Sophos Cloud Optix
Mobile forensics researchers recently discovered a major new security feature while poking around in the beta version of Apple’s upcoming iOS 11.4 release, due soon.
It’s called USB Restricted Mode: a feature that popped up in the iOS 11.3 beta but didn’t make it to the final release. The feature snips the USB data connection over the Lightning port if the device hasn’t been unlocked for a week. The device can still be charged over USB, but after 7 days, it won’t give up data without a passcode, meaning that at least some backdoor ways to get at data won’t work anymore.
ElcomSoft researchers found this explanation of how it works in Apple’s documentation:
To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked – or enter your device passcode while connected – at least once a week.
If the device is unlocked with a passcode, the data transfer over USB will be re-enabled. But once the Lightning port has been disabled for a week, thieves or investigators won’t be able to get at data by pairing the device to a computer or USB accessory. Without a passcode to unlock the device, they won’t even be able to get into it using an existing iTunes pairing record, used to recognize PCs that are ‘trusted’ by the device, also known as a lockdown record.
As ElcomSoft researcher Oleg Afonin has explained, forensics experts have found pairing records to be “immensely handy” for extracting device data without having to first unlock it with a passcode, a fingerprint press or a trusted face.
Lockdown records aren’t foolproof when it comes to getting into phones without those unlocking techniques, but on the upside for police or thieves, you could use old records – Afonin mentioned using a year-old lockdown record. That is, you could do that up until recently. In iOS 11.3 beta Release Notes, Apple said it was adding an expiration date to lockdown records.
In a post published on Tuesday, Afonin said that it’s not clear yet whether the iPhone unlocking techniques developed by outfits such as Grayshift and Cellebrite will be blocked by the new USB Restricted Mode.
According to Grayshift’s reported marketing materials, its iPhone X and 8 unlock tool is called GrayKey. Grayshift claims its software works against disabled iPhones, which is one of the states an iPhone can enter if a passcode is entered incorrectly too many times.
Law enforcement agents using a tool like GrayKey have apparently only needed two things to get into an iOS device: physical access and enough time. As Forbes has reported, the tool might hack Apple’s Secure Enclave: the isolated chip in iPhones that handles encryption keys. Secure Enclave makes it time-consuming to brute-force a phone by incrementally increasing the time between guesses: up to an hour for the ninth attempt and onwards.
The new USB Restricted Mode will sharply curtail the time investigators have to break into an iOS device. As TechCrunch noted, the FBI milked its months-long access to the phone of the dead San Bernardino terrorist and mass murderer Syed Rizwan Farook before breaking into his iPhone 5C, dragging the matter through the courts and turning it into a major battle in the war against encryption.
Looks like the FBI, et al., are going to have to speed things up quite a bit with the upcoming seven-day deadline of this new security feature, assuming it makes it into the final release.
A week sounds like a very long time. I think an hour would be better, or even just don’t allow USB devices to connect unless the phone is unlocked.
On my Android smartphone, if I connect it to a PC over USB it will only charge and I need to go into the menus each time to turn on data transfer mode. Naturally that menu is only accessible after I have unlocked my phone. That means if the phone is taken (by a normal criminal or law enforcement), they can’t get my data without my passcode.
Please remember, that in your specific case the pairaing records are still accessible and there is a basic communication between the devices (“please unlock the phone to get access”). This is already enough in special cases to gain access to the device.
As it’s written here, the complete USB communication stack will be disabled, so there will be no data sent unless the phone got unlocked and the USB stack enabled back again, which used in addition to the first option is really handy.
How can you cover these topics without mentioning the risk and threat to personal and national security that unlockable doors and unseeable things present? Government was formed originally, almost solely, for the purpose of providing mutual security and justice, and yet many, maybe even yourself, seem happy to see hypocritical corporations, such as Apple et al, erase the ability for govt. to serve even that basic purpose!? That’s unfair reporting of the issue, and it exposes your own biases.
Anyone thumbing this down, is apparently willing to protect terrorists, rapists, child-predators, et al. But would you protect them in other ways that the law does not require? Shelter, money, lying for them, abetting? How about being complicit in the actual crimes themselves? And why do you see a distinction between those aides and unlockable doors and unseeable actions? Are you REALLY that thick headed, or are you just anarchists and nihilists whose moral worth is about as long as their list of personal beliefs [hint: it’s usually pretty short].
That’s a pretty twisted view. Government is by the people to protect the people. If government can invade your privacy at a whim (which is usually full of corrupt people), what was the point of having a government in the first place. It’s not protecting you at all. Companies provide products and services people want. If people didn’t was secure devices there wouldn’t be a market for them. However – if you really think government should have full access to all data and nothing should be private at all, that people should be restricted from choice and information – China is a big country, and likely has room for you.
The govt. is proposed to be invading anyones privacy “at a whim” most of the time these encryption and privacy controls have been at serious issue is in investigations of very serious and damaging crimes. How do you defend that? You have a point, countries that take their security seriously, and understand the measures that are sometimes necessary, do not allow these types of issues to last long, RIM being a prime example. Do you really think that a warrant is the same as an unlocked door? That’s just plain stupid. The examples where this has been an obvious issue are definitely not examples where a warrant and legal jurisdiction to obtain the data that was sought was lacking.
Tell me if I’m wrong but isn’t it possible to simply setup a leadbox with 1 internal spoofed cellular antenna then you spoof the timeserver information that come in and tell the phone to be at any earlier date where the owner still had the phone and then the access would be open again?
@Frank: I don’t think so… it doesn’t check the timestamp to see whether data transfer should be available; it actively removes data access after a certain amount of time. So you’d need to set up the leadbox right when you got the phone and keep resetting the time to the existing time to prevent data access from being dropped.
Once it’s gone, you need a password to turn it on again, not just the right timestamp.
Well, your phone keeps track of elapsed time even when it’s turned off (you only have to reset the time if the battery goes totally flat) , so it can always compare the difference between how much measured (“internal”) time and how much (alleged “external”) network time has elapsed. It should therefore be fairly obvious when the two values get so far out of alignment that one or both of them can’t possibly be correct…
…in which case, surely the code would assume the worst, and activate the lockout anyway?
That wouldn’t resolve this issue, 7 days without being unlocked, that’s the clock running. having cellular connection to provide a false time to the device wouldn’t reset the internal clock that is likely running that timer. I doubt it’s all dependent on NTP or GPS time-synch.
Good they have become the people’s enemy
The same could be said of Apple/Google/Facebook/et cetera… At least the government is publicly accountable in a direct way.
I’ve heard if you cut the orange wire you get HBO and all the PPV channels for free…