The Most Comprehensive Data Protection Solution

Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.

First and Only Solution to Converge:

  • Data Loss Prevention
  • Endpoint Detection and Response
  • User and Entity Behavior Analytics
DATAINSIDER

Digital Guardian's Blog

USB the Hard Way

by Dennis Fisher on Wednesday July 11, 2018

Contact Us
Free Demo
Chat

Apple made it trickier for anyone looking to download the contents of an iOS device this week with a new feature that prevents USB accessories from communicating with devices that haven't been unlocked in an hour.

Apple this week released a new version of iOS that includes a feature that makes life much more difficult for anyone who tries to download the contents of a device, whether that be a thief, an attacker, or a forensics investigator.

The feature has been in several beta versions of iOS over the last few months, hiding slightly below the surface. It’s called USB Restricted Mode and Apple inserted it into iOS 11.4.1, which was released Monday. The new mode has a very simple function: to prevent USB accessories from communicating with an iOS device that hasn’t been unlocked in at least an hour. That may seem like a nuisance for normal daily use, but the feature plays a specific and important security role.

When thieves (or attackers who have physical access to a device) get hold of an iPhone or iPad, one of the things they will do quickly is try to dump the data from the device. There are a number of ways to do that, most of which involve connecting the device to a computer or specialized forensics device. Those connections happen through the iPhone’s USB Lightning port, and Apple’s change can prevent thieves or other attackers from being able to get access to the device’s contents. Restricted Mode is enabled by default in the new version of iOS.

“Starting with iOS 11.4.1, if you use USB accessories with your iPhone, iPad, or iPod touch, or if you connect your device to a Mac or PC, you might need to unlock your device for it to recognize and use the accessory. Your accessory then remains connected, even if your device is subsequently locked,” Apple said.

“If you don’t first unlock your password-protected iOS device—or you haven’t unlocked and connected it to a USB accessory within the past hour—your iOS device won’t communicate with the accessory or computer, and in some cases, it might not charge. You might also see an alert asking you to unlock your device to use accessories.”

Blog Post

Forrester Names Digital Guardian a Leader in Endpoint Detection and Response

While this is a subtle change by Apple, it’s one that could have a wide range of effects. For most users, Restricted Mode won’t make much of a difference in their daily lives. Many people don’t really use USB accessories as much as they used to, aside from earbuds. And people tend to unlock their phones several times an hour during normal use, so Restricted Mode wouldn’t kick in. But for people who are at a higher risk of certain kinds of targeted attacks or theft of their devices, Restricted Mode can provide an important extra layer of protection against data loss.

The other part of the equation is how Restricted Mode affects the law enforcement and forensics communities. During investigations, law enforcement officers rely on specialized tools to access and download the contents of locked iPhones. Companies such as Cellebrite and Grayshift sell devices specifically designed to unlock iPhones through the use of software exploits. Those devices use the USB port to connect to iPhones, so law enforcement officers who seize locked iPhones now may have as little as an hour to get to work on those phones if Restricted Mode is enabled.

Although the new feature is enabled by default, users can disable it by going in to the Settings, selecting the Touch ID (or Face ID) and Passcode option and then scrolling down to the option that says USB Accessories and toggling the selector.

Tags: Mobile Security, Encryption

Dennis Fisher

Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.