Apple said an upcoming iOS software update will remove the infamous iPhone USB access feature, blocking out both hackers – and law enforcement – from accessing a locked phones’ data via the device port.
Apple confirmed that new upcoming default settings will disable the iPhone’s Lightning port, its charging and data port, an hour after the iPhone has been unlocked.
“At Apple, we put the customer at the center of everything we design,” an Apple spokesperson told Threatpost in an email. “We’re constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data.”
This means that users can still charge their phones, but will not be able to continue to transfer data to and from their device until they enter the passcode.
The move blocks off several devices (some of which have been used by federal law enforcement agencies) that have been designed to hack into iPhones via the Lightning port.
One such device, called the GrayKey box, has been known to unlock iPhones using the Lightning port to install software that cracks the passcode of an iOS device. Reports have found that several federal agencies – such as the FBI – have used the device, made by a company called Grayshift, to unlock up-to-date iPhones.
The move may also protect against Cellebrite’s UFED devices, forensic tools for iPhones and iPads that can reportedly unlock iOS devices.
“The fact is that this method of access presents a vulnerability, and Apple has made a calculated decision that they’ll see a better return on fixing that vulnerability than continuing to allow it to be exploited,” Tim Erlin, VP product management and strategy at Tripwire, said in an email to Threatpost.
In beta versions of iOS 11.4, Apple had first introduced a rudimentary version of the feature called USB Restricted Mode. This feature disabled USB access to the Lightning Connector after seven days.
In the case of USB Restricted Mode, the Apple spokesperson told Threatpost the company learned that possible vulnerabilities exist in how iOS handles USB devices, and thus commenced a thorough review of the code, improving the security of many pieces of the USB stack.
The Apple spokesperson said additional mitigation was added which would remove the USB as an attack surface when customers don’t need it, without negatively impacting the user experience.
Apple told Reuters it will be permanently available in a forthcoming OS release.
Apple’s Rocky Past With FBI
Apple has had a long bumpy history with federal law enforcement when it comes to unlocking iPhones.
That conflict escalated in 2016, when Apple refused to comply with an FBI request to unlock the iPhone of the San Bernardino gunman who killed 14 people in 2015.
Apple CEO Tim Cook at the time said in an open letter: “Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.”
When it comes to the new USB security measure, meanwhile, Apple said in a statement to Reuters that the move is directed toward hackers and bad actors instead of law enforcement.
“We have the greatest respect for law enforcement, and we don’t design our security improvements to frustrate their efforts to do their jobs,” the Apple spokesperson told Threatpost in an email.
Despite Apple’s assurances, the move may continue to sour the relationship between the phone giant and the government, experts say.
“This move shows that Apple is putting the consumer’s privacy first, at least in this instance,” Troy Kent, threat researcher at Awake Security, told Threatpost. “It’s better for the general consumer and also likely for organizations. Will it sour the relationship between Apple and the law enforcement in the future? I’m sure. But that doesn’t mean there won’t be another exploit out sometime soon that doesn’t require a USB connection.”
Erlin, for his part, said that law enforcement in the U.S. will certainly be impacted by this most recent move by Apple.
“This isn’t the first time that we’ve seen tension between Apple and law enforcement,” Erlin told Threatpost. “While Apple’s position is that addressing this vulnerability is for the benefit of customers in countries where there are fewer legal protections around seizing devices, there’s no doubt that it will impact law enforcement in the United States as well.”