New iOS 11.4 may make it harder to extract data from stolen or seized iPhones

Researchers at digital forensics software firm Elcomsoft have discovered an interesting security feature that’s slated to become available in the next version of iOS, one that could make it harder to extract data from your stolen or seized iPhone.

It’s called USB Restricted Mode, and it locks down the data connection over the Lightning port one week after your iOS device was last unlocked.

A new iOS update is about to roll out in the next few weeks or even days. Reading Apple documentation and researching developer betas, we discovered a major new security feature that is about to be released with iOS 11.4. The update will disable the Lightning port 7 days after the device was last unlocked. What does this security measure mean, what are the reasons behind it, and what can be done about it? Let’s have a closer look.

USB Restricted Mode in iOS 11.4

In the iOS 11.4 Beta, Apple introduced a new feature called USB Restricted Mode. In fact, the feature made its first appearance in the iOS 11.3 Beta, but was later removed from the final release. This is how it works:

“To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked – or enter your device passcode while connected – at least once a week.”

The functionality of USB Restricted Mode is actually very simple. Once the iPhone or iPad is updated to the latest version of iOS supporting the feature, the device will disable the USB data connection over the Lightning port one week after the device was last unlocked.

At this point, it is still unclear whether the USB port is blocked if the device has not been unlocked with a passcode for 7 consecutive days; if the device has not been unlocked at all (password or biometrics); or if the device has not been unlocked or connected to a trusted USB device or computer. In our test, we were able to confirm the USB lock after the device has been left idle for 7 days. During this period, we have not tried to unlock the device with Touch ID or connect it to a paired USB device. What we do know, however, is that after the 7 days the Lightning port is only good for charging.

Forensic Consequences of USB Restricted Mode

USB Restricted Mode requires an iPhone running 11.3 to be unlocked at least once every 7 days. Otherwise, the Lightning port will lock down to charge-only mode. The iPhone or iPad will still charge, but it will no longer attempt to establish a data connection. Even the “Trust this computer?” prompt will not be displayed once the device is connected to the computer, and any existing lockdown records (iTunes pairing records) will not be honoured until the user unlocks the device with a passcode.

In other words, law enforcement will have at most 7 days from the time the device was last unlocked to perform the extraction using any known forensic techniques, be it logical acquisition or passcode recovery via GrayKey or other services. Even the 7 days are not a given, since the exact date and time the device was last unlocked may not be known.

USB Restricted Mode and Lockdown Records

Before iOS 11, one could use an existing lockdown record to access the iPhone or iPad device for the purpose of creating a new local backup (logical acquisition). Essentially, this is exactly how experts perform logical acquisition in the vast majority of cases of iPhone and iPad devices that are locked with an unknown passcode. The lockdown record (a small file extracted from the suspect’s computer) allows accessing essential information about the device and initiating the backup sequence without the passcode.

In addition to iTunes-style backups, the lockdown record could be used for pulling media files (pictures and videos), listing installed apps, and accessing general information about the device. Once created, the lockdown records would not expire; however, if you power-cycle or reboot the iPhone, even a valid lockdown record will be of little use until you unlock the device with a passcode because of full-disk encryption.

iOS 11 brought limitations to the use of lockdown records. In iOS 11.0 through 11.2.1, lockdown records would expire after a certain unspecified time. Once a lockdown record expired, it could no longer be used to establish communication with the iOS device; the user would need to enter their passcode on the device to establish a new pairing relationship.

iOS 11.3 further limited the lifespan of iTunes pairing records, making the records expire after 7 days.

What Happens After 7 Days?

Apparently, iOS stores information about the date and time the device was last unlocked or had a data connection to a USB port. After the seven days elapse, the Lightning port will be disabled. Once this happens, you will no longer be able to pair the device to a computer or USB accessory, or use an existing lockdown record, without unlocking the device with a passcode. The only thing you’ll be able to do is charge the device.

Whether or not iPhone unlocking solutions developed by Grayshift and Cellebrite will work is still an open question.

Mitigation

USB Restricted Mode is aimed squarely at law enforcement, preventing device acquisition after the device has been stored for 7 consecutive days without being unlocked or connected to a (paired) computer or USB accessory. At this time, we suggest two possible mitigations.

  1. Extract the device during the first 7 days using a lockdown record (if available).
  2. Attempt to unlock the device during the first 7 days. Unlocking solutions (e.g. by Grayshift) will disable USB Restricted Mode if the initial connection is made while the Lightning port is still active.
  3. If a lockdown record is available, connecting the device to a paired accessory or computer may extend the time the USB port remains active. However, bear in mind that lockdown records now carry a 7-day expiry date of their own.

In addition, managed devices may disable USB Restricted Mode for good.

The success rate will depend on the condition in which the phone is delivered to the lab. If the phone was seized while it was still powered on, and kept powered on in the meantime, then the chance of successfully connecting the phone to a computer for the purpose of making a local backup will depend on whether or not the expert has access to a non-expired lockdown file (pairing record). If, however, the phone is delivered in a powered-off state, and the passcode is not known, the chance of successful extraction is slim at best.
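The timing rules described above can be written down as a small evidence-triage model. This is an added example, not code from Elcomsoft or Apple: the Exhibit fields and function names are hypothetical, the 7-day pairing-record expiry is assumed to run from the record's creation, and the timer is assumed to start at the last unlock (the article notes the exact trigger is still unclear).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

WINDOW = timedelta(days=7)  # figure the article gives for both timers

@dataclass
class Exhibit:
    # Hypothetical field names; values would come from the seizure paperwork.
    last_unlock_earliest: datetime   # earliest moment the last unlock could have been
    last_unlock_latest: datetime     # latest moment (for example, the time of seizure)
    powered_on_since_seizure: bool   # False if delivered switched off or rebooted
    pairing_record_created: Optional[datetime] = None  # None: no lockdown record

def usb_port_state(ex: Exhibit, now: datetime) -> str:
    """Classify the Lightning data connection when the unlock time is an interval."""
    if now < ex.last_unlock_earliest + WINDOW:
        return "active"       # inside the window even in the worst case
    if now < ex.last_unlock_latest + WINDOW:
        return "uncertain"    # depends on the unknown true unlock time
    return "charge-only"      # window has elapsed even in the best case

def pairing_record_usable(ex: Exhibit, now: datetime) -> bool:
    """A lockdown record helps only if it exists, has not expired (assumed:
    7 days from creation) and the device has stayed powered on."""
    if ex.pairing_record_created is None or not ex.powered_on_since_seizure:
        return False
    return now < ex.pairing_record_created + WINDOW

def triage(ex: Exhibit, now: datetime) -> str:
    """Combine both timers into one status line for the case file."""
    port = usb_port_state(ex, now)
    if port == "charge-only":
        return "passcode required: port is charge-only"
    if pairing_record_usable(ex, now):
        return f"logical acquisition possible (port {port})"
    return f"no usable pairing record (port {port})"

# Constructed sample: seized 1 May 09:00, last unlock somewhere in the prior 36 hours.
SEIZED = datetime(2018, 5, 1, 9, 0)
SAMPLE = Exhibit(SEIZED - timedelta(hours=36), SEIZED, True,
                 pairing_record_created=datetime(2018, 4, 28, 12, 0))

if __name__ == "__main__":
    for day in (3, 6, 7, 9):
        print(day, triage(SAMPLE, SEIZED + timedelta(days=day)))
```

With the sample values, the pairing record lapses before the port does, so day 6 already yields no usable record even though the port may still be active.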

Why Apple Needed USB Restricted Mode

Actually, it was only a matter of time. Companies such as Cellebrite and the recent newcomer Grayshift make their business by unlocking protected iPhones. While Cellebrite offers this exclusively as an in-house service, and the service is only available to select law enforcement agencies with proper court orders, GrayKey supplies the actual unlocking hardware to North American law enforcement. Both companies keep their lips shut as to the details of their techniques, so the exact method they use to gain access to the devices is not known to Apple. However, their ability to unlock even the latest hardware running the latest version of iOS is worrisome, so Apple is taking action with the USB Restricted Mode.

Conclusion

In response to the latest developments, Apple made an attempt to prevent device exploitation. USB Restricted Mode effectively disables the iPhone or iPad Lightning ports after 7 days without an unlock. While this undoubtedly strengthens overall security of iOS devices, effectively disabling logical acquisition through lockdown records once the device has been in storage for 7 days, its effect on passcode unlocking techniques developed by Cellebrite and Grayshift is yet to be seen.

What else is Apple baking in iOS 11.4? Without going through the lengthy list of bug fixes and improvements, there is the possibility of iMessage sync with iCloud being finally released in iOS 11.4. iMessage sync showed up in early betas of iOS 11.0, but didn’t make it into the final release. The feature appeared again in iOS 11.3 betas, but was stripped from the final release at the last minute. There are signs the feature might be ready for prime time in iOS 11.4. How will iMessage sync work? How will it be different from Continuity, and what challenges and benefits will it present to the mobile forensic crowd? Stay tuned to find out!