{"id":80914,"date":"2018-07-14T07:30:19","date_gmt":"2018-07-14T14:30:19","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=80914"},"modified":"2022-08-26T00:35:23","modified_gmt":"2022-08-26T07:35:23","slug":"anti-hack-feature-comes-to-ios-11-4-1-but-is-it-good-enough","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/anti-hack-feature-comes-to-ios-11-4-1-but-is-it-good-enough\/","title":{"rendered":"Anti-hack feature comes to iOS 11.4.1\u2026 but is it good enough?"},"content":{"rendered":"

\"\"<\/p>\n

Earlier this week, Apple released security updates<\/a> for all of its major operating systems: macOS, iOS, watchOS, and tvOS.<\/p>\n

Interestingly, iOS 11.4.1 includes a surprise: USB Restricted Mode\u2014a somewhat controversial security feature that Apple describes in a separate support article<\/a>.<\/p>\n

What Is USB Restricted Mode?<\/h3>\n

USB Restricted Mode was first introduced in the iOS 12 beta at Apple’s WWDC\u00a0event<\/a> in early June. (Related:\u00a0Why iOS 12 Is Huge for Security and\u00a0Privacy<\/a>)<\/p>\n

\"\"

USB Restricted Mode is enabled by default in iOS 11.4.1 and later. Image: Apple<\/a><\/p><\/div>\n

By default, iOS 12\u2014and now iOS 11.4.1\u2014purposely block access to USB devices connected to\u00a0an\u00a0iPhone after it has been locked for at least one hour, or if the phone has been put into Emergency SOS mode<\/a>. After one of those conditions has been met, connecting a device to the Lightning port requires unlocking the phone before the connected device will work.<\/p>\n

\"\"Apple made\u00a0this\u00a0change\u00a0to\u00a0improve the physical security of the iPhone (as well as the iPad and iPod touch). With iOS 11.4 and earlier, it was possible for an attacker to connect a\u00a0password-cracking tool such as Grayshift’s\u00a0GrayKey<\/a> to an iOS device, potentially allowing the attacker to try to brute-force crack the device’s PIN or passcode so that personal data could be extracted from the device.<\/p>\n

What’s the Controversy?<\/h3>\n

Although USB Restricted Mode may sound like a great thing to security-conscious consumers and privacy advocates, some worry that the feature could potentially prevent law enforcement agencies from obtaining access to encrypted information on a suspect’s iOS device after having legally obtained a warrant, or to stop an impending terrorist attack.<\/p>\n

\"\"The GrayKey device in particular is supposedly only sold to law enforcement and intelligence agencies. Grayshift competitor\u00a0Cellebrite<\/a>\u00a0offers a\u00a0mail-in\u00a0password cracking service for iOS devices, marketed toward the same audience.<\/p>\n

Apple maintains that the new feature is designed to defend customers “against hackers, identity thieves and intrusions into their personal data,” and that the company has “the greatest respect for law enforcement, and we don’t design our security improvements to frustrate their efforts to do their jobs.”<\/p>\n

But Does USB Restricted Mode Actually Work?<\/h3>\n

There is some debate, however, about whether USB Restricted Mode actually protects anyone sufficiently at all.<\/p>\n

\"\"Digital forensics company ElcomSoft reports<\/a> that by simply attaching certain dongles to an iOS device’s Lightning port within one hour of the last time the device was unlocked is all it takes to prevent USB Restricted Mode from becoming activated.<\/p>\n

Dongles capable of defeating USB Restricted Mode reportedly include Apple’s own Lightning to USB 3 Camera Adapter<\/a>, which Apple sells for only US$39. ElcomSoft speculates and plans to confirm that cheaply manufactured third-party products\u2014which they say can cost less than\u00a0$3\u2014may work just as well.<\/p>\n

Depending on the situation, your device may be well enough protected from certain attacks regardless of this workaround. If an attacker steals your phone after it has already been locked for an hour, or if you have a chance to press your iPhone’s Emergency SOS<\/a> button combination before an attacker can steal\u00a0the phone\u00a0or attach a dongle to it, then USB Restricted Mode will engage and you’ll be protected.<\/p>\n

For law enforcement and intelligence agencies, there may be yet another loophole that could\u00a0give\u00a0them legal permission to\u00a0start breaking into a device within an hour of the last time it was unlocked.\u00a0Data recovery company DriveSavers recently\u00a0reported<\/a>\u00a0that agencies\u00a0can\u00a0search a device without a warrant if there are\u00a0“exigent circumstances,” meaning that a reasonable person\u00a0would conclude\u00a0“that a warrantless search or entry\u2026 was necessary to prevent physical harm to the officers or other persons, the destruction of relevant evidence, the escape of a suspect, or some other consequence improperly frustrating legitimate law enforcement efforts.”<\/p>\n

\"\"<\/a>We’ve talked about\u00a0iPhone password cracking, Cellebrite, GrayKey, USB Restricted Mode, and related topics\u00a0on several recent episodes of the Intego Mac Podcast<\/strong>: March 7<\/a>, April 27<\/a>, July 6<\/a>, and July 13<\/a>. Be sure to subscribe<\/a> to make sure you don’t miss\u00a0future discussions on this topic.<\/p>\n

Other New Apple Security Updates<\/h3>\n

\"\"Aside from iOS 11.4.1 and other OS updates, Apple also released updates for Safari\u00a0for Mac, as well as\u00a0the company’s\u00a0notable\u00a0Windows software: iTunes and iCloud for Windows, as well as Wi-Fi drivers for Boot Camp which finally mitigate the KRACK vulnerabilities<\/a>\u00a0that came to light way back in October 2017.<\/p>\n

For more technical details about the vulnerabilities patched in the latest security updates,\u00a0you can review the following Apple support articles:<\/p>\n