Security researchers at a well-known security firm have discovered a loophole that can be used to prevent Apple’s new USB Restricted Mode from activating, without needing to unlock the iPhone. USB Restricted Mode is a feature Apple added in iOS 11.4 that locks down an iPhone’s Lightning port when the device has not been unlocked for a certain period, requiring the user to unlock it before Lightning to USB accessories can exchange data with it.
By blocking all data connections through the Lightning port, the feature aims to foil many of the recent hardware hacking tools that have emerged to bypass iPhone security. iOS 11.4 introduced the feature with a seven-day timer; this was reduced to only one hour in the iOS 12 betas and in iOS 11.4.1, released this week.
However, researchers at ElcomSoft have discovered that simply connecting a USB accessory to the Lightning port of an iOS device will reset the one-hour counter, allowing the Lightning port to remain active indefinitely, even if the iOS device is otherwise locked.
This exploit still requires that the device has been unlocked at least once within the past hour; otherwise USB Restricted Mode will already have engaged, and ElcomSoft notes that nothing can then be done to bypass it. However, the company points out that, with statistics suggesting the typical user unlocks their iPhone 80 times per day, the chances of a seized or stolen iPhone having been recently unlocked are relatively high. All a law enforcement officer or hacker would need to do is connect just about any intelligent Lightning to USB accessory, such as Apple’s own Lightning to USB 3 Camera Adapter, to reset the counter, and then leave it connected until the iPhone can be plugged into a device such as a GrayKey box. In closing, ElcomSoft notes that this weakness is “probably nothing more than an oversight” on Apple’s part, and while both iOS 11.4.1 and iOS 12 beta 2 show the same behaviour, Apple could of course easily patch it in a future version.
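As an added illustration (not Apple’s or ElcomSoft’s code), the following small model captures the timer behaviour described above: the weak policy lets an unauthenticated accessory connection refresh the one-hour window, while the corrected policy refreshes it only on a successful unlock. The `WINDOW` constant, event names and timelines are constructed assumptions for the model.

```python
# Added illustration (not Apple's code) of the USB Restricted Mode timer.
# Times are in minutes. "Weak" policy = the reported oversight: any accessory
# connection refreshes the one-hour window. "Fixed" policy = only a successful
# unlock refreshes it. The design point: only an authenticated event should be
# able to extend an authentication-gated window.
WINDOW = 60  # one-hour timer, as in iOS 11.4.1 / iOS 12 beta 2


class RestrictedModeTimer:
    def __init__(self, accessory_resets_timer, unlock_time=0):
        self.accessory_resets_timer = accessory_resets_timer
        self.deadline = unlock_time + WINDOW

    def unlock(self, now):
        # Successful passcode/biometric unlock: the one event that should be
        # allowed to extend the data-connection window.
        self.deadline = now + WINDOW

    def data_allowed(self, now):
        return now < self.deadline

    def connect_accessory(self, now):
        # Accessory attached to a locked phone. Returns whether data is allowed.
        if not self.data_allowed(now):
            return False  # Restricted Mode already engaged; nothing resets it
        if self.accessory_resets_timer:
            self.deadline = now + WINDOW  # the oversight: unauthenticated refresh
        return True


def simulate(accessory_resets_timer, events):
    """Replay (minute, event) pairs; return whether data is allowed at the end."""
    timer = RestrictedModeTimer(accessory_resets_timer)
    allowed = timer.data_allowed(0)
    for t, ev in events:
        if ev == "unlock":
            timer.unlock(t)
            allowed = True
        elif ev == "connect":
            allowed = timer.connect_accessory(t)
        else:  # "check": examiner tests the port without any new event
            allowed = timer.data_allowed(t)
    return allowed


# Constructed timeline: last unlock at minute 0, accessory attached at minute
# 50 and left connected, port checked at minute 90.
TIMELINE = [(0, "unlock"), (50, "connect"), (90, "check")]
# Constructed timeline where the phone sat locked for over an hour first.
LATE_TIMELINE = [(0, "unlock"), (70, "connect"), (90, "check")]

if __name__ == "__main__":
    print("weak policy, recent unlock:", simulate(True, TIMELINE))      # True
    print("fixed policy, recent unlock:", simulate(False, TIMELINE))    # False
    print("weak policy, connect too late:", simulate(True, LATE_TIMELINE))  # False
```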