Yesterday, Apple’s iOS 11.4.1 update secured the USB Lightning port on iPhones and iPads. And already there is a workaround, allowing cops and criminals to retain access to the port, and then use their hacking tools to extract your private data.
USB Restricted Mode
In iOS 11.4.1, and also in the current iOS 12 beta, if the Lightning port isn’t used for an hour, it is deactivated. You can still plug in a cable to charge the iPhone, but any kind of accessory will be blocked. To let the accessory connect, you have to unlock the iPhone with a passcode, Touch ID, or Face ID. Accessories include audio interfaces, keyboards, SD card readers, and more.
This is a security feature almost certainly designed to block passcode unlockers like the infamous GrayKey box used by police. These bypass the usual restrictions on entering passcodes by attacking through the Lightning port. With the port disabled, these attacks are blocked.
However, Oleg Afonin, a writer at Elcomsoft, says that this new security measure can already be defeated. Elcomsoft is a company that makes forensic tools for governments and law enforcement, so it is in the company’s interest to break this new lock.
How the new exploit works around Apple’s lock
Afonin’s method works by extending the one-hour countdown of Apple’s USB Restricted Mode. The Lightning port is blocked after an hour, but only if nothing is attached to it. The trick, then, is to attach a USB accessory to the port as soon as possible after stealing (or seizing) the iPhone, so that it never locks down. Done correctly, says Afonin, the lock can be held off indefinitely, as long as the iPhone doesn’t restart (or run out of juice).
This chink in the USB Restricted Mode’s armor can probably be closed, but the fix might prove annoying to users. After all, if you’re listening to music with your iPhone hooked up to a USB audio interface, you don’t want the music to stop after an hour and to have to re-authenticate before you can continue. I’m sure Apple’s brainiacs are already working on an elegant fix, though.