Apple has tried to make every possible feature to restrict unwanted access to their iPhones. The USB restricted mode is an example of this. However, technology is always prone to bugs, and so is Apple! Last week, they released iOS 11.4.1 with a lot of bug fixes. However, they also released an important bug too. Researchers at ElcomSoft have discovered an iOS security vulnerability that could bypass the USB restriction feature.
An Important iOS Security Vulnerability Accompanies iOS 11.4.1
With the release of iOS 11.4.1, Apple released patches for various bugs previously reported. This even includes a patch for the Taiwan iOS bug that crashed various iOS iPhones and iPads. The iOS 11.4.1 also gained much attention due to the USB Restricted Mode for enhanced security. However, researchers at ElcomSoft discovered a new iOS security vulnerability that could ditch the USB Restricted Mode.
In a blog post on July 9, 2018, Oleg Afonin explained how the newly discovered flaw ditched the iOS security feature. He wrote,
“What we discovered is that iOS will reset the USB Restrictive Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been paired to the iPhone before.”
It means anyone could easily prevent the USB Restricted Mode from activation. All one needs to do is to connect a lightning adapter or any USB accessory to a recently unlocked device. However, this feature won’t work if the device has passed one hour from the last unlock.
Is That Really A Glitch?
Apple’s latest security feature, USB Restricted Mode, has received much appreciation from its users. The feature was first rolled-out in iOS 12, which Apple later released in iOS 11.4.1 as well for its customers. As the name suggests, USB Restricted Mode restricts data transfer over USB linked devices. After unlocking an iPhone or iPad, one has to connect a USB accessory to the phone within one hour. Otherwise, the USB accessory won’t work if connected to the locked device.
As explained by Apple,
“Starting with iOS 11.4.1, if you use USB accessories with your iPhone, iPad, or iPod touch, or if you connect your device to a Mac or PC, you might need to unlock your device for it to recognize and use the accessory. Your accessory then remains connected, even if your device is subsequently locked. If you don’t first unlock your password-protected iOS device—or you haven’t unlocked and connected it to a USB accessory within the past hour—your iOS device won’t communicate with the accessory or computer, and in some cases, it might not charge.”
Although the description looks simple to understand, I noticed one tricky phrase while writing this article. Did you notice what Apple say?
“Your accessory then remains connected, even if your device is subsequently locked.”
I wonder if the bug appeared somewhere when Apple allowed the USB accessory to stay connected after the device autolocks again. Or, perhaps Apple left the glitch deliberately. We know Apple is concerned about the data security and privacy of its customers. Apple Safari’s stoppage of browser fingerprinting is one such example. So, maybe we could see a patch coming soon from Apple (only if it truly is an iOS security vulnerability).