Mobile forensics researchers recently discovered a major new security feature while poking around in the beta version of Apple’s upcoming iOS 11.4 release, due soon.
It’s called USB Restricted Mode: a feature that popped up in the iOS 11.3 beta but didn’t make it to the final release. The feature snips the USB data connection over the Lightning port if the device hasn’t been unlocked for a week. The device can still be charged over USB, but after 7 days, it won’t give up data without a passcode, meaning that at least some backdoor ways to get at data won’t work anymore.
ElcomSoft researchers found this explanation of how it works in Apple’s documentation:
“To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked – or enter your device passcode while connected – at least once a week.”
If the device is unlocked with a passcode, data transfer over USB will be re-enabled. But once the Lightning port has been disabled for a week, thieves or investigators won’t be able to get at data by pairing the device to a computer or USB accessory. Without a passcode to unlock the device, they won’t even be able to get into it using an existing iTunes pairing record, also known as a lockdown record, which is used to recognize PCs that are ‘trusted’ by the device.
As ElcomSoft researcher Oleg Afonin has explained, forensics experts have found pairing records to be “immensely handy” for extracting device data without having to first unlock it with a passcode, a fingerprint press or a trusted face.
Lockdown records aren’t foolproof when it comes to getting into phones without those unlocking techniques, but on the upside for police or thieves, you could use old records – Afonin mentioned using a year-old lockdown record. That is, you could do that up until recently. In the iOS 11.3 beta release notes, Apple said it was adding an expiration date to lockdown records.
In a post published on Tuesday, Afonin said that it’s not clear yet whether the iPhone unlocking techniques developed by outfits such as Grayshift and Cellebrite will be blocked by the new USB Restricted Mode.
According to Grayshift’s reported marketing materials, its iPhone X and 8 unlock tool is called GrayKey. Grayshift claims its software works against disabled iPhones, which is one of the states an iPhone can enter if a passcode is entered incorrectly too many times.
Law enforcement agents using a tool like GrayKey have apparently only needed two things to get into an iOS device: physical access and enough time. As Forbes has reported, the tool might hack Apple’s Secure Enclave: the isolated chip in iPhones that handles encryption keys. Secure Enclave makes brute-forcing a phone time-consuming by incrementally increasing the delay between guesses: up to an hour for the ninth attempt and onwards.
The new USB Restricted Mode will sharply curtail the time investigators have to break into an iOS device. As TechCrunch noted, the FBI milked its months-long access to the phone of the dead San Bernardino terrorist and mass murderer Syed Rizwan Farook before breaking into his iPhone 5C, dragging the matter through the courts and turning it into a major battle in the war against encryption.
Looks like the FBI, et al., are going to have to speed things up quite a bit with the upcoming seven-day deadline of this new security feature, assuming it makes it into the final release.