USB Restricted Mode Introduced in iOS 11.4.1, But It Can Be Bypassed
Apple has released iOS 11.4.1, which includes a new security feature called USB Restricted Mode. This function was already available in beta versions of iOS starting from 11.3. Essentially, USB Restricted Mode requires users to enter their passcode when connecting their device to a PC, Mac, or USB accessory if the device has been locked for more than an hour.
If you don’t unlock your iPhone within an hour, the security mechanism activates. In theory, this is designed to prevent law enforcement and other agencies from hacking Apple devices using tools from companies like Cellebrite and Grayshift. Once USB Restricted Mode is activated, all data transfer through the device’s Lightning port is disabled. The only thing that remains available is charging; to a computer, an iPhone with USB Restricted Mode enabled will appear just like an external battery pack.
Although the official release of this security feature was expected with iOS 12, as mentioned above, USB Restricted Mode has already made it out of beta and is now available in iOS 11.4.1.
How USB Restricted Mode Works and Its Vulnerability
ElcomSoft specialist and “Hacker” magazine author Oleg Afonin has already dedicated a separate blog post to this new feature. Previously, ElcomSoft experts examined the beta versions of USB Restricted Mode and found it to be quite reliable: the phone would refuse to communicate with a computer, even after a reboot. If you put the iPhone into Recovery or DFU mode, it becomes accessible from a computer, but brute-forcing the passcode in these modes was still impossible. Researchers even tried to “restore” the device by installing a fresh firmware, but even that didn’t disable USB Restricted Mode.
All of this still applies to iOS 11.4.1. However, Afonin writes that USB Restricted Mode can still be bypassed. It turns out that the countdown timer for activating USB Restricted Mode resets if any untrusted USB accessory is connected to the iPhone before the hour elapses.
“As soon as a police officer seizes an iPhone [from a suspect], they need to quickly connect any compatible USB accessory to the iPhone to prevent USB Restricted Mode from activating after an hour. It’s important to note that this only works if USB Restricted Mode was not already active on the iPhone,” Afonin explains.
Almost any USB accessory will reset the timer, including the official Lightning to USB 3 Camera Adapter. However, it’s already been found that the Apple Lightning to 3.5mm jack adapter does not work for this purpose, and researchers continue to test other accessories, including non-original ones ordered from AliExpress. According to Afonin, most of them will likely succeed in resetting the timer.
Why Is USB Restricted Mode So Easy to Bypass?
Now, security experts are very interested in why USB Restricted Mode is so easy to bypass, and whether Apple will fix this flaw in iOS 11.4.2 or iOS 12. It’s also strange that this “bug” survived through five beta versions of iOS 11.4.1.
ElcomSoft experts believe the problem may lie in the Lightning protocol itself. When an iPhone connects to a computer, the devices exchange cryptographic keys before trusting each other. But when connecting to most existing Lightning accessories, no such key exchange occurs, since many accessories simply can’t perform this exchange like a computer does. As a result, as long as USB Restricted Mode is inactive, the iPhone only checks the accessory’s MFi certificate and stops there.
Afonin notes that Apple is unlikely to be able to change this process, given that many MFi devices are designed differently. The only possible solution suggested by ElcomSoft analysts is to “teach” the iPhone to remember which accessories it has previously connected to, and only allow the timer to be reset by those trusted accessories.
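To make the timer behaviour described above concrete, here is an added toy model (not Apple's code and not ElcomSoft's) of the countdown: with `remember_trusted=False` any MFi-certified accessory restarts the hour, as the article describes for iOS 11.4.1; with `remember_trusted=True` only accessories the phone has seen during a passcode unlock do, which is one reading of the fix ElcomSoft proposes. The accessory names, the one-hour constant and the rule that an accessory present at unlock counts as "previously connected" are assumptions made for the model.

```python
from dataclasses import dataclass, field

LOCKOUT_SECONDS = 60 * 60  # the mode arms one hour after the last lock or reset (per the article)

@dataclass
class USBRestrictedModeModel:
    remember_trusted: bool = False   # False: iOS 11.4.1 behaviour; True: ElcomSoft's suggested fix
    last_activity: float = 0.0       # time (s) at which the countdown last (re)started
    restricted: bool = False
    trusted_accessories: set = field(default_factory=set)

    def _tick(self, now):
        # Arm the mode once an hour has passed without a reset.
        if not self.restricted and now - self.last_activity >= LOCKOUT_SECONDS:
            self.restricted = True

    def lock(self, now):
        self.last_activity = now

    def unlock_with_passcode(self, now, accessory_id=None):
        # Passcode entry clears the mode; an accessory attached during an unlock is
        # recorded as trusted (assumption about how the proposed fix would work).
        self.restricted = False
        self.last_activity = now
        if accessory_id is not None:
            self.trusted_accessories.add(accessory_id)

    def connect_accessory(self, now, accessory_id, has_mfi_cert=True):
        """Return True if the accessory gets a data connection rather than charge-only."""
        self._tick(now)
        if self.restricted or not has_mfi_cert:
            return False
        # The flaw: only the MFi certificate is checked and any such accessory
        # restarts the countdown. Under the fix only remembered accessories do.
        if not self.remember_trusted or accessory_id in self.trusted_accessories:
            self.last_activity = now
        return True

    def connect_computer(self, now):
        # True if the Lightning port still exposes data to a host at this time.
        self._tick(now)
        return not self.restricted

def seized_phone_scenario(remember_trusted, connect_after=30 * 60, check_at=80 * 60,
                          accessory="camera-adapter", previously_trusted=False):
    # Phone locked at t=0, accessory attached at connect_after, host attached at check_at.
    phone = USBRestrictedModeModel(remember_trusted=remember_trusted)
    if previously_trusted:
        phone.unlock_with_passcode(0, accessory)
    phone.lock(0)
    phone.connect_accessory(connect_after, accessory)
    return phone.connect_computer(check_at)
```

Under the 11.4.1 rule the host at 80 minutes still sees a data port because the accessory at 30 minutes restarted the hour; under the fix it sees a charge-only device unless that accessory was already trusted, and in both variants an accessory attached after the hour has already elapsed changes nothing.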