What is USB Restricted Mode in iOS?
Apple’s iOS 11.3 introduced a feature called USB Restricted Mode. This extra layer of security protection didn’t ship in that release, but when available in iOS 11.4 this is what you need to know about it.
What is USB Restricted Mode?
USB Restricted Mode is an extra layer of protection iPhone users can use on their devices if they want to keep their data safe. When it is in place it renders the Lightning port unusable seven days after the last device unlock. This makes it difficult to use brute force attack solutions such as GrayKey to break device security.
What Apple says about USB Restricted Mode
In the iOS 11.3 beta release notes, Apple described USB Restricted Mode as follows:
“To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked – or enter your device passcode while connected – at least once a week.”
How it works
This additional security means users will regularly need to enter their passcode to use Lightning-connected device, though you can switch off USB Restricted Mode so a passcode is never required to connect to a USB accessory.
“This mode is disabled on devices that are updated to iOS 11.3 if they are supervised but not enrolled in MDM,” Apple’s release notes said.
It is already possible to achieve something similar when using Mobile Device Management (MDM) tools (such as those used by the enterprise and education markets) to manage iPhones. Apple Configurator can prevent devices from being paired with any Mac other than the one defined. Third-party solutions add additional options.
What does this mean for law enforcement?
Elcomsoft explains:
“In other words, law enforcement will have at most 7 days from the time the device was last unlocked to perform the extraction using any known forensic techniques, be it logical acquisition or passcode recovery via GreyKey or other services . Even the 7 days are not a given, since the exact date and time the device was last unlocked may not be known.”
What GrayKey says about USB Restricted Mode
“Starting with iOS 11.3, iOS saves the last time a device has been unlocked (either with biometrics or passcode) or was connected to an accessory or computer. If a full seven days (168 hours) elapse [sic] since the last time iOS saved one of these events, the Lightning port is entirely disabled,” Braden Thomas wrote in a blog post seen only by customers, which Motherboard obtained.
“You cannot use it to sync or to connect to accessories. It is basically just a charging port at this point. This is termed USB Restricted Mode, and it affects all devices that support iOS 11.3.”
Is this protection strong enough?
It’s not perfect, of course, and companies like Cellebrite or GrayKey who make their money out of providing tools that can be used to break into iPhones to take their data will continue to develop new ways to achieve this aim. All the same, USB Restricted Mode should help you – or any large enterprise in fear of industrial espionage – keep your data safe.
Who needs it?
Understandably, law enforcement argues that police and other authorities should be equipped with tools to break into smartphones to get data.
The problem with this argument is that once one group has such tools, everyone else wants them too, leading to a proliferation of knowledge about how to subvert device security.
That’s a real challenge to enterprises, medical practitioners, educators, journalists or anyone else who regularly handles highly confidential information.
The danger is that these tools will fall into the hands of rogue governments, unscrupulous competing business entities, or criminals, forming a big threat to individual and corporate freedom and security.
I care about my security, what else can I do?
Read the iOS security guide, and make sure to use a complex alpha-numeric passcode.