Apple Rolls Out Password Cracking Defense, With One Major Flaw

Apple Rolls Out Password Cracking Defense, With One Major Flaw

Apple has rolled out a new version of iOS that seeks to block the passcode cracking tools favored by law enforcement and governments. After looking at the problem, Apple opted for what seemed like a foolproof solution: USB Restricted Mode. This feature blocks all USB access to a locked phone. But security researchers note that it’s trivially easy to block that lockout with Apple’s own accessories.

This change to iOS was spurred by the prevalence of devices like the GrayKey from a company called Grayshift. This unassuming little box can inject code into a locked iPhone that churns for a few hours or days before displaying the device’s passcode. Police around the world have happily dropped serious cash for GrayKey boxes. The company charges $15,000 for GrayKey boxes with a limit of 300 unlocks, and $30,000 for one with unlimited unlocks.

USB Restricted Mode on iPhones now shuts off all USB access after a phone has been locked for about an hour. If the attacker can’t inject code into the phone, it doesn’t matter what exploits exist. This seems like a perfect solution, but security researchers from ElcomSoft have pointed out a significant shortcoming.

After testing the latest build of iOS (11.4.1), researchers report that USB Restricted Mode does indeed persist across reboots and software restores. However, it is possible to prevent the phone from going into Restricted Mode at all as long as you’ve got a Lightning USB accessory to plug in. Even some of Apple’s own accessories will do the trick.

A GrayKey box for unlocking Apple mobile devices.
A GrayKey box for unlocking Apple mobile devices.

According to ElcomSoft’s Oleg Afonin, connecting certain Lightning accessories will reset the one-hour countdown, allowing law enforcement to prevent the device from being locked down indefinitely. The $9 Lightning-to-audio-jack adapter doesn’t work, but Apple’s Lightning-to-USB-3.0 adapter does. The adapter doesn’t even need to be “trusted” or previously paired with the phone to reset the timer. This means law enforcement could even design a custom USB accessory that continuously resets the counter to keep a phone vulnerable.

If the countdown expires, USB Restricted Mode is still a good defense against hacks. The researchers suspect this is a bug in iOS, so Apple could fix it with another update. This security feature will still compromise the usefulness of the GrayKey and similar devices. It’s common for phones seized by police to be off or sitting unused for more than an hour.

Continue reading

Security Researcher: ‘solarwinds123’ Password Left Firm Vulnerable in 2019
Security Researcher: ‘solarwinds123’ Password Left Firm Vulnerable in 2019

SolarWinds, the company at the center of the massive hack that hit US government agencies and corporations, doesn't exactly use cutting-edge password techniques.

Microsoft Now Offers the Option to (Mostly) Ditch Your Password
Microsoft Now Offers the Option to (Mostly) Ditch Your Password

Microsoft wants to ditch passwords and it's making the feature widely available on Windows for the first time.

Microsoft, Apple, And Google Join Forces to Kill The Password
Microsoft, Apple, And Google Join Forces to Kill The Password

On World Password Day the world's three largest tech firms have announced an alliance to banish passwords to the ash heap of history.

Netflix Ads and Password Sharing Fees Could Arrive This Year
Netflix Ads and Password Sharing Fees Could Arrive This Year

In a notice sent to employees, Netflix management said they were aiming to have an ad-supported tier ready for sign-ups by the fourth quarter of 2022.