Apple's new USB security feature has a major flaw

ItsMitch

Source: Engadget

 

Apple introduced a new security feature in iOS 11.4.1 yesterday, but security researchers have already found a flaw in the software which could allow law enforcement to bypass it. In a report from ElcomSoft, they explain that a $39 USB 3 Camera Adapter from Apple can bypass it within specific parameters and requirements.


The flaw, you may ask?

Quote

With the release of iOS 11.4.1, the procedure for properly seizing and transporting iPhone devices may be altered to include a compatible Lightning accessory. Prior to iOS 11.4.1, isolating the iPhone inside a Faraday bag and connecting it to a battery pack would be enough to safely transport it to the lab. iOS 11.4.1 adds the need for another dongle setup. In order to fool USB Restricted Mode, one would need to perform the following steps:

  1. Connect the iPhone to a compatible Lightning accessory (such as the official Lightning to USB 3 Camera Adapter).
  2. Plug an external battery pack into the adapter (to avoid iPhone battery drain).
  3. Place the entire assembly in a Faraday bag.

According to our tests, this effectively disables USB Restricted Mode countdown timer, and allows safely transporting the seized device to the lab.

If you get a message that the device should be unlocked in order to use the accessory (when you connect it), then USB restricted mode has been activated already, and there is nothing you can do about that, sorry.

What are the chances that the device is seized within an hour after the last unlock? Quite high. We were not able to find recent stats, but even two years ago an average user unlocked their iPhone at least 80 times a day.

 

It has been said that this could just be a gigantic oversight by Apple and that it will most likely be fixed, but ElcomSoft do warn that this issue may be related to Apple's Lightning Communication Protocol.

 

Paper by Elcomsoft. 

https://blog.elcomsoft.com/2018/07/this-9-device-can-defeat-ios-usb-restricted-mode/ 

Summoning the LTT resident Mac Man @DrMacintosh for his insight on this (I don't use Macs or Apple devices).

 

tl;dr: Law enforcement can still grab your data if they act within the hour and do it properly.


LOL


Now that is why iDevices don't get viruses + will never get stolen or cracked!

 

Oh wait, it happened? Again, GOSH DARN APPLE!

When the PC is acting up haunted,

who ya gonna call?
"Monotone voice" : A local computer store.

*Terrible joke I know*

 


6 minutes ago, Abdul201588 said:

LOL

It's not a vulnerability...... #fakenews, we just put it in there for the FBI and hope no one finds out....


Quote

"once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour."

 

In other news, if you leave your phone unlocked, someone can make it stay unlocked by playing with it.


1 minute ago, Christophe Corazza said:

In other news, if you leave your phone unlocked, someone can make it stay unlocked by playing with it.

In other news, reading the article is helpful in this situation and makes people look less silly :P

Quote

The feature is designed to protect iPhones against USB devices used by law enforcement to crack your passcode, and works by disabling USB access after the phone has been locked for an hour.

If your phone has been locked within one hour, law enforcement can still get access to it by using a USB accessory, thus thwarting the security feature Apple created to prevent intrusion.


8 minutes ago, SC2Mitch said:

If your phone has been locked within one hour, law enforcement can still get access to it by using a USB accessory, thus thwarting the security feature apple created to prevent intrusion. 

 

I've understood that this only helps if the iPhone has still not entered USB Restricted Mode.

But it also works after it has been locked?!?! o.O


I don't think someone can just pull a faraday cage out of nowhere.


4 minutes ago, williamcll said:

I don't think someone can just pull a faraday cage out of nowhere.

 

Why not? I've always got a spare one in my pocket :P;)

 

Seriously though, a Faraday bag is not that big:

[image: Mission Darkness Faraday bag, small phone size, top view]

This one conveniently already has an iPhone inside xD


4 minutes ago, williamcll said:

I don't think someone can just pull a faraday cage out of nowhere.

You underestimate the use of the FBI and their responses to scenes of terror, shootings, etc. 


Good thing iOS 12 is still in beta. No wonder Grayshift is bold enough to say they managed to circumvent URM. 

 

1 hour ago, SC2Mitch said:

If you get a message that the device should be unlocked in order to use the accessory (when you connect it), then USB restricted mode has been activated already, and there is nothing you can do about that, sorry.

What are the chances that the device is seized within an hour after the last unlock? Quite high. We were not able to find recent stats, but even two years ago an average user unlocked their iPhone at least 80 times a day.

But then again, URM will kick in after an hour. The OP explicitly states that the seized iPhone should be unlocked within an hour. I think one hour is a good enough grace period for law enforcement. But for the security conscious person, aside from not unlocking the device for an hour, rebooting the iPhone will also activate URM. 


1 hour ago, Christophe Corazza said:

 

I've understood that this only helps if the iPhone has still not entered USB Restricted Mode.

But it also works after it being locked?!?! o.O

An iPhone will enter USB Restricted Mode 1 hour after being locked.

 

This "bug" allows you to prevent USB Restricted Mode from being activated after 1 hour, so that later, e.g. once you get to the nearest GrayKey, you can use the USB attack vector to unlock the phone.


42 minutes ago, Christophe Corazza said:

 

Why not? I've always got a spare on in my pocket :P;)

 

Seriously though, a Faraday bag is not that big though:

[image: Mission Darkness Faraday bag, small phone size, top view]

This one conveniently already has an iPhone inside xD

I'm guessing law enforcement will place iPhones inside Faraday bags in order to temporarily disable the remote locate and wipe features of iCloud, which require Wi-Fi or cellular data.


4 minutes ago, captain_to_fire said:

But then again, URM will kick in after an hour. The OP explicitly states that the seized iPhone should be unlocked within an hour. I think one hour is a good enough grace period for law enforcement. But for the security conscious person, aside from not unlocking the device for an hour, rebooting the iPhone will also activate URM. 

The described method disables the timer so you can take as long as you like:

1 hour ago, SC2Mitch said:
  1. Connect the iPhone to a compatible Lightning accessory (such as the official Lightning to USB 3 Camera Adapter).
  2. Plug an external battery pack into the adapter (to avoid iPhone battery drain).
  3. Place the entire assembly in a Faraday bag.

According to our tests, this effectively disables USB Restricted Mode countdown timer, and allows safely transporting the seized device to the lab.

 


In @DrMacintosh's own words:

 


All people need to do is make sure that their phone locks every 1-2 minutes of no usage and keep their phone locked unless they need to unlock it.

 

E.g. checking the time doesn't require an unlock.


15 minutes ago, ScratchCat said:

The described method disables the timer so you can take as long as you like:

 

Thanks for the heads up. It’s definitely an oversight from Apple that needs patching and more penetration testing for iOS 12. 


From what I read, this flaw resets the one-hour counter when a USB accessory is plugged in, as long as Restricted Mode isn't yet active. It sounds like law enforcement can plug in an accessory like the camera adapter and a power bank if the accessory allows pass-through. Then, once at the lab, switch the accessory to the GrayKey to unlock the iPhone.

 

Apple can stop this workaround by not resetting the one-hour counter. iOS could be configured to allow an accessory to connect during the one hour, but after that hour, if the accessory is unplugged, Restricted Mode activates. They should also consider blocking new USB connections after the one hour, in case someone uses a hub that would allow them to plug in the GrayKey without unplugging the original accessory.

 

I like that Apple is adding this feature, but I wish they would let users set the counter to what they want. I would rather have a very short time than the one hour because I have no problem with having to unlock my phone to connect an accessory.

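The seizure procedure quoted in the opening post (adapter plugged in before the hour is up, forensic tool attached much later at the lab) and the fix sketched in the post just above can be made concrete with a small state-machine model. This is an added illustration, not Apple's code and not Elcomsoft's or any forum member's: the two policy names ("flawed" and "hardened"), the event timeline and the exact countdown semantics are assumptions based on the thread's description. Under the assumed flawed policy, a compatible accessory connected before the deadline stops the countdown; under the assumed hardened policy, the countdown keeps running from the last unlock and any new data connection after the hour is refused, whatever is already plugged in.

```python
"""Toy model of the USB Restricted Mode countdown discussed in this thread.

Added illustration, not Apple's implementation: the policies, event names and
the one-hour window are assumptions taken from the thread's description of
iOS 11.4.1 behaviour.
"""
from dataclasses import dataclass, field

ONE_HOUR = 60 * 60  # seconds since last unlock before Restricted Mode engages


@dataclass
class Device:
    policy: str                 # "flawed" reproduces the reported bypass, "hardened" the proposed fix
    last_unlock: float = 0.0    # timestamp of the last successful passcode entry
    restricted: bool = False    # True once USB data access has been cut off
    countdown_armed: bool = True
    log: list = field(default_factory=list)

    def unlock(self, now: float) -> None:
        """A successful unlock resets everything: USB data is usable again."""
        self.last_unlock = now
        self.restricted = False
        self.countdown_armed = True

    def _update_state(self, now: float) -> None:
        """Advance the countdown; it only fires while it is still armed."""
        if self.countdown_armed and now - self.last_unlock >= ONE_HOUR:
            self.restricted = True

    def connect_accessory(self, now: float, name: str) -> str:
        """Return 'allowed' if the accessory gets a USB data connection, else 'blocked'."""
        self._update_state(now)
        if self.restricted:
            # The prompt Elcomsoft describes: the device must be unlocked to use the accessory.
            self.log.append((now, name, "blocked"))
            return "blocked"
        if self.policy == "flawed":
            # Assumed model of the reported oversight: an accessory plugged in before the
            # deadline disarms the countdown, so the device never becomes restricted.
            self.countdown_armed = False
        # The hardened policy leaves the countdown running from last_unlock no matter
        # what is plugged in, so a later connection (via hub or swapped cable) is refused.
        self.log.append((now, name, "allowed"))
        return "allowed"


def run_scenario(policy: str) -> dict:
    """Seizure timeline from the thread: adapter within the hour, forensic tool hours later."""
    dev = Device(policy=policy)
    dev.unlock(now=0)  # owner last unlocked at t=0, phone seized shortly after
    outcome = {}
    outcome["camera_adapter"] = dev.connect_accessory(now=50 * 60, name="camera_adapter")
    outcome["forensic_tool"] = dev.connect_accessory(now=10 * ONE_HOUR, name="forensic_tool")
    return outcome


if __name__ == "__main__":
    for policy in ("flawed", "hardened"):
        print(policy, run_scenario(policy))
```

Running it shows the difference the thread is arguing about: with the flawed policy both connections are allowed, because the adapter disarmed the countdown at minute 50; with the hardened policy the adapter is still accepted but the forensic tool at hour 10 is blocked. A device with nothing plugged in during the first hour is blocked under either policy, which matches Elcomsoft's note that once the unlock prompt appears there is nothing to be done.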

Haha, all the iSheep saying how great Apple's security is, and then stuff like this happens. It all started when Apple essentially challenged the government, grey market hackers, and anyone else that realized there was a huge profit to make from cracking Apple devices. There is no way one company can win a security war against a government and other for-profit hackers. I'm not saying that Android is secure, it's not either; what I'm saying is Apple needs to drop the security illusion they are selling before it ruins them. They are in a race against tons of hackers and security researchers, and right now they are losing bad, and it's not helping that they are tripping over themselves in the process.


49 minutes ago, Shorty88jr said:

There is no way one company can win a security war against a government and other for profit hackers.

Apple has been doing pretty well so far. It would seem you would rather companies not try to fight for you and would rather everyone just give up. Yeah no, I like my liberties thank you very much. 


An unfortunate oversight. Thankfully Apple actually has a software update model so this error can be fixed in a subsequent update that everyone will be able to download and install right away. 

 

And again, a little reality check: Apple is still doing way more than anyone else in terms of user privacy and security... and it's not like this is sending photos from your camera roll to people in your contacts.


1 hour ago, x3x53530 said:

 

I like that Apple is adding this feature, but I wish they would let users set the counter to what they want.

This is one of those cases where Apple decides what's best. They've always walked a fine line between usability and functionality.

 

They don't want people setting it to some timeframe that breaks the usability or experience of the device.


15 minutes ago, DrMacintosh said:

Apple has been doing pretty well so far. It would seem you would rather companies not try to fight for you and would rather everyone just give up. Yeah no, I like my liberties thank you very much. 

Not at all what I said. I said they shouldn't be saying that their devices are secure to the extent they would like people to believe, when clearly companies have broken their security.
