Turns Out You Can Fool Apple’s “USB Restricted Mode” with a $39 Accessory (Or Something Cheaper)
Talk about short-lived happiness, fleeting joy, something-something… Apple “just” released the USB Restricted Mode with the release of iOS 11.4.1 earlier today. The security feature is designed to restrict the use of the USB port to block iPhone cracking tools from breaking into the iOS devices. It now appears all a hacker, a criminal, or a cop needs is a cheap USB accessory to bypass this not-so-restrictive restricted mode.
ElcomSoft researchers have published a blog post revealing a flaw in the design of USB Restricted Mode that resets the one-hour counter. All you need is to plug a USB accessory (even if it hasn’t been paired with the iPhone before) into the Lightning port to bypass this security feature.
“We performed several tests, and can now confirm that USB Restricted Mode is maintained through reboots, and persists software restores via Recovery mode,” ElcomSoft’s Oleg Afonin writes. “In other words, we have found no obvious way to break USB Restricted Mode once it is already engaged. However, we discovered a workaround…”
What we discovered is that iOS will reset the USB Restrictive Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been paired to the iPhone before (well, in fact the accessories do not require pairing at all). In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour. Importantly, this only helps if the iPhone has still not entered USB Restricted Mode.
The toolkit for law enforcement or criminals will now just need an additional USB accessory -something from Apple itself like the $39 Lightning to USB 3 Camera adapter or cheap $2 accessories from AliExpress, which the researchers are going to test, would potentially do the job.
With the release of iOS 11.4.1, the procedure for properly seizing and transporting iPhone devices may be altered to include a compatible Lightning accessory. Prior to iOS 11.4.1, isolating the iPhone inside a Faraday bag and connecting it to a battery pack would be enough to safely transport it to the lab.
Seems like an oversight on Apple’s part – fix could be soon released
While the team is going to test several cheap accessories to see if they work to bypass USB Restricted Mode, Apple could release an update to this feature in the coming weeks, removing this loophole. “The ability to postpone USB Restricted Mode by connecting the iPhone to an untrusted USB accessory is probably nothing more than an oversight,” Afonin admits. “We don’t know if this behavior is here to stay, or if Apple will change it in near future.”
However, if a cop gets to seize a locked iPhone until the next iOS update that brings fix to this flaw, they can potentially get around the USB Restricted Mode through a USB accessory.
If you think cops won’t be able to access the iPhone within the one-hour window, it appears that might not be such a big feat to achieve. As ElcomSoft writes, there are quite high chances of a device being seized within an hour since its last unlock. How so? Because an average user unlocks their devices at least 80 times a day – over 3 times an hour, on average.