When Apple rolled out the first iOS 11.3 betas earlier this year, one smaller feature mentioned in the release notes was a new security protocol that would lock down a user’s Lightning port if it hadn’t been used for anything other than charging for more than a week. Specifically, Apple noted that users would be required to re-enter their device passcode to authorize a Lightning-connected USB accessory if it has not been connected to the device for more than a week. Much like AirPlay 2 and Messages in the Cloud, this feature never made it into the final iOS 11.3 release, but Elcomsoft notes that it’s back in the iOS 11.4 betas and has published a report on exactly how it works and some of the ramifications of the new feature for iOS forensics.
The feature, now dubbed “USB Restricted Mode,” is relatively straightforward: it disables the ability to transfer any data over the Lightning port one week after the device has last been unlocked, effectively turning the Lightning port into a charging-only interface.
While it’s possible the feature isn’t quite finished yet (Apple’s release notes still suggest that the feature will only kick in if a USB accessory has not been connected to an unlocked device in the past seven days), Elcomsoft reports that this is how it currently seems to work, and raises questions about the difference between a passcode or Touch ID/Face ID unlock, and how trusted USB devices and computers factor in. Elcomsoft notes that in its own testing it was able to confirm that the USB lockout occurred after a device was left completely idle for seven days, but it has not yet conducted any further testing, likely due to the timeframes involved.
The report does go on to add, however, that once this lockdown has occurred, it appears that all USB communication through the Lightning port ceases entirely; the iOS device can still be charged through the Lightning port, but it will not attempt to establish a data connection, even to previously trusted computers or other devices.
This new protocol effectively throws a spanner into the works for law enforcement, which will now have only a maximum of seven days to use current forensic techniques to recover data from a seized iPhone, and could in fact have considerably less time available if the seven-day clock is actually based on the last time a USB device was connected — as Apple’s release notes imply — as opposed to simply the last time a user authenticated to the device.
Apple has already been tightening security with each iOS 11 point release. In iOS 11.3, trusted computer pairing records now expire after only seven days, meaning that a user who hasn’t connected the iPhone to their computer for more than seven days will need to re-authenticate with their password to re-establish the trust relationship, removing one of the attack vectors used by forensics experts to gain access to otherwise-locked iPhones. The new USB Restricted Mode goes significantly further, effectively disabling all data communications over the Lightning port once the seven-day window has expired.