Apple Is Testing a Feature That Could Kill Police iPhone Unlockers

Apple’s new security feature, USB Restricted Mode, is in the iOS 12 Beta, and it could kill the popular iPhone unlocking tools for cops made by Cellebrite and GrayShift.

Image: Xavier Lalanne-Tauzia

This is part of an ongoing Motherboard series on the proliferation of phone cracking technology, the people behind it, and who is buying it.

On Monday, at its Worldwide Developers Conference, Apple teased the upcoming release of the iPhone’s operating system, iOS 12. Among its most anticipated features are group FaceTime, Animoji, and a ruler app.

But iOS 12’s killer feature might be something that’s been rumored for a while and wasn’t discussed at Apple’s event. It’s called USB Restricted Mode, and Apple has been including it in some of the iOS beta releases since iOS 11.3.

The feature essentially forces users to unlock the iPhone with the passcode before it will talk to a USB accessory whenever the phone has not been unlocked for one hour. That includes the iPhone unlocking devices that companies such as Cellebrite or GrayShift make, which police departments all over the world use to hack into seized iPhones.

“That pretty much kills [GrayShift’s product] GrayKey and Cellebrite,” Ryan Duff, a security researcher who has studied the iPhone and is Director of Cyber Solutions at Point3 Security, told Motherboard in an online chat. “If it actually does what it says and doesn't let ANY type of data connection happen until it's unlocked, then yes. You can’t exploit the device if you can't communicate with it.”

The last two iOS beta releases, 11.4.1 beta and 12 beta, have USB Restricted Mode on by default. The feature is included in the Touch ID, Face ID and Passcode settings.

The one-hour time limit is a significant change from earlier tests, where the time limit was one week, according to several security researchers. This is significant because GrayShift had been advising its customers to simply make sure they unlocked the iPhone soon after obtaining it, according to documents reported by Motherboard earlier this year. That’s easy with a week-long limit, much harder with a time limit of just an hour.

“Unlock iPhone to allow USB accessories to connect when it has been more than an hour since your iPhone was locked,” reads an explainer in the settings.

In the 11.3 beta release notes, this is how Apple described the feature:

“To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked—or enter your device passcode while connected—at least once a week.”

Apple did not respond to a request for comment asking whether USB Restricted Mode will make it to the final release.

Until today, despite being in some of the betas, the feature had not made it into either 11.3 or 11.4, the latest public release of iOS.

“I think it's clear they want to include it but are just trying to figure out what the implications of it will be and are obviously taking their time to get it right,” Duff said. “It's a pretty radical security change and I'm sure they want to make sure it's the right move to make before pushing it. They definitely don't want the scandal of removing a security feature because of something they didn't anticipate.”

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzo@jabber.