Access restriction mode for accessories on iOS devices and how to bypass it

Today I’ll talk about one technically interesting solution from Apple, through which the company tried to protect its devices from password guessing - and what came of it as a result. To begin with, I will answer the question, why do I need a mode of restricting access to accessories in the iPhone.

Protection against cracking the screen lock code

The basic story about iOS security is yet to come. Now I want to focus on one rather controversial feature of iOS, which makes the security of all user data both in the device and in the cloud account dependent on one single factor: the screen lock code. If you know the screen lock code, you can extract almost all data from the iPhone, including passwords from accounts. Password backup protection? No, they didn’t hear: it’s as if it is, but resetting it, knowing the lock code is a matter of a few seconds. Unlink a stolen phone from iCloud? If the lock code is known - no problem at all; iCloud password changes in a few seconds, and the old password from Apple ID is not needed. Two-factor authentication? Great, be sure to turn it on! But if the lock code is known, the whole device becomes the second factor. I humbly mention such things as the user’s password database in iCloud, his SMS and iMessage messages, as well as the Health data that our programs can decrypt using the lock code (if necessary, first resetting the password from the “cloud” using the same single lock code).

Knowing the iPhone lock code can do a number of amazing things; the country should know its heroes, and I will write about it in detail. Not surprisingly, the last remaining line of defense - in fact, the screen lock code - at Apple is being guarded like the apple of an eye. For several years in a row, the default lock code length is not 4, but 6 digits. Secure Element, the hardware component of the Secure Enclave security subsystem, with varying success limits the speed of search. So, for the iPhone just turned on (or rebooted), the search speed will be slow; we were called digits of the order of 19 years for a complete search of the password space. (However, no one breaks the 6-digit lock code with frontal attacks; dictionaries are used in which the lock codes are sorted by frequency of use).

Data Retrieval Protection

It would seem that a lock code of 6 digits and 19 years of busting is already not bad. However, progress does not stand still, and there are already at least two solutions on the market (the development of Cellebrite and GrayShift companies for the police and special services) that can significantly speed up the search in cases when the phone got into AFU (After First Unlock, that is, removed from the user in the on state, and the user unlocked the device at least once after a reboot). Moreover, for such devices (and this, we note, the vast majority of seized phones), such solutions also have a special mode in which part of the data (here I apologize in advance - without details) is retrieved even without the need to crack the lock code. Desperate to protect their devices from the vulnerabilities exploited by Cellebrite and GrayShift, Apple decided to take a desperate step that caused heated debate among all involved. This step is the introduction to iOS 11.4.1 (and further improvement in iOS 12) of the access restriction mode, or USB restricted mode.

USB access restriction

Since GrayKey and Cellebrite UFED (or CAS service) connect to the iPhone to transfer data via the Lightning port (which is exactly the case, they do not use any service or diagnostic ports), then let's just disable this port completely? No, we will allow him to charge (and even then not from any charge), but we’ll completely hack the possibility of data transfer! With the data transfer mode disabled, GrayKey and UFED will not even be able to see the iPhone, and even more so - to extract information from it!

So we came to the access restriction mode, or USB restricted mode. Both names are unofficial; Apple itself does not particularly highlight this mode. The article Using USB accessories with iOS 11.4.1 and later says the following:

In iOS 11.4.1 and later [...], you may need to unlock the device to recognize and use the accessory later. The accessory will remain connected, even if the device is subsequently blocked. If you do not first unlock the password-protected iOS device (or unlock and connect it to a USB accessory within the last hour), the iOS device will not interact with the accessory or computer, and in some cases it may not charge. A notification may also appear that the device must be unlocked to use accessories.

The following describes the steps in order to disable this feature (by default - active).

You can make your iOS device always have access to USB accessories. [...] On many auxiliary devices, a parameter is automatically turned on, which provides access to USB devices on the first connection. (I’ll clarify: there’s a clear inaccuracy of the translation. The original article in English uses the wording “Many assistive devices will automatically turn on the setting to allow USB devices the first time they're connected”, that is, “many universal access devices can automatically turn on this setting. ”On the devices themselves, as follows from the Russian text of Apple, in fact, nothing is turned on).

If you do not connect to USB accessories regularly, you may need to enable this option manually.

In the Settings menu, select “Face ID and Password Code” or “Touch ID and Password Code” and enable access to USB accessories in the “Lock Screen Access” section.

If access to USB accessories is disabled [...], you may need to unlock your iOS device to connect to USB accessories.

Please note: the access restriction mode is activated when the USB Accessories switch is turned off.

By the way, the access restriction mode of accessories is instantly activated even when the user activates SOS mode on the phone, for which, depending on the model, you need to press the screen power button several times (3 or 5 depending on the market), or hold down the button turn on the screen and any of the volume control buttons.

What does this mode do? In the mode of restricting access to accessories, the iPhone or iPad completely disables any data exchange through the Lightning port built into the device. The only thing that remains available is charging (in practice, even it is not always). From the point of view of a computer or other device to which the iPhone will be connected in protective mode, the phone will not be any different from an external battery.

How it works? On a philistine level - fine. Forget about iOS 11.4.1, after all, this version of the system has been around for more than a year. In current versions of iOS (starting with iOS 12) access to accessories is blocked at the very moment when the user locks the screen of the iPhone. There are exceptions; for example, if you occasionally connect the phone to a computer or other “digital” accessories (the 3.5mm headphone adapter is not “considered”, more on that below), then the protective mode will not be activated immediately after the screen is locked, but after an hour.

If you try to connect a locked iPhone to a computer, the computer will not see anything: even basic information about the device (such as model, serial number and iOS version) is not available. A pop-up notification will appear on the device itself, offering to unlock the iPhone to use the accessory.

Theoretically, the protective mode is quite reliable: the phone will still refuse to communicate with the computer, even if it is rebooted. If you put the iPhone in Recovery or DFU mode, it becomes available from the computer - but it is not possible to enumerate passwords in these modes. You can even fill in the latest firmware (we did it), but upon subsequent loading into the system, the port is deactivated again. In other words, at the philistine level, protection works.

And not at the philistine level? We know of two solutions whose developers allegedly were able to circumvent the defense. These are Cellebrite (a UFED Premium offline solution and CAS service) and GrayShift (a grayKey hardware solution). Under certain conditions (conditions were not disclosed), both manufacturers are able to connect to the iPhone with a "blocked" port and carry out an attack on the lock code (and in some cases, extract some information without the lock code).

Thus, Apple managed to achieve its goal only partially. Yes, the iPhone is a little safer. Neither an accidental cracker, nor even craftsmen from criminal gangs hunting for stolen iPhones, can bypass this protection. But the police and special services have chances, and are pretty good.

Access Limit Vulnerabilities

I’ll make a reservation right away: I don’t know (I can’t “tell”, but really are unknown) the vulnerabilities that Cellebrite and GrayShift use to bypass the protection of restrictions. I can only make assumptions from information obtained from public sources. The first assumption is a vulnerability in the Lightning protocol. Remember, I mentioned the adapter from the Lightning connector to the 3.5mm headphone output? It is this adapter that does not obey the general rules: its connection does not reset the protection mode activation timer, and if the protective mode has already turned on, you can connect and use this adapter without unlocking the iPhone.

Meanwhile, unlike many similar USB Type C adapters that use USB Alt Mode to transmit an analog signal, this adapter is a full-fledged digital device with a built-in DAC chip . That is, even in the "protective" mode, the iPhone still transmits some data through a seemingly tightly blocked port. But what if our device “pretends” to be an adapter for activating the port, and then it goes along the chain of vulnerabilities? This is just an assumption, but the option seems quite plausible.

The second assumption is again the Lightning vulnerability, but somewhat on the other hand. Recently, it turned out that another Apple adapter, the Lightning to HDMI adapter, is actually a computer with a built-in Secure Boot and Darwin core . Moreover, this adapter does not have its own firmware; firmware is downloaded to it from the iPhone every time a user connects an adapter. In this case, the firmware is not signed with a unique identifier, the digital signature is static. It is unlikely that the vulnerability was found in this adapter, but the idea seems quite promising.

Finally, there are also “universal access” devices that can be used by the visually impaired, people with impaired fine motor skills and other categories of users who need special devices to communicate with the iPhone. This category of devices has a special status; according to Apple documentation, their use leads to deactivation of access restrictions to accessories. You can try to imagine an attack in which our device will first appear as an adapter to 3.5mm (data exchange has gone), after which it will be an accessory for people with fine motor impairments (in other words, an external keyboard).

Why do I think the vulnerability lies in the Lightning protocol? On the black market, you can find both “engineering” models of different versions of the iPhone, in which part of the protection hardware is deactivated, as well as some special cables that provide additional functions. This was a detailed article in English ; Here is a Russian-language article referring to it. And here they posted a photo of a special engineering cable - alas, without details. Plus details about Lightning in general can be found here .

Is there any benefit of restricting access to accessories?

How useful is the access restriction mode? After all, can both Cellebrite and GrayShift get around it? Here I want to pay attention to two things. Firstly, few people know exactly how, in which cases and for which particular combinations of hardware and iOS versions the two companies mentioned can bypass the protective mode. Information is issued by companies in a strictly dosed, strictly confidential and exclusively to users of their products after signing a non-disclosure agreement. Secondly, the users of the products of both companies are exclusively law enforcement agencies and special services of a number of countries, among which Russia is not currently included. Thus, nothing personally threatens your data and your device on the territory of Russia: other similar solutions simply do not exist now.

Thus, using this mode (it is activated automatically for all users and remains active if you yourself or any of the universal access accessories doesn’t turn it off), you can get an additional degree of protection against both password cracking and data leakage right away after screen lock. However, even if you connected your iPhone to a computer or adapter within the last three days, data transfer will still be blocked for an hour.

Related links:


All Articles