Apple iPhone’s USB Restricted Mode gives Feds a cracking headache

Apple believes it has closed off a technique that companies working with agencies such as the FBI have been using to gain access to locked iPhones.

According to Reuters, a forthcoming software release – probably iOS 12 in September – will block all data communication through the Lightning port if the phone hasn’t been unlocked for an hour.

Under the new ‘USB Restricted Mode’, which is already at the beta stage in iOS 11.4.1, only charging will work over the port after that hour has passed.

The feature has been reported before, but the one-hour timescale is dramatically shorter than the one week mooted when the story first surfaced a month ago.

On the face of it, a small tweak, but almost certainly enough to severely limit the use of tools from companies such as Grayshift and Cellebrite, which are believed to depend on a data connection over the Lightning port to attack Apple’s security.

It recently emerged, from images posted online, that Grayshift’s GrayKey is a small box with an Internet connection and two Lightning cables sticking out of it.

These connect to two iPhones at a time and appear to mount a brute-force attack on the passcode – essentially trying candidates until the correct one is found.

This would be quick were it not for the rate limits Apple builds into iPhones: each wrong guess costs time, and the delays imposed by the lock screen escalate with every consecutive failure.

Passcode length is the other factor, with informed reports suggesting that a six-digit passcode can take days to crack even with those tools.
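As an added illustration of the arithmetic behind the two paragraphs above (example code written for this page, not anything from Grayshift, Cellebrite or Apple), the model below estimates how long a brute force takes under two assumed rate limits and how much of the keyspace fits inside the one-hour window the article describes. The 80 ms per attempt figure is the key-derivation cost Apple documents for the on-device passcode check; the lock-screen backoff schedule and the ten-failure wipe are assumptions labelled in the code.

```python
"""Back-of-the-envelope model of iPhone passcode brute forcing.

Added example; not code from the article, Apple, Grayshift or Cellebrite.
Assumptions, labelled where they are used:
  * SEP_MS_PER_GUESS: Apple documents that the passcode key derivation is
    calibrated to take roughly 80 ms on the device, so even an attacker who
    bypasses the lock screen is bounded by that rate.
  * LOCK_SCREEN_BACKOFF_MINUTES: the escalating delays the iOS lock screen
    imposes after consecutive failures, modelled as an assumed schedule;
    the tenth failure is treated as the wipe point ("Erase Data" enabled).
"""

SEP_MS_PER_GUESS = 80                 # assumed per-attempt cost, integer ms
USB_RESTRICTED_WINDOW_S = 60 * 60     # article: data over Lightning stops 1 h after last unlock

# Assumed lock-screen schedule: delay (minutes) imposed after the n-th failure.
LOCK_SCREEN_BACKOFF_MINUTES = {5: 1, 6: 5, 7: 15, 8: 15, 9: 60}
LOCK_SCREEN_WIPE_AT = 10              # assumed: 10th failure wipes the device

# Passcode policies and the size of their keyspaces.
POLICIES = {
    "4-digit PIN": 10 ** 4,
    "6-digit PIN": 10 ** 6,
    "6-char lowercase alphanumeric": 36 ** 6,
}


def worst_case_seconds(keyspace, ms_per_guess=SEP_MS_PER_GUESS):
    """Time to exhaust the whole keyspace at the Secure Enclave-bound rate."""
    return keyspace * ms_per_guess / 1000


def expected_seconds(keyspace, ms_per_guess=SEP_MS_PER_GUESS):
    """Expected time for a uniformly random passcode: half the keyspace."""
    return worst_case_seconds(keyspace, ms_per_guess) / 2


def guesses_before_port_closes(window_s=USB_RESTRICTED_WINDOW_S,
                               ms_per_guess=SEP_MS_PER_GUESS):
    """Attempts that fit before USB Restricted Mode cuts the data connection.
    Integer millisecond arithmetic avoids floating-point rounding at the edge."""
    return (window_s * 1000) // ms_per_guess


def keyspace_fraction_in_window(keyspace, window_s=USB_RESTRICTED_WINDOW_S):
    """Share of the keyspace (capped at 1.0) coverable inside the window."""
    return min(1.0, guesses_before_port_closes(window_s) / keyspace)


def lock_screen_guesses_in(window_s):
    """Guesses possible through the ordinary lock screen within window_s,
    honouring the assumed backoff schedule and stopping short of the wipe."""
    elapsed_ms = 0
    guesses = 0
    while guesses < LOCK_SCREEN_WIPE_AT - 1:
        elapsed_ms += SEP_MS_PER_GUESS
        if elapsed_ms > window_s * 1000:
            break
        guesses += 1
        # Backoff applies after the guess that triggers it.
        elapsed_ms += LOCK_SCREEN_BACKOFF_MINUTES.get(guesses, 0) * 60_000
    return guesses


def summary():
    """Per-policy figures: worst-case hours and keyspace share per one-hour window."""
    return {
        name: {
            "worst_case_hours": worst_case_seconds(size) / 3600,
            "fraction_per_window": keyspace_fraction_in_window(size),
        }
        for name, size in POLICIES.items()
    }


if __name__ == "__main__":
    for name, row in summary().items():
        print(f"{name:32s} worst case {row['worst_case_hours']:12.1f} h, "
              f"{row['fraction_per_window']:.1%} of keyspace per 1 h window")
    print(f"lock-screen path: {lock_screen_guesses_in(USB_RESTRICTED_WINDOW_S)} guesses per hour")
```

Under these assumptions a four-digit PIN is exhaustible inside the hour, a six-digit PIN yields only about 4.5% of its keyspace per window and takes on the order of a day to exhaust even at the hardware-bound rate, and the ordinary lock-screen path allows just nine attempts an hour before the wipe threshold, which is why the cracking tools must route around it rather than type guesses in.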

Grayshift and Cellebrite might be exploiting other, unspecified vulnerabilities in iOS to speed up guessing or to gain access by another route, even if a crack of Apple’s Secure Enclave (which we speculated on in a previous story) now seems highly unlikely.

What is known is that a phone that is powered on and has been unlocked by its owner since it last booted (the “After First Unlock” state) is easier to get into than one that is powered off or freshly rebooted (“Before First Unlock”), because after the first unlock many of the keys protecting user data remain in memory.

Apple’s move is being seen as an attempt to stymie access by the US Government, with which it fought a high-profile legal case over access to the iPhone used by Syed Rizwan Farook, one of the two perpetrators of the San Bernardino mass shooting in 2015.

With Apple refusing to unlock the device come what may, the case only ended when the FBI obtained a way in from an outside party, without the company’s help.

Privacy campaigners have pointed out that plenty of others – not least foreign governments and criminals – also want to get into other people’s iPhones. The convenience of the FBI isn’t the only issue at stake here.

Will USB Restricted Mode work?

For a while at least, yes. Police will have to get a seized iPhone connected to a cracking tool within an hour of its last unlock, not of its seizure, which will only be possible in a small minority of cases.

Or perhaps not, if a report claiming Grayshift has already developed a way of countering Apple’s USB block is correct. Motherboard quotes an email from an unnamed expert:

Grayshift has gone to great lengths to future-proof their technology and stated that they have already defeated this security feature in the beta build.

Another way of gauging Apple’s security block is to read the responses of US police forces, which have been buying iPhone-cracking boxes with enthusiasm over the last year.

Sentiments reported in the New York Times suggest that Grayshift may be further from countering Apple than the source quoted above believes.

The battle to crack open the iPhone increasingly defines the confrontation between big tech and governments over the use of strong encryption.

Neither side can give ground. The crackers will be back for another try while Apple, of course, will then respond in kind. If this is a war, of sorts, it’s still early days.