Apple has rolled out a new version of iOS that seeks to block the passcode cracking tools favored by law enforcement and governments. After looking at the problem, Apple opted for what seemed like a foolproof solution: USB Restricted Mode. This feature blocks all USB access to a locked phone. But security researchers note that it’s trivially easy to block that lockout with Apple’s own accessories.
This change to iOS was spurred by the prevalence of devices like the GrayKey from a company called Grayshift. This unassuming little box can inject code into a locked iPhone that churns for a few hours or days before displaying the device’s passcode. Police around the world have happily dropped serious cash for GrayKey boxes. The company charges $15,000 for GrayKey boxes with a limit of 300 unlocks, and $30,000 for one with unlimited unlocks.
USB Restricted Mode on iPhones now shuts off all USB access after a phone has been locked for about an hour. If the attacker can’t inject code into the phone, it doesn’t matter what exploits exist. This seems like a perfect solution, but security researchers from ElcomSoft have pointed out a significant shortcoming.
After testing the latest build of iOS (11.4.1), researchers report that USB Restricted Mode does indeed persist across reboots and software restores. However, it is possible to prevent the phone from going into Restricted Mode at all as long as you’ve got a Lightning USB accessory to plug in. Even some of Apple’s own accessories will do the trick.
According to ElcomSoft’s Oleg Afonin, connecting certain Lightning accessories will reset the one-hour countdown, allowing law enforcement to prevent the device from being locked down indefinitely. The $9 Lightning-to-audio-jack adapter doesn’t work, but Apple’s Lightning-to-USB-3.0 adapter does. The adapter doesn’t even need to be “trusted” or previously paired with the phone to reset the timer. This means law enforcement could even design a custom USB accessory that continuously resets the counter to keep a phone vulnerable.
If the countdown expires, USB Restricted Mode is still a good defense against hacks. The researchers suspect this is a bug in iOS, so Apple could fix it with another update. This security feature will still compromise the usefulness of the GrayKey and similar devices. It’s common for phones seized by police to be off or sitting unused for more than an hour.
NYC Law Enforcement Has Been Cracking Locked iPhones for Almost 2 Year
Israeli forensics firm Cellebrite announced its new in-house phone cracking tool earlier this year, but a new report suggests law enforcement has had access to it since early 2018.