USB Restricted Mode 'doesn't work' for securing iPhone data

iOS 11.4.1 adds “USB Restricted Mode.” Apple aims to prevent law enforcement from using plug-in devices that crack passcodes.

But, some Russian researchers claim, it’s easily defeatable. You just need an inexpensive dongle (uh, “inexpensive” by Apple standards, I guess).

Design deficiency? Implementation fail? Or overhyped FUD? In this week’s Security Blogwatch, we restrict our snark.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Can you see a laser pointer from the ISS? 

State of Security Operations 2018: Go Inside World SOCs


What’s the craic? Kieren McCarthy dials up the snark—Apple emits iPhone cop-block update:

The iOS 11.4.1 upgrade is small by Apple standards … but it represents a big headache for … organizations that want to gain access to someone else's phone, because it kills off the most common route to bypassing the device's security.

"USB Restricted Mode" … will disable a data connection from the iPhone's charging/data port … after one hour of being locked. … The new feature will not prevent the phone from being charged, but if you want to … transfer any data to or from the device, you will need to [unlock it].

That data port is the main way the Feds and cops break into locked phones right now. … It was Grayshift's decision to mass produce a small box … for $15,000 that forced Apple to shut down the entry point.

What could possibly go wrong? Thomas Fox-Brewster ferments cunning: [You’re fired—Ed.]

An adapter costing just $39, can help cops and robbers bypass one of [Apple’s] biggest security features in iOS 11.4.1.

Vladimir Katalov, CEO of Elcomsoft, told [me] this would be big news for law enforcement, who would typically need some time to transfer an iPhone to labs and gain the relevant warrants to unlock the device.

Apple hadn’t responded to a request for comment at the time of publication.

Расскажи мне больше! Oleg Afonin obliges—This $39 Device Can Defeat iOS USB Restricted Mode:

We have found no obvious way to break USB Restricted Mode once it is already engaged. However, we discovered a workaround.

What we discovered is that iOS will reset the USB Restrictive Mode countdown timer even if one connects the iPhone to an untrusted USB accessory … that has never been paired to the iPhone before. … Once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent [the] lock after one hour.

What are the chances that the device is seized within [an] hour after last unlock? Quite high.

The issue appears to lie in Apple’s Lightning communication protocol. If the iPhone talks to a computer, the two devices must establish trust by exchanging unique cryptographic keys. This, however, does not apply to the majority of existing Lightning accessories.

Can Apple change it in future versions of iOS? To us, it seems highly unlikely simply because of the humongous amount of MFi devices that aren’t designed to support such a change.

To which Tim Hardwick reacts thuswise:

iOS 11.4.1 and iOS 12 [disable] data access to the Lightning port if it's been more than an hour since the iOS device was last unlocked. Users can also quickly disable [it] manually by engaging Emergency SOS mode.

Apple's own $39 Lightning to USB 3 Camera Adapter can be used. … Researchers are currently testing a mix of official and third-party adapters to see what else works.

The vulnerability … provides a potential avenue for law enforcement or other potentially malicious actors to prevent USB Restricted Mode from activating shortly after seizure.

But wait. There’s iMore. Rene Ritchie calls it USB Restricted Mode FUD:

There's some FUD — Fear Uncertainty and Doubt — going around. … Security perpetually has to be balanced against convenience.

First, there's no such thing as "untrusted USB accessories". There are "untrusted devices" … devices like computers capable of pairing with and extracting data … but not "untrusted USB accessory". By itself, that statement sets off all kinds of alarms.

Second, Apple itself outlined why some devices, like accessibility devices, can override the lockout. That's because the daily usage of those devices requires an element of convenience that Apple believes supersedes … security.

Here's the process for how that article should have been developed, if it cared more about getting to the facts and less about stealing attention through sensationalism: 
1. Discover behavior.
2. Disclose it to Apple.
3. If it's a bug, work with Apple to get it patched prior to disclosure.
4. If it's not a bug, disclose the behavior along with cogent arguments about why you agree or disagree with the choice of behaviors.

Increasingly, it's not the bits that are the exploit or the malware, it's the coverage of the bits. That's terrible for everyone from media to customers.

What will Apple fans make of this? Here’s Turnpike:

There is always going to be a ping-pong, back-and-forth effect to this kind of thing with problems and solutions; but having an Apple device and having Apple on your side working to protect it is, while not perfect, the closest thing to it you will find with any company. Nobody else really cares about protecting your data quite like Apple does.

But Marty J. McLean finds it hard to believe:

I find it hard to believe (well, with Apple’s [quality control] lately who knows) that an obvious oversight like this could happen.

But won’t the police or FBI need a warrant? How does this work, legally? David A. Gatwood explainifies:

You have an hour for the cop to take the logger device out of his or her pocket, crack the phone, and extract the data into a storage device, under an "exigent circumstances" exception.

In the best-case scenario, they then must obtain a warrant to extract the data from the storage device and rifle through it. … You can safely assume that time-limited access means that warrant requirements will get weakened to accommodate that time limit.

The only limit that won't inevitably lead to the rapid erosion of our fourth amendment rights is a zero-length limit.

Still, it’s gotta be better than Android, right? Wrong, claims AmiMoJo:

Take the Pixel 2. Flash memory is encrypted with a key, same as the iPhone. Key is stored in a secure element, same as the iPhone. Arbitrarily long passwords supported, same as the iPhone.

[But] you need to unlock the phone and enable USB data every single time you want to use it. There is no time-out, the moment you unplug the USB cable it's locked to charge only/host mode.

Some manufacturers go even further, e.g. Samsung with its "Knox" system, which was certified by the NSA and DoD.

But why did Apple design it like this? Jake Williams thinks he knows why:

This is likely only an issue because there is no headphone jack and data must be passed to the headphone adapter. That headphone jack is looking pretty damn good right now.

Meanwhile, Scooz sees the bright side for Tim’s crew:

Apple seemingly doing anything to sell their overpriced adapters.

The moral of the story? If the police can do it, so can thieves. Unmanaged BYOD is risky.

And finally …

Can you see a laser pointer from the ISS?

 Bonus footage: ISS passes in front of the Sun

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Ben Ostrowsky (cc:by)

State of Security Operations 2018: Go Inside World SOCs
Topics: Security