Security researchers find workaround for iOS 11.4’s USB Restricted Mode

Less than a day after Apple officially added an iPhone and iPad hack-preventing USB Restricted Mode to iOS, security researchers at ElcomSoft have detailed a simple workaround that can be used by law enforcement personnel to mitigate the feature. The workaround requires a Lightning connector accessory, such as Apple’s $39 Lightning to USB 3 Camera Adapter, but is expected to work with numerous other Lightning accessories, as well.

USB Restricted Mode was added to iOS 11.4.1 and iOS 12 after beta testing in iOS 11.4. The feature is designed to lock an iPhone’s or iPad’s Lightning port after one hour of device inactivity, preventing the port from being used for anything except basic charging until a password is entered again. Apple says that it added USB Restricted Mode to iOS to increase device security against a known means of hacking, which notably has been used by law enforcement personnel to extract the contents of criminal suspects’ phones without their permission.

According to ElcomSoft, USB Restricted Mode generally works exactly as expected: Even if the device is rebooted or software restored, the lock persists. However, if the device is connected to a Lightning accessory — including one that has never been connected before — the one-hour countdown timer to initiate USB Restricted Mode will be reset. As a result, the Lightning port can be kept accessible for an hour past the point of initial seizure by plugging in a Lightning accessory.

The loophole apparently doesn’t work with every Lightning accessory, notably failing with Apple’s $9 Lightning to 3.5mm adapter, which is included with some iPhones. Additionally, if the Lightning accessory doesn’t include a pass-through power port, there’s no way to keep the device fueled during transport.

But with a power-transferring accessory, police — or other hackers — have a fairly straightforward means of accessing a seized iOS 11.4.1 device. They can connect the Lightning accessory, tether an external battery for power, place everything in a Faraday bag so the phone cannot be reached wirelessly, then transport it to the location of a Cellebrite or Grayshift hacking solution for immediate processing.

ElcomSoft notes that Apple could update a future version of iOS to “remember which devices were connected to the iPhone, and only allow those accessories to establish connectivity without requiring an unlock,” but researchers didn’t see other practical ways to enhance the USB Restricted Mode, given the design of existing Lightning accessories. On the other hand, the researchers note that Grayshift is said to already be able to defeat USB Restricted Mode through other means, though that’s unconfirmed at this point. History suggests that the back-and-forth between Apple and hackers will continue until one side gives up — and given the stakes and money on the hacking side, that’s unlikely to be anytime soon.