Yesterday, Apple released iOS 11.4.1 with USB Restricted Mode. The feature is aimed at rendering useless the third-party boxes that try to brute-force their way into a locked iPhone. Once the feature is enabled, an iPhone becomes inaccessible to any third-party software over USB after its screen has been locked for one hour.
However, there seems to be a loophole in Apple's implementation, as discovered by ElcomSoft. They do praise the feature, saying that once it is engaged there is no way to break past it: the restriction persists through reboots and even while trying to restore an iPhone from a firmware file via Recovery mode.
The trick is instead to prevent USB Restricted Mode from engaging in the first place. This can be done by plugging any USB accessory into the iPhone's Lightning port. Even when one plugs in a new USB accessory that has never been paired with the iPhone, the USB Restricted Mode timer will reset itself. Any USB accessory that connects to an iPhone over the Lightning port works, including Apple's own Lightning to USB 3 Camera Adapter, which is available for $39.
What we discovered is that iOS will reset the USB Restrictive Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been paired to the iPhone before (well, in fact the accessories do not require pairing at all). In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour. Importantly, this only helps if the iPhone has still not entered USB Restricted Mode.
ElcomSoft has ordered other non-original USB accessories for the iPhone to see if they can also be used to reset the USB Restricted Mode timer. As the company says though, it is likely an oversight from Apple which will perhaps be fixed in a future point release of iOS 11.4 or when iOS 12 releases later this year.