless it wasn’t an emergency call - sometimes I just need to speak with them at their convenience).
     
  14. robertcoogan macrumors 6502

    Joined:
    Apr 5, 2008
    Location:
    Joshua Tree, California
    #14
    One could also change the 6-digit PIN to a password (mix of characters) and defeat any graybox regardless.
     
  15. Tech198 macrumors G5

    Joined:
    Mar 21, 2011
    Location:
    Australia, Perth
    #15
    not really an "oversight" because this could be a legit user..

    If regular users did this, at the 59-minute mark the timer resets, but in a 'good' way, because nothing would be more frustrating than a user charging a phone and the device no longer being able to charge because USB Restricted Mode was 'Enabled' after 60 minutes.

    It's meant to be "after one hour of inactivity" of the port. But yeah, now there is a solution to this, I'm sure the police will wanna use it...

    Perhaps Apple could just require your passcode, Face ID, and/or Touch ID every time a user connects to the Lightning port as a deterrent. Would be inconvenient, but that's probably the only way now.
     
  16. clystron macrumors member

    Joined:
    Aug 11, 2011
    #16
    One possible Improvement:

    Only keep Lightning enabled if a device is present at the time I lock the phone and only as long as that device is connected.
    Otherwise disable the port instantly when I lock the phone.

    Of course that is something that users would notice so it probably has to be an option
    --- Post Merged, Jul 10, 2018 ---
    Charging is not affected by the port locking down
     
  17. shadowmatt macrumors regular

    Joined:
    Feb 24, 2005
    #17
    Apple has never been good on security.

    They invest a lot in terms of making sure the iPhone can't be hacked, sideloading apps etc... But security on iOS and OS X has always been something they don't spend a lot of resources on.
     
  18. Tech198 macrumors G5

    Joined:
    Mar 21, 2011
    Location:
    Australia, Perth
    #18
    I guess that would be kind of irritating... Users would have to be aware of keeping things attached just so the mode would be enabled.

    If charging is not part of this then my phone's port would be locked 100% of the time since I don't have any other accessories other than the charging cable.

    One may see that as a good thing. :)
     
  19. clystron macrumors member

    Joined:
    Aug 11, 2011
    #19
    My suggestion is based on my use-case of course, I don't use many Lightning accessories and I can not remember the last time I connected something other than a power supply to my phone without also unlocking it.
     
  20. Mac Fly (film), Jul 10, 2018
    Last edited: Jul 10, 2018

    Mac Fly (film) macrumors 65816

    Joined:
    Feb 12, 2006
    Location:
    Ireland
    #20
    An hour seems to be a good design compromise; design is compromise. There could be an option for pros to have the Lightning port always disabled, requiring a password every time. Probably should be optional though.
     
  21. rom3o macrumors member

    Joined:
    Dec 22, 2014
    #21
    Would it be so hard to have the timer reset only by connecting to trusted devices? I know that some accessories do not require authorisation but couldn’t that be changed iOS-wise without the need to change anything on the hardware side?
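The timer behaviour the article describes (data lines disabled one hour after the last unlock, any accessory restarting the countdown, the port staying locked once engaged) and the "only trusted devices reset it" variant rom3o asks about, as an added Python model. This is not part of the original thread and not Apple's code: the class and function names, the 30-minute keep-alive interval and the three-hour extraction time are assumptions chosen for illustration.

```python
"""Toy model of the USB Restricted Mode idle timer discussed in this thread.
Added illustration only, not Apple's implementation: the timer, the
'any accessory resets it' loophole and the 'only trusted devices reset it'
variant are modelled from the article and rom3o's suggestion, and every
name below is hypothetical."""

from dataclasses import dataclass, field

ONE_HOUR = 3600  # seconds


@dataclass
class Accessory:
    name: str
    trusted: bool  # True = a computer the owner previously chose to "Trust"


@dataclass
class Policy:
    # True models the behaviour ElcomSoft reported: any accessory restarts
    # the countdown. False models the proposed fix: only trusted devices do.
    untrusted_resets_timer: bool = True
    timeout: float = ONE_HOUR


@dataclass
class LightningPort:
    policy: Policy
    last_activity: float = 0.0     # time of last unlock or timer reset
    locked: bool = False           # True once USB Restricted Mode is engaged
    events: list = field(default_factory=list)

    def _expire(self, now: float) -> None:
        """Engage Restricted Mode once the idle window has elapsed."""
        if not self.locked and now - self.last_activity >= self.policy.timeout:
            self.locked = True
            self.events.append((now, "restricted mode engaged"))

    def unlock(self, now: float) -> None:
        """Passcode / Face ID / Touch ID: data access restored, countdown restarts."""
        self.locked = False
        self.last_activity = now
        self.events.append((now, "unlocked"))

    def force_lock(self, now: float) -> None:
        """Emergency SOS / forced passcode prompt: port locks immediately."""
        self.locked = True
        self.events.append((now, "forced lock"))

    def connect(self, acc: Accessory, now: float) -> str:
        """Plug something in. Returns 'data' or 'charge-only' (power always flows)."""
        self._expire(now)
        if self.locked:
            self.events.append((now, f"{acc.name}: charge-only"))
            return "charge-only"
        if acc.trusted or self.policy.untrusted_resets_timer:
            self.last_activity = now  # the reported loophole lives on this line
        self.events.append((now, f"{acc.name}: data"))
        return "data"

    def data_allowed(self, now: float) -> bool:
        self._expire(now)
        return not self.locked


def seizure_scenario(policy: Policy, keepalive: Accessory,
                     keepalive_interval: float = 30 * 60,
                     extraction_at: float = 3 * ONE_HOUR) -> bool:
    """Owner unlocked the phone at t=0 and it was seized at once (worst case).
    The seizing party plugs `keepalive` in every `keepalive_interval` seconds
    and attempts a data extraction at `extraction_at`. Returns True if the
    extraction still finds the data lines enabled."""
    port = LightningPort(policy=policy)
    port.unlock(0.0)
    t = keepalive_interval
    while t < extraction_at:
        port.connect(keepalive, t)
        t += keepalive_interval
    return port.data_allowed(extraction_at)


if __name__ == "__main__":
    camera_adapter = Accessory("Lightning to USB 3 Camera Adapter", trusted=False)
    owners_laptop = Accessory("previously trusted laptop", trusted=True)

    print("loophole, untrusted adapter every 30 min:",
          seizure_scenario(Policy(untrusted_resets_timer=True), camera_adapter))
    print("fixed policy, untrusted adapter every 30 min:",
          seizure_scenario(Policy(untrusted_resets_timer=False), camera_adapter))
    print("fixed policy, but the owner's trusted laptop was seized too:",
          seizure_scenario(Policy(untrusted_resets_timer=False), owners_laptop))
    print("loophole, adapter plugged in one second too late:",
          seizure_scenario(Policy(), camera_adapter, keepalive_interval=ONE_HOUR + 1))
```

Running it prints True, False, True, False: under the reported behaviour a $39 untrusted adapter every half hour keeps the data lines open indefinitely; restricting the reset to trusted devices closes that, but a seized, previously trusted computer still resets the timer (IGI2's point above); and the timer is strict, so a keep-alive that arrives one second after the hour finds the port already locked. `connect` on a locked port returns "charge-only" rather than refusing outright, matching clystron's note that charging is unaffected.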
     
  22. DanielDD macrumors 6502

    Joined:
    Apr 5, 2013
    Location:
    Portugal
    #22
    In other news: Apple ran out of stock of USB dongles to US police agencies
     
  23. NervousFish2 macrumors regular

    Joined:
    Mar 23, 2014
    #23
    How is this news? Seems click-bait-y to me. "Scary headline" followed by predictable "Apple have never been good on security" blah blah... honestly, a lot of companies would not be putting it up to the FBI like this. I think it's unlikely they'll be arriving at crime scenes and finding very many phones locked in under an hour. Or, considering this was all sparked by the San Bernardino (no?) case, that guy's 'second' phone was at home, in his house, and it was a few days before the FBI were on the scene. What Apple have put in place here seems a very strong statement of the company's intention to protect civil liberties.
     
  24. haruhiko macrumors 601

    Joined:
    Sep 29, 2009
    #24
    Just long press the power button (or side button plus volume up for iPhone X) to force require passcode and the whole trick doesn't work anymore :)
     
  25. FunnelDog macrumors member

    Joined:
    May 4, 2015
    Location:
    Atlantic Coast
    #25
    I am no hacker, merely a security researcher. Enhanced security research. Finding alternative security options.
     