Security Researchers Find Way to Prevent USB Restricted Mode From Activating on iOS Devices

Security researchers claim to have discovered a loophole that prevents an iPhone or iPad from activating USB Restricted Mode, Apple's latest anti-hacking feature in iOS 12 beta and iOS 11.4.1, which was released on Monday.

USB Restricted Mode is designed to make iPhones and iPads immune to certain hacking techniques that use a USB connection to download data through the Lightning connector to crack the passcode.

Lightning iPhone 7
iOS 11.4.1 and iOS 12 prevent this by default by disabling data access to the Lightning port if it's been more than an hour since the iOS device was last unlocked. Users can also quickly disable the USB connection manually by engaging Emergency SOS mode.

However, researchers at cybersecurity firm ElcomSoft claim to have discovered a loophole that resets the one-hour counter. The bypass technique involves connecting a USB accessory into the Lightning port of the iOS device, which prevents USB Restricted Mode from locking after one hour.

ElcomSoft's Oleg Afonin explained the technique in a blog post:

What we discovered is that iOS will reset the USB Restrictive Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been paired to the iPhone before (well, in fact the accessories do not require pairing at all). In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour. Importantly, this only helps if the iPhone has still not entered USB Restricted Mode.

According to Afonin, Apple's own $39 Lightning to USB 3 Camera Adapter can be used to reset the counter. Researchers are currently testing a mix of official and third-party adapters to see what else works with the bypass technique.

apple lightning usb camera adapter
Afonin notes that ElcomSoft found no obvious way to break USB Restricted Mode once it has been engaged, suggesting the vulnerability is, in his words, "probably nothing more than an oversight" on Apple's part. Still, at present its existence provides a potential avenue for law enforcement or other potentially malicious actors to prevent USB Restricted Mode from activating shortly after seizure.

Both iOS 11.4.1 and iOS 12 beta 2 are said to exhibit the same behavior when exploiting the loophole. However, expect this to change in subsequent versions of iOS – Apple continually works on strengthening security protections and addressing iPhone vulnerabilities as quickly as possible to defend against hackers.

Apple reportedly introduced USB restrictions to disable commercial passcode cracking tools like GrayKey. Afonin cites rumors that the newer GrayShift tool is able to defeat the protection provided by USB Restricted Mode, but the research community has yet to see firm evidence confirming this.

Related Forums: iOS 11, iOS 12

Popular Stories

iPhone SE 4 Thumb 1

iPhone SE 4 With Apple's Own 5G Modem 'Confirmed' to Launch in March

Tuesday November 19, 2024 12:12 pm PST by
Barclays analyst Tom O'Malley and his colleagues recently traveled to Asia to meet with various electronics manufacturers and suppliers. In a research note this week, outlining key takeaways from the trip, the analysts said they have "confirmed" that a fourth-generation iPhone SE with an Apple-designed 5G modem is slated to launch towards the end of the first quarter next year. In line with previo...
airtag purple

AirTag 2 Rumored to Launch Next Year With These New Features

Sunday November 17, 2024 5:18 am PST by
Apple released the AirTag in April 2021, so it is now three over and a half years old. While the AirTag has not received any hardware updates since then, a new version of the item tracking accessory is rumored to be in development. Below, we recap rumors about a second-generation AirTag. Timing Apple is aiming to release a new AirTag in mid-2025, according to Bloomberg's Mark Gurman....
Magic Mouse Next to Keyboard

No, Apple CEO Tim Cook Didn't Say He Prefers Logitech's MX Master 3 Over the Magic Mouse

Sunday November 17, 2024 3:03 pm PST by
While the Logitech MX Master 3 is a terrific mouse for the Mac, reports claiming that Apple CEO Tim Cook prefers that mouse over the Magic Mouse are false. The Wall Street Journal last month published an interview with Cook, in which he said he uses every Apple product every day. Soon after, The Verge's Wes Davis attempted to replicate using every Apple product in a single day. During that...
Generic iOS 18 Feature Real Mock

