Apple's iOS 11.4 update with 'USB Restricted Mode' may defeat tools like GrayKey

GrayKey device. | Source: MalwareBytes

The iOS 11.4 beta contains a new feature called USB Restricted Mode, designed to defeat physical data access by third parties — possibly with forensic firms like Grayshift and Cellebrite in mind.

"To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via Lightning connector to the device while unlocked — or enter your device passcode while connected — at least once a week," reads Apple documentation highlighted by security firm ElcomSoft. The feature actually made an appearance in iOS 11.3 betas, but like AirPlay 2 was removed from the finished code.

The change blocks use of the Lightning port for anything but charging if a device is left untouched for seven days. An iPhone or iPad will even refuse to sync with computer running iTunes until iOS is unlocked with a passcode.

USB Restricted Mode may be intended to impose a seven-day window on when digital forensics specialists like Grayshift can break into a device, at least using any simple techniques. Those firms will often employ a "lockdown" record from a suspect's computer to create a local backup of iPhone data, skipping passcode entry.

iOS 11 already has some restrictions on lockdown records, namely automatic expiration, and full-disk encryption that renders them useless if a device is rebooted. The 11.3 update shrank the life of iTunes pairing records to seven days.

ElcomSoft suggested that connecting a device to a paired accessory or computer could extend the Restricted Mode window, and centrally-managed hardware may already have that mode disabled.

"If the phone was seized while it was still powered on, and kept powered on in the meanwhile, than the chance of successfully connecting the phone to a computer for the purpose of making a local backup will depend on whether or not the expert has access to a non-expired lockdown file (pairing record)," ElcomSoft elaborated. "If, however, the phone is delivered in a powered-off state, and the passcode is not known, the chance of successful extraction is slim at best."

The exact details of the hacking techniques used by Cellebrite and Grayshift's GrayKey have been kept secret, so it's possible they may still work after iOS 11.4 is released. The companies could however resort to more extreme methods to get at data, such as removing the flash memory from the devices, copying them, and using the copies to attack the password.