On the day of its official release, technology security gurus are raising a red flag over Apple’s new security feature, USB Restricted Mode.
The feature was designed to shield iPhone users against passcode-cracking devices used by law enforcement, essentially immobilizing any attempts at accessing the device after it’s been in locked mode for an hour.
Computer security forensics firm ElcomSoft has found a $39 device -- one Apple sells on its own website -- that runs contrary to Apple’s instructions, fooling the restricted mode and giving access to anyone using the device.
“What we discovered is that iOS will reset the USB Restrictive Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been paired to the iPhone before (well, in fact the accessories do not require pairing at all),” wrote ElcomSoft’s Oleg Afonin in a blog post.
“In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour. Importantly, this only helps if the iPhone has still not entered USB Restricted Mode,” Afonin commented.
To make its research as inclusive and objective as possible, ElcomSoft says it plans to test as many USB adapters as possible. It has found that one, the Apple Lightning to 3.5mm jack adapter ($9), does not work to defeat USB restrictions.
The Twittersphere was bristling with news of the workaround with tech watchers like Mashable agreeing that Apple’s new security feature was “painfully easy to hack.” Another site tweeted a step-by-step on how to trick the feature.
Needless to say, the issue raises a number of questions.
Why is Apple’s USB Restricted Mode so easily fooled? Can Apple patch its own security hole? The answers are uncertain, but critics are making it clear that Apple has an issue with its Lightning communication protocol.
“The ability to postpone USB Restricted Mode by connecting the iPhone to an untrusted USB accessory is probably nothing more than an oversight,” summed up Afonin.
“We don’t know if this behavior is here to stay, or if Apple will change it in the near future. According to our tests, both iOS 11.4.1 and iOS 12 beta 2 exhibit similar behavior; however, this can change in subsequent versions of iOS.”
In a statement to ConsumerAffairs, Vladimir Katalov -- CEO, co-owner, and co-founder of ElcomSoft -- added that a small adjustment on Apple's part could go a long way towards making some consumers more comfortable.
"What we want to see is more granular control over what can and what cannot trigger the USB Restricted Mode. There are people who'd prefer unlocking their phones every time someone connects an accessory to the Lightning port instead of being subjected to the flawed restrictions. Apple already took care of the people who don’t want the new feature, so we’d like to see some love for those of us who just can’t have too much security," he said.