Apple’s Touted USB Restricted Mode Can Be Broken in a Second

Apple’s highly touted USB Restricted Mode has taken an embarrassing blow. The security feature which turns an lightning cable port into a charge-only interface, significantly hampering attempts to break into an iOS device, has a glaring weakness.

How it Works

USB Restricted Mode was introduced in iOS 11.4.1 and iOS 12 beta 2. It basically turns the lightning port, which can be used to crack an iPhone, into a mere charging port one hour after the phone’s been unlocked. Once in USB Restricted Mode, the lightning port cannot be used to access data on the phone anymore.

In a previous post, we spoke about GrayKey, a popular iPhone cracking tool that uses the lightning port to initiate brute force attacks in order to unlock the device. Apple’s then upcoming security feature was seen as a response to GrayKey. By bricking the iPhone within an hour, Apple hoped that that would severely limit GrayKey’s ability to do its job.

GrayKey issued a statement claiming that they had already found a way to circumvent USB Restricted Mode, though it did not detail how.

For devices running iOS 11.4.1 and iOS 12 beta 2, plugging in any device will disable the timer. Yes, you read that correctly.

Disabling the timer means that hacker need not worry about trying to hack the phone within an hour before its port shuts off.

Why?

According to ElcomSoft, the problem might stem from Apple’s Lightning communication protocol. Typically, when you connect the iPhone to another device, the two will exchange keys and start ‘trusting’ each other. But not all accessories with lightning ports have the ability to exchange keys, and so the iPhone was perhaps designed to just trust them by default.

This seems simple enough to resolve, but in fact, it is quite complicated. Apple could easily change this behavior, but that would render a great number of accessories incompatible with the iPhone.