Apple Releases iOS 18.1.1 and iPadOS 18.1.1 With Security Fixes

Tuesday November 19, 2024 10:10 am PST by
Apple today released iOS 18.1.1 and iPadOS 18.1.1, minor updates to the iOS 18 and iPadOS 18 operating systems that debuted earlier in September. iOS 18.1.1 and iPadOS 18.1.1 come three weeks after the launch of iOS 18.1. The new software can be downloaded on eligible iPhones and iPads over-the-air by going to Settings > General > Software Update. Apple has also released iOS 17.7.2 for...
at t turbo indicator iphone 16 pro max v0 8hrh7w5f3w1e1

AT&T Turbo Indicator Showing Up in iPhone Status Bar for Subscribers

Wednesday November 20, 2024 3:42 am PST by
AT&T has begun displaying "Turbo" in the iPhone carrier label for customers subscribed to its premium network prioritization service, according to reports on Reddit. The new indicator seems to have started appearing after users updated to iOS 18.1.1, but that could be just coincidence. Image credit: Reddit user No_Highlight7476 The Turbo feature provides enhanced network performance through ...
iPhone 17 Slim Feature Single Camera 1 Redux

'iPhone 17 Air' Rumored to Surpass iPhone 6 as Thinnest iPhone Ever

Monday November 18, 2024 1:07 pm PST by
In a research note with Hong Kong-based investment bank Haitong today, obtained by MacRumors, Apple analyst Jeff Pu said he agrees with a recent rumor claiming that the so-called "iPhone 17 Air" will be around 6mm thick. "We agreed with the recent chatter of an 6mm thickness ultra-slim design of the iPhone 17 Slim model," he wrote. If that measurement proves to be accurate, there would be ...
bug security vulnerability issue fix larry

Make Sure to Update: iOS 18.1.1 and macOS Sequoia 15.1.1 Fix Actively Exploited Vulnerabilities

Tuesday November 19, 2024 10:52 am PST by
The iOS 18.1.1, iPadOS 18.1.1, and macOS Sequoia 15.1.1 updates that Apple released today address JavaScriptCore and WebKit vulnerabilities that Apple says have been actively exploited on some devices. With the JavaScriptCore vulnerability, processing maliciously crafted web content could lead to arbitrary code execution. The WebKit vulnerability had the same issue with maliciously crafted...

Top Rated Comments

christarp Avatar
83 months ago
Interesting, so the cops would need to confiscate the alleged evidence and transport it back to wherever they take it and then keep it plugged into the device. might be tough to do within an hour, but I'm sure they'll find a way. And I'm also sure Apple will find a way to close this loophole. Cat and mouse continues.
Score: 10 Votes (Like | Disagree)
Turnpike Avatar
83 months ago
There is always going to be a ping-pong, back-and-forth effect to this kind of thing with problems and solutions; but having an Apple device and having Apple on your side working to protect it is, while not perfect, the closest thing to it you will find with any company. Nobody else really cares about protecting your data quite like Apple does.
Score: 8 Votes (Like | Disagree)
Scooz Avatar
83 months ago
Apple seemingly doing anything to sell their overpriced adapters...
Score: 7 Votes (Like | Disagree)
MacRS4 Avatar
83 months ago
Have I misunderstood this? What they're saying is that <1 hour and you plug in a USB, it resets the count-down timer for the USB lockout.

So imagine you unlock/lock your phone, and plug it in to your computer shortly afterward. You wouldn't want the USB lock to engage would you? Say for example if you were copying 100GB of movies to it.

Or is the lack of 'trusted' devices enabling the reset of the counter? I.e. A mistake on the expected behaviour.

PS. I've not had nearly enough coffee yet.
Score: 7 Votes (Like | Disagree)
alphaod Avatar
83 months ago
Makes sense seeing some accessories like the HDMI adapter do not require authorization in the first place.

I wouldn't see this as an oversight. Can't have a perfect solution.
Score: 6 Votes (Like | Disagree)
robertcoogan Avatar
83 months ago
One could also change the 6-digit PIN to a password (mix of characters) and defeat any graybox regardless.
Score: 6 Votes (Like | Disagree)