
Security Bits – USB Protected Mode, Exactis Breach

Followups

Security Medium — USB Protected Mode

USB Restricted Mode (the feature this post calls USB Protected Mode) has made an appearance in a number of iOS betas, but it did not ship in a final release until iOS 11.4.1, which was released this week.

What this feature does is opportunistically put the Lightning port on iOS devices into a charge-only mode. A USB connection carries two distinct sets of wires: a pair for data and a pair for power. Normally a Lightning port passes both USB power and USB data. In USB Restricted Mode the data lines are disabled, so the port behaves as if a charge-only cable were plugged in.

Most of the time, most users use their Lightning port only to charge their devices, so Apple saw an opportunity to add some security without inconveniencing users. Whenever it is clear that the user does not need USB data, the OS can harden itself a little by locking the port down.

Opportunistic is the key word here: the idea is to add security only in situations where users won't be inconvenienced. The goal is not an absolute security control, but to make more users more secure more of the time than they were before, just as a seatbelt that saves many lives is a great safety feature even though it doesn't save all of them.

How does it work? If you leave the feature enabled, then each time your iOS device locks a one-hour timer starts counting down. If a device that uses USB data is plugged into the Lightning port before the timer expires, the timer stops. If the timer reaches zero, USB data is disabled until the next time you unlock your device with your passcode or biometrics.

Stopping the counter when USB data is in use is vital to this feature's unobtrusiveness. Imagine if Apple had not gone the opportunistic route and had opted for an absolute security control instead: after an hour, BAM, USB data is disabled, no matter what is plugged in. What effect would that have?

Firstly, Lightning headphones would stop working an hour after the phone was locked. That alone would be so catastrophic the feature could never fly!

Secondly, data transfers through the card reader adapter would fail after an hour. Imagine not being able to just leave your iPad transferring photos without worrying that the port would kill itself mid-transfer.

This is why USB Restricted Mode only kicks in if the USB data lines have not been used during the first hour after the device locks.

USB Restricted Mode is not purely opportunistic though: you can trigger it explicitly by activating Emergency SOS (on older iPhones by pressing the lock/side button five times in quick succession; newer models also offer holding the side button together with a volume button).

So what’s this bypass the media are prattling on about? They are describing the expected and sane behaviour of this feature as a bypass, which is just nuts IMO. If you get your hands on an iOS device that is not yet in USB Restricted Mode, and you plug in a device that uses USB data before the hour is up, then USB Restricted Mode will not activate while that device is attached. That’s not a bypass, that’s how it’s supposed to work!

A real bypass would be a way of disabling USB Restricted Mode without either unlocking the device (via the passcode or biometrics) or factory-restoring it (which destroys all the data on the device). Ironically, the Elcomsoft report that so much of the media are using as their source for the bypass claim actually says they were unable to get a device that is already in restricted mode out of it without unlocking the phone or wiping it completely. In other words, the report used to support the bypass claim says they couldn’t find one! Elcomsoft are not innocent though: their spin and headline are pure click-bait too.
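To make the countdown logic described above concrete, here is a small Python state machine that models the policy as this section describes it (the one-hour window, the countdown stopping while a data accessory is in use, Emergency SOS forcing the restriction immediately, and only a real unlock clearing it), and then runs the scenario the media called a "bypass" next to the one that shows what restricted mode actually blocks. This is an added example, not Apple's code or anything from the Elcomsoft report: the class and function names are made up, the 60-minute constant is taken from the post, and the assumption that unplugging an accessory restarts the countdown is mine, not something the post states.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: the countdown window is 60 minutes, as described in the post.
RESTRICT_AFTER_MIN = 60


@dataclass
class USBPortModel:
    """Toy model (not Apple's implementation) of one device's Lightning port
    under USB Restricted Mode. Times are minutes supplied by the caller so
    the scenarios are deterministic and run offline."""
    unlocked: bool = True                          # device currently unlocked
    data_enabled: bool = True                      # USB data lines are live
    countdown_started_at: Optional[float] = None   # None = no countdown running
    data_accessory_attached: bool = False
    log: List[str] = field(default_factory=list)

    def _note(self, now: float, msg: str) -> None:
        self.log.append(f"t={now:>5}: {msg}")

    def tick(self, now: float) -> bool:
        """Evaluate the countdown at `now`; return whether data is still enabled."""
        if (not self.unlocked and self.data_enabled
                and not self.data_accessory_attached
                and self.countdown_started_at is not None
                and now - self.countdown_started_at >= RESTRICT_AFTER_MIN):
            self.data_enabled = False
            self.countdown_started_at = None
            self._note(now, "countdown expired: USB data disabled (charge-only)")
        return self.data_enabled

    def lock(self, now: float) -> None:
        """Locking starts the countdown, unless a data accessory is already in use."""
        self.unlocked = False
        if not self.data_accessory_attached:
            self.countdown_started_at = now
            self._note(now, "device locked: countdown started")
        else:
            self._note(now, "device locked: countdown held (accessory attached)")

    def unlock(self, now: float) -> None:
        """A passcode/biometric unlock is the only thing that re-enables data."""
        self.unlocked = True
        self.data_enabled = True
        self.countdown_started_at = None
        self._note(now, "device unlocked: USB data re-enabled")

    def attach_data_accessory(self, now: float) -> bool:
        """Plug in something that uses the data lines (PC, card reader, headphones).
        Returns True if it gets a data connection, False if the port is charge-only."""
        still_open = self.tick(now)            # has the window already closed?
        self.data_accessory_attached = True
        if still_open:
            self.countdown_started_at = None   # data in use: countdown stops
            self._note(now, "data accessory attached: data link up, countdown stopped")
        else:
            self._note(now, "data accessory attached: charge-only, no data")
        return still_open

    def detach_accessory(self, now: float) -> None:
        """Assumption (not stated in the post): unplugging restarts the countdown
        if the device is locked and data is still enabled."""
        self.data_accessory_attached = False
        if not self.unlocked and self.data_enabled:
            self.countdown_started_at = now
        self._note(now, "accessory detached")

    def emergency_sos(self, now: float) -> None:
        """Emergency SOS restricts the port immediately, whatever the timer says."""
        self.unlocked = False
        self.data_enabled = False
        self.countdown_started_at = None
        self._note(now, "Emergency SOS: USB data disabled immediately")


def media_bypass_scenario() -> bool:
    """The 'bypass' as reported: accessory attached before the hour is up."""
    d = USBPortModel()
    d.lock(0)
    got_data = d.attach_data_accessory(30)    # inside the window: works by design
    return got_data and d.tick(24 * 60)       # still open a day later while attached


def too_late_scenario() -> bool:
    """Attached after the hour: power only, until someone actually unlocks."""
    d = USBPortModel()
    d.lock(0)
    got_data = d.attach_data_accessory(61)
    d.unlock(62)
    return (not got_data) and d.data_enabled


if __name__ == "__main__":
    print("media 'bypass' keeps data open:", media_bypass_scenario())
    print("late accessory gets charge only:", too_late_scenario())
```

The point the two scenarios make is the one the section argues: the reported "bypass" is just the countdown being held while an accessory is attached, which the design requires, whereas once the window has closed nothing short of `unlock()` turns the data lines back on.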

Links

Notable Security Updates

Notable News

  • Three packages in the Arch User Repository (AUR) were found to contain malware. The AUR is hosted by Arch Linux but is community-maintained, so the packages are neither part of the core OS nor vetted the way the official repositories are. Unlike Gentoo, Arch’s response leaves a lot to be desired; the best they’ve offered so far is snark — nakedsecurity.sophos.com/…
  • A report from the NYT details how Samba Interactive TV (a service built into TVs from many manufacturers including Sony, Sharp, Magnavox, Toshiba & Philips) uses network sniffing to track people as they move from place to place. The company say 90% of users opt in to the service which is presented as a way to get show recommendations and special offers — www.nytimes.com/…, nakedsecurity.sophos.com/… & tidbits.com/…
  • Some Samsung phones have been hit by a bizarre bug that sends a user’s photos to seemingly random people in their contacts without permission — mashable.com/…
  • Google have quietly pushed out a new security feature in Chrome, Site Isolation, that renders pages from different sites (including cross-site iframes within one tab) in separate processes, so that a vulnerability in one renderer, such as the remotely triggerable Spectre variants, cannot read another site’s data — www.bleepingcomputer.com/…
  • 🇺🇸 WIRED are reporting that the US government secretly sold boobytrapped spy phones to suspects, and they may not have had appropriate wiretapping warrants before doing so — www.wired.com/…
  • A timely warning — security researchers from the University of Hertfordshire bought 100 second hand SD cards to see how many would contain sensitive personal data, the answer? Two thirds of them! — nakedsecurity.sophos.com/…

Suggested Reading

3 thoughts on “Security Bits – USB Protected Mode, Exactis Breach”

  1. nexvan - July 17, 2018

    Very interesting

  2. jared - July 30, 2018

    Thanks for the information. I think I understand everything.

  3. Andrew - February 4, 2020

    This plate forum is a helpful overview of the particular topic and very actionable. Interesting approach!
