Even as Apple went public yesterday with a new mobile device operating system intended to close security loopholes that law enforcement agencies were using to access locked devices, one digital forensics firm said it found a workaround to bypass the new security features for a cost of about forty bucks.
The new Apple iOS, 11.4.1, includes USB Restricted Mode, which prevents anyone, including law enforcement, from unlocking a device via its Lightning charging port if the device is locked for more than an hour.
Apple’s inclusion of the new feature comes amid the firm’s long history of sparring with the law enforcement community over accessing seized Apple devices.
Most famously, Apple and the FBI clashed in 2016 over accessing the iPhone of one of the perpetrators in the terrorist attack in San Bernardino, Calif., in 2015. Apple refused an FBI request to create a “backdoor” software program that could bypass encryption and other security protocols to access locked devices, arguing that compliance with the request would also create backdoor access for cybercriminals. The FBI eventually dropped its court case against Apple and revealed that it had accessed the phone through other means, most likely the Lightning port. Before the new update from Apple, law enforcement agencies had relied on the ability to unlock devices via USB as tech companies introduced strong encryption capabilities.
In a statement regarding the update, Apple said the new capability was created to provide strong protection against cybercriminals, though the company recognized that the update also is a roadblock for law enforcement.
“We’re constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves, and intrusions into their personal data,” Apple said in a statement. “We have the greatest respect for law enforcement, and we don’t design our security improvements to frustrate their efforts to do their jobs.”
However, whether USB Restricted Mode will actually secure devices remains to be seen, as one security firm, ElcomSoft, found a way to bypass the update for roughly $39 by using readily available Apple accessories.
The new Apple security measure works by essentially disabling the Lightning port’s data connection either one hour after the device’s last unlocking or one hour after it was disconnected from a trusted USB device. However, connecting a device to an Apple dongle, including the Lightning to USB 3 Camera Adapter, can reset the one-hour limit. When the Lightning to 3.5mm jack dongle doesn’t work, law enforcement officers could use other USB accessories to buy time while they looked for other ways to break into a device. ElcomSoft noted that this workaround is only effective if the iPhone has not entered USB Restricted Mode.
“What we discovered is that iOS will reset the USB Restricted Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been paired to the iPhone before (well, in fact the accessories do not require pairing at all),” an ElcomSoft blog post explains. “In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour.”
Since the loophole was discovered so quickly (less than 24 hours after the update was released), the question becomes whether Apple can close the loophole in its next update.
“To us, it seems highly unlikely simply because of the humongous amount of MFi (Made for iPhone/iPod/iPad) devices that aren’t designed to support such a change,” ElcomSoft said. “Theoretically, iOS could remember which devices were connected to the iPhone, and only allow those accessories to establish connectivity without requiring an unlock–but that’s about all we can think of.”
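To make the design gap concrete, the following added example (not code from Apple, ElcomSoft or the original article) models the countdown as the article describes it and compares it with the "remember connected accessories" idea ElcomSoft floats. It is a simplified sketch: the function name, event format and accessory IDs are hypothetical, each attach is treated as an instantaneous reset, and the timer is assumed to start when the device locks.

```python
WINDOW = 3600  # seconds; the one-hour limit described in the article

def restricted_at(events, query_time, remember_accessories=False):
    """Return True if the data port is restricted at query_time.

    events: time-ordered (t, kind, accessory_id) tuples, where kind is
    "unlock", "lock" or "attach". With remember_accessories=True, only
    accessories first seen while the device was unlocked may reset the
    countdown (the mitigation ElcomSoft calls theoretically possible).
    """
    locked, restricted, last_reset = True, False, 0
    known = set()  # accessories attached while the device was unlocked
    for t, kind, acc in events:
        if t > query_time:
            break
        # The countdown only matters while the device is locked.
        if locked and t - last_reset >= WINDOW:
            restricted = True
        if kind == "unlock":
            locked, restricted, last_reset = False, False, t
        elif kind == "lock":
            locked, last_reset = True, t
        elif kind == "attach":
            if not locked:
                known.add(acc)
                last_reset = t
            elif not restricted and (not remember_accessories or acc in known):
                # Behaviour reported by ElcomSoft: any accessory resets the
                # countdown, as long as Restricted Mode has not yet engaged.
                last_reset = t
    return restricted or (locked and query_time - last_reset >= WINDOW)

# Constructed timelines (seconds since the owner last unlocked the phone).
SEIZED_EARLY = [(0, "unlock", None), (60, "lock", None),
                (1800, "attach", "adapter-x")]   # never-seen accessory
SEIZED_LATE = [(0, "unlock", None), (60, "lock", None),
               (4000, "attach", "adapter-x")]    # attached after the hour
OWNER_DOCK = [(0, "unlock", None), (30, "attach", "dock"),
              (60, "lock", None), (1800, "attach", "dock")]

if __name__ == "__main__":
    for name, ev in [("early", SEIZED_EARLY), ("late", SEIZED_LATE),
                     ("owner dock", OWNER_DOCK)]:
        print(name, restricted_at(ev, 5000), restricted_at(ev, 5000, True))
```

In the model, the never-seen accessory keeps the port open only under the reported behaviour, while the owner's previously used dock keeps working under both policies.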
ElcomSoft further explained that the discovery of the loophole will likely change how law enforcement agencies treat seized devices.
“Prior to iOS 11.4.1, isolating the iPhone inside a Faraday bag and connecting it to a battery pack would be enough to safely transport it to the lab,” the blog post explained. “iOS 11.4.1 adds the need for another dongle setup. … According to our tests, this effectively disables USB Restricted Mode countdown timer, and allows safely transporting the seized device to the lab.”
Apple has not commented on ElcomSoft’s discovery.