iOS 11.4.1’s New Passcode Cracking Prevention Feature Can Be Bypassed: ElcomSoft
July 10, 2018
While iOS 11.4.1 has just arrived with a USB Accessories toggle to restrict access to passcode cracking tools, researchers now claim that they have discovered a bug in the new feature. The bug is alleged to reset the one-hour counter introduced in the latest iOS update as long as a USB accessory is connected to the iOS device before the toggle triggers the lock. Interestingly, as per the researchers, authorities and private companies don’t need any specific USB accessory to reset the counter. The researchers have found that the counter can be reset using Apple’s native Lightning to USB 3 Camera Adapter, which is available at $39 (roughly Rs. 2,700). The toggle was notably first seen as the ‘USB Restricted Mode’ in the developer preview betas of iOS 12 and iOS 11.4.1 last month.
The team of researchers at ElcomSoft has reiterated that once USB Restricted Mode is enabled, it restricts all data communications that occur over the Lightning port. This means that if you haven’t turned the USB Accessories toggle on, and it has been more than an hour since your Apple device was locked, a USB accessory won’t be able to communicate with your device. However, as Oleg Afonin of ElcomSoft has highlighted, the feature is of no use if a USB accessory is already connected to your hardware. A connected accessory prevents the USB Restricted Mode lock from turning on after the one-hour timer. The reset works even with an untrusted USB accessory, one that has never been paired with the device before. “What we discovered is that iOS will reset the USB Restrictive Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been paired to the iPhone before (well, in fact, the accessories do not require pairing at all). In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour,” Afonin writes in a blog post while explaining the loophole.
The researchers observed that the lock is not affected by Apple’s Lightning to 3.5mm jack adapter, though the one-hour countdown was reset through the official Lightning to USB 3 Camera Adapter. “According to our tests, this effectively disables USB Restricted Mode countdown timer, and allows safely transporting the seized device to the lab,” claims Afonin. The researcher also underlined that with the release of iOS 11.4.1, the procedure of “properly seizing and transporting” an iPhone could include a compatible Lightning accessory. “Prior to iOS 11.4.1, isolating the iPhone inside a Faraday bag and connecting it to a battery pack would be enough to safely transport it to the lab,” he concludes.
While Apple might fix the flaw in the next iOS 11.4 release or in iOS 12, Afonin doesn’t consider it a severe vulnerability and calls it an “oversight.” However, this doesn’t mean that USB connectivity with an Apple device is entirely safe. Law enforcement and private companies could leverage the loophole and design new hardware to continue to crack passcodes through the Lightning port.