USB the Hard Way
Apple made it trickier for anyone looking to download the contents of an iOS device this week with a new feature that prevents USB accessories from communicating with devices that haven't been unlocked in an hour.
Apple this week released a new version of iOS that includes a feature that makes life much more difficult for anyone who tries to download the contents of a device, whether that be a thief, an attacker, or a forensics investigator.
The feature has been in several beta versions of iOS over the last few months, hiding slightly below the surface. It’s called USB Restricted Mode and Apple inserted it into iOS 11.4.1, which was released Monday. The new mode has a very simple function: to prevent USB accessories from communicating with an iOS device that hasn’t been unlocked in at least an hour. That may seem like a nuisance for normal daily use, but the feature plays a specific and important security role.
When thieves (or attackers who have physical access to a device) get hold of an iPhone or iPad, one of the things they will do quickly is try to dump the data from the device. There are a number of ways to do that, most of which involve connecting the device to a computer or specialized forensics device. Those connections happen through the iPhone’s USB Lightning port, and Apple’s change can prevent thieves or other attackers from being able to get access to the device’s contents. Restricted Mode is enabled by default in the new version of iOS.
“Starting with iOS 11.4.1, if you use USB accessories with your iPhone, iPad, or iPod touch, or if you connect your device to a Mac or PC, you might need to unlock your device for it to recognize and use the accessory. Your accessory then remains connected, even if your device is subsequently locked,” Apple said.
“If you don’t first unlock your password-protected iOS device—or you haven’t unlocked and connected it to a USB accessory within the past hour—your iOS device won’t communicate with the accessory or computer, and in some cases, it might not charge. You might also see an alert asking you to unlock your device to use accessories.”
Forrester Names Digital Guardian a Leader in Endpoint Detection and Response
While this is a subtle change by Apple, it’s one that could have a wide range of effects. For most users, Restricted Mode won’t make much of a difference in their daily lives. Many people don’t really use USB accessories as much as they used to, aside from earbuds. And people tend to unlock their phones several times an hour during normal use, so Restricted Mode wouldn’t kick in. But for people who are at a higher risk of certain kinds of targeted attacks or theft of their devices, Restricted Mode can provide an important extra layer of protection against data loss.
The other part of the equation is how Restricted Mode affects the law enforcement and forensics communities. During investigations, law enforcement officers rely on specialized tools to access and download the contents of locked iPhones. Companies such as Cellebrite and Grayshift sell devices specifically designed to unlock iPhones through the use of software exploits. Those devices use the USB port to connect to iPhones, so law enforcement officers who seize locked iPhones now may have as little as an hour to get to work on those phones if Restricted Mode is enabled.
Although the new feature is enabled by default, users can disable it by going in to the Settings, selecting the Touch ID (or Face ID) and Passcode option and then scrolling down to the option that says USB Accessories and toggling the selector.
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business