Apple’s latest move in its ongoing war of words with the FBI, National Security Agency, and other intelligence and law enforcement agencies over encryption is a feature that turns off USB data access on locked iOS devices.
According to TechCrunch and MacRumors, Elcomsoft researchers recently discovered a feature called “USB Restricted Mode” hidden in the iOS 11.4 code. When the mode is activated, an iOS device like an iPhone will disable all data access via the Lightning port after a week of not being unlocked or paired to a computer. Charging will continue to work.
The functionality of USB Restricted Mode is actually very simple. Once the iPhone or iPad is updated to the latest version of iOS supporting the feature, the device will disable the USB data connection over the Lightning port one week after the device has been last unlocked.
At this point, it is still unclear whether the USB port is blocked if the device has not been unlocked with a passcode for 7 consecutive days; if the device has not been unlocked at all (password or biometrics); or if the device has not been unlocked or connected to a trusted USB device or computer.
It’s easy to see why Apple saw fit to introduce the feature: Authorities have been rushing to purchase Graykey encryption-breaking devices manufactured by Grayshift, a company that supposedly has a former Apple engineer on staff. Graykey devices are designed to plug into an iPhone’s Lightning port and automatically decrypt it over a matter of hours to days using an unknown vulnerability—essentially giving authorities the long-desired backdoor into encrypted iOS devices that Apple has refused to provide.
With this security feature activated, investigators or anyone else hoping to break into an Apple device will have an even more limited timeframe to do so. Shutting down the USB port automatically also means Apple has come up with a method to prevent device access without having to obtain knowledge of whatever vulnerability Grayshift and its competitors like Cellebrite have apparently learned of.
If USB Restricted Mode is activated, authorities won’t be able to simply stash iPhones they can’t unlock in evidence lockers until a new technique to break into them emerges, barring some way to work around the disabled Lightning port, which sounds kind of difficult. It also means agencies like the FBI won’t be able to grandstand about how Apple should be forced to build them a fancy hacking tool the next time they acquire a phone they’re unable to unlock themselves in the required timeframe. Essentially, that device will be on another level of hardware lockdown that Apple can’t deactivate after the fact.
Other recent iOS 11 updates have introduced time limits for local backup techniques that could be used to extract information from a device, MacRumors noted.
Update 9:25am, May 9: USB Restricted Mode may not be coming to iOS anytime soon after all. As CyberScoop reports, the feature is not included in the current iOS 11.4 beta release notes; it was in the iOS 11.3 release notes but never actually made it into that release. Further, ElcomSoft’s chief executive, Vladimir Katalov, tells CyberScoop that their report was based primarily on third-party chatter about the feature. “We had to operate with what Cellebrite and GrayShift say, as well as their users—but there is of course not 100 percent guarantee,” Katalov told CyberScoop. “Sometimes we even have to be provocative a little bit, because that seems to be the only way to get public response from Apple.”
We have reached out to Apple to clarify what’s happening with USB Restricted Mode and will update when we receive a response.