{"id":15786,"date":"2018-07-13T16:44:15","date_gmt":"2018-07-13T23:44:15","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=15786"},"modified":"2018-07-13T16:48:25","modified_gmt":"2018-07-13T23:48:25","slug":"sb-usb-protected-mode","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2018\/07\/sb-usb-protected-mode\/","title":{"rendered":"Security Bits \u2013 USB Protected Mode, Exactis Breach"},"content":{"rendered":"<h3>Followups<\/h3>\n<ul>\n<li>&#x1f1ea;&#x1f1fa; EU Copyright Directive:\n<ul>\n<li><a href=\"https:\/\/www.bbc.com\/news\/world-europe-44696302\">Italy Wikipedia shuts down in protest at EU copyright law \u2014 www.bbc.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/07\/09\/copyright-directive-legislation-voted-down-by-european-parliament\/\">Copyright Directive legislation voted down by European Parliament \u2014 nakedsecurity.sophos.com\/\u2026<\/a> (This is not the end of this legislation, but it is a significant setback.)<\/li>\n<\/ul>\n<\/li>\n<li>Spectre\/Meltdown\n<ul>\n<li>Another variant has been discovered, but it&#8217;s similar enough to previous ones that the existing mitigations seem to cover it \u2014 <a href=\"https:\/\/arstechnica.com\/?p=1341201\">arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><!--more--><\/p>\n<h3>Security Medium \u2014 USB Protected Mode<\/h3>\n<p>USB Protected mode has made an appearance in a number of iOS betas, but had never made it into a final release until iOS 11.4.1 was released this week.<\/p>\n<p>What this feature does is put the Lightning\/USB port on iOS devices into a charge-only mode opportunistically. USB cables\/ports have two distinct sets of cables\/connectors, a pair for sending data, and a pair for sending power. Normally a lightning port passes both USB power and USB data. 
In USB restricted mode the data connectors are disabled, so it becomes as if the cable being used is a charge-only cable.<\/p>\n<p>Most of the time, most users only use their lightning port to charge their devices, so Apple saw an opportunity to add some additional security without inconveniencing users. Whenever it&#8217;s clear that USB data is not needed by the user, the OS has an opportunity to harden itself a little by locking the port down.<\/p>\n<p><em>Opportunistic<\/em> is the key word here \u2014 the idea is to add security only in situations where users won&#8217;t be inconvenienced. The idea is not to provide an absolute security control, but to make more users more secure more of the time than they were before. Just like a seatbelt that saves many lives is a great safety feature even if it doesn&#8217;t save all lives.<\/p>\n<p>How does it work? If you leave the feature enabled, then each time your iOS device locks, a 1-hour timer starts to count down. If you plug a device into your lightning port that uses USB data, the timer stops. If the timer makes it down to zero, USB data is disabled until the next time you unlock your device.<\/p>\n<p>Stopping the counter when USB data is used is vital to this feature&#8217;s un-intrusiveness. Imagine if Apple had not gone the opportunistic route and opted for an absolute security control instead \u2014 after an hour, BAM, USB is disabled. What effect would that have?<\/p>\n<p>Firstly, lightning headphones would stop working after an hour \u2014 that in itself would be so catastrophic the feature could never fly!<\/p>\n<p>Secondly, data transfers using the card reader adaptor would fail after an hour. 
Imagine not being able to just leave your iPad transferring photos without having to worry about the port killing itself while in use?<\/p>\n<p>This is why USB Protected mode only kicks in if the USB data pins have not been used within the first hour of the phone being locked.<\/p>\n<p>USB protected mode is not purely opportunistic though \u2014 you can explicitly trigger it by enabling SOS mode (by tapping the lock button 5 times in quick succession).<\/p>\n<p>So what&#8217;s this <em>bypass<\/em> the media are prattling on about? They are describing the expected and sane behaviour of this feature as a <em>bypass<\/em>, which is just nuts IMO. If you get your hands on an iOS device that is not in USB restricted mode, and if you plug a device that uses USB data into it, then USB restricted mode will not activate. That&#8217;s not a bypass, that&#8217;s how it&#8217;s supposed to work!<\/p>\n<p>What would be a <em>bypass<\/em> would be a way of disabling USB restricted mode without either unlocking the device via the password or biometrics, or factory restoring the device (which destroys all the data contained on the device). Ironically, the report from Elcomsoft that so much of the media are using as their source for claiming a bypass actually says that they were unable to get a device that is in restricted mode out of restricted mode without unlocking the phone or wiping it completely. In other words, the report used to support the bypass actually says they couldn&#8217;t find a bypass! 
Elcomsoft are not innocent though, their spin and headline are pure click-bait too!<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/www.theverge.com\/2018\/7\/9\/17549538\/apple-ios-11-4-1-blocks-police-passcode-cracking-tools\">Apple releases iOS 11.4.1 and blocks passcode cracking tools used by police \u2014 www.theverge.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/how-use-usb-restricted-mode-your-iphone-or-ipad\">How to use USB Restricted Mode on your iPhone or iPad \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/usb-restricted-mode-fud-and-how-avoid-it\">USB Restricted Mode FUD and how to avoid it \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>The Elcomsoft report on their experiments with USB Restricted Mode \u2014 <a href=\"https:\/\/blog.elcomsoft.com\/2018\/07\/this-9-device-can-defeat-ios-usb-restricted-mode\/\">blog.elcomsoft.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable Security Updates<\/h3>\n<ul>\n<li>Patch Tuesday has been and gone with the usual updates from Microsoft and Adobe \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2018\/07\/patch-tuesday-july-2018-edition\/\">krebsonsecurity.com\/\u2026<\/a>\n<ul>\n<li>The Adobe patch for Flash is particularly important to get installed ASAP \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/07\/11\/update-flash-and-adobe-acrobat-now\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/product-news\/apple-wi-fi-update-for-boot-camp-6-4-0\/\">Apple Releases Wi-Fi Update for Boot Camp 6.4.0, Can Be Updated Through Windows \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/tidbits.com\/2018\/07\/09\/apple-releases-ios-11-4-1-tvos-11-4-1-and-watchos-4-3-2\/\">Apple Releases iOS 11.4.1, tvOS 11.4.1, and watchOS 4.3.2 \u2014 tidbits.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable News<\/h3>\n<ul>\n<li>Three packages in the Arch Linux software repository were poisoned with 
malware. The packages are not part of the core OS, but they are published through official Arch Linux channels. Unlike Gentoo, Arch&#8217;s response leaves a lot to be desired; the best they&#8217;ve had to offer so far is snark \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/07\/11\/another-linux-distro-poisoned-with-malware\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>A report from the NYT details how <em>Samba Interactive TV<\/em> (a service built into TVs from many manufacturers including Sony, Sharp, Magnavox, Toshiba &amp; Philips) uses network sniffing to track people as they move from place to place. The company say 90% of users opt in to the service which is presented as a way to get show recommendations and special offers \u2014 <a href=\"https:\/\/www.nytimes.com\/2018\/07\/05\/business\/media\/tv-viewer-tracking.html\">www.nytimes.com\/\u2026<\/a>, <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/07\/09\/smart-tvs-are-spying-on-you-through-your-phone\/\">nakedsecurity.sophos.com\/\u2026<\/a> &amp; <a href=\"https:\/\/tidbits.com\/2018\/07\/10\/your-smart-tv-could-be-tracking-everything-you-watch\/\">tidbits.com\/\u2026<\/a><\/li>\n<li>Some Samsung phones have been hit by a bizarre bug that sends a user&#8217;s photos to seemingly random people in their contacts without permission \u2014 <a href=\"https:\/\/mashable.com\/2018\/07\/02\/samsung-text-photo-glitch\/\">mashable.com\/\u2026<\/a><\/li>\n<li>Google have quietly pushed out a new security feature in Chrome that keeps tabs at different domains in separate processes to help stop data leaking between sites through vulnerabilities that can be remotely triggered like some Spectre\/Meltdown variants \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-enables-site-isolation-feature-for-99-percent-of-chrome-desktop-users\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; WIRED are reporting that the US government secretly sold boobytrapped 
<em>spy phones<\/em> to suspects, and they may not have had appropriate wiretapping warrants before doing so \u2014 <a href=\"https:\/\/www.wired.com\/story\/us-government-sold-spy-phones-to-suspects\/\">www.wired.com\/\u2026<\/a><\/li>\n<li>A timely warning \u2014 security researchers from the University of Hertfordshire bought 100 second-hand SD cards to see how many would contain sensitive personal data, the answer? Two thirds of them! \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/07\/09\/what-sensitive-data-is-lurking-on-your-old-sd-card\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Suggested Reading<\/h3>\n<ul>\n<li>PSAs, Tips &amp; Advice\n<ul>\n<li>Beware of a novel new use for leaked passwords \u2014 more convincing extortion scams! Extortionists are actively using username &amp; password combinations from password breaches to add apparent legitimacy to extortion letters claiming to have webcam video of the victim watching pornography on their device. It&#8217;s a scam, don&#8217;t hand over any bitcoins! \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/07\/13\/sextortion-scam-knows-your-password-but-dont-fall-for-it\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>(iOS) <a href=\"https:\/\/www.imore.com\/health-records-api-everything-you-need-know\">Health Records: Everything you need to know! 
\u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable Breaches &amp; Privacy Violations\n<ul>\n<li>By publishing too much info without enough anonymization the Polar fitness tracking app made it possible for reporters to de-anonymize the data and find the real names of people whose real names really shouldn&#8217;t be findable including military personnel \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/07\/10\/privates-on-parade-fitness-tracker-app-reveals-sensitive-user-details\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/07\/03\/typeform-data-breach-hits-thousands-of-survey-accounts\/\">Typeform data breach hits thousands of survey accounts \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/timehop-breach\/\">Timehop Breach Exposes Millions of Phone Numbers \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.wired.com\/story\/exactis-database-leak-340-million-records\/\">Marketing Firm Exactis Leaked a Personal Info Database with 340M Records \u2014 www.wired.com\/\u2026<\/a>\n<ul>\n<li>Megan Morrone interviews Troia on Tech News Weekly (at 41:02) <a href=\"https:\/\/twit.tv\/shows\/tech-news-weekly\/episodes\/39?autostart=false\" target=\"_blank\" rel=\"noopener\">twit.tv\/&#8230;<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.imore.com\/thousands-android-and-ios-apps-are-leaking-your-data-through-their-firebase-backend\">Thousands of iOS and Android apps are leaking your data through their Firebase backend \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/07\/02\/second-former-equifax-staffer-charged-with-insider-trading\/\">Second former Equifax staffer charged with insider trading \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>ExxonMobil bungles the launch of their latest rewards program and accidentally directs customers to a page 
pushing crapware and premium rate phone numbers \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2018\/07\/exxonmobil-bungles-rewards-card-debut\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>News\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/07\/03\/facebook-gave-certain-companies-special-access-to-customer-data\/\">Facebook gave certain companies special access to customer data \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1e9;&#x1f1ea; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/07\/13\/facebook-ordered-to-let-grieving-mother-in-to-dead-daughters-account\/\">Facebook ordered to let grieving mother in to dead daughter\u2019s account \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/07\/11\/apple-and-google-questioned-by-congress-over-user-tracking\/\">Apple and Google questioned by Congress over user tracking \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Security researchers have released a tool for scrubbing the invisible metadata many printers add into the documents they print. 
This could be a big help for whistleblowers \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/07\/03\/tool-scrubs-hidden-tracking-data-from-printed-documents\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/07\/12\/default-router-password-leads-to-spilled-military-secrets\/\">Default router password leads to spilled military secrets \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Opinion &amp; Analysis\n<ul>\n<li><a href=\"https:\/\/www.bbc.com\/news\/technology-44640959\">Social media apps are &#8216;deliberately&#8217; addictive to users \u2014 www.bbc.com\/\u2026<\/a><\/li>\n<li>The WSJ highlight some of the ways many developers abuse the access users give them to their email accounts \u2014 <a href=\"https:\/\/www.wsj.com\/articles\/techs-dirty-secret-the-app-developers-sifting-through-your-gmail-1530544442\">www.wsj.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/07\/10\/why-the-airplane-romance-that-went-viral-should-worry-everyone\/\">Why the airplane romance that went viral should worry everyone \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Followups &#x1f1ea;&#x1f1fa; EU Copyright Directive: Italy Wikipedia shuts down in protest at EU copyright law \u2014 www.bbc.com\/\u2026 Copyright Directive legislation voted down by European Parliament \u2014 nakedsecurity.sophos.com\/\u2026 (This is not the end of this legislation, but it is a significant setback.) 
Spectre\/Meltdown Another variant has been discovered, but it&#8217;s similar enough to previous ones that [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":14958,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[1664,50,569,2081,2673],"class_list":["post-15786","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-bart","tag-security","tag-security-bits","tag-spectre","tag-usb-protected-mode"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2018\/04\/Security-Bits-Logo_1000px.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/15786","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=15786"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/15786\/revisions"}],"predecessor-version":[{"id":15788,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/15786\/revisions\/15788"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/14958"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=15786"}],"wp:term":[{"taxonomy":"category","embedda
ble":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=15786"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=15786"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}