In the wake of revelations that companies including Grayshift and Cellebrite have developed tricks to extract data from encrypted iPhones, Apple has quietly added an additional protection to the beta version of iOS 11.4: USB Restricted Mode. Discovered by security researchers Elcomsoft, the new feature is said to be “aimed squarely at law enforcement” and automatically password-locks the device’s Lightning port after seven days of inactivity. At that point, the port will only function for charging — crucially eliminating data transfers, such as backups or extractions — until the correct password is entered.
iOS 11.4’s USB Restricted Mode builds on a “lockdown record” protection added to iTunes around the release of iOS 11.3. Before iOS 11, a lockdown record enabled a computer to access certain device information and initiate iTunes backups without entering the passcode — something law enforcement personnel exploited to make backups at will. To increase device security, iOS 11 made the lockdown records expire after an unspecified period of time, while iOS 11.3 clamped down further, causing the records to expire after seven days. The changes radically reduced the timeframe for law enforcement action after seizure of a device.
Elcomsoft says that the new USB Restricted Mode is designed to prevent “device acquisition after the device has been stored for 7 consecutive days without being unlocked or connected to a (paired) computer or USB accessory.” Going forward, it says, the success rate of unlocking the iPhone will depend largely on whether it was powered on when seized and kept powered on until it reached the lab. If “the phone is delivered in a powered-off state,” Elcomsoft says, “and the passcode is not known, the chance of successful extraction is slim at best.” Once the seven-day countdown on the device is up, the lockdown record on the suspect’s computer will likely have expired, as well.
Apple’s commitment to protecting user privacy has at times conflicted with its obligation to cooperate with law enforcement investigations. Consequently, third parties such as Grayshift have created devices capable of brute force hacking iOS password protections, thus enabling law enforcement personal — and others with similar interests and resources — to examine and back up the contents of encrypted devices. As there are some situations in which enabling unauthorized device access achieves a public good, Apple has had to walk a fine line between fully blocking these efforts and continuing a cat-and-mouse game with hackers.
Elcomsoft notes that the impact of the USB Restricted Mode on Grayshift’s and Cellebrite’s device hacking solutions is uncertain and that there’s a possibility the feature could disappear at the last moment from iOS 11.4, which has not yet been finalized. Additionally, companies will apparently have the option of completely disabling USB Restricted Mode from corporate-managed devices. But for most users such a feature will likely harden the security of their iPhones against unwanted intrusions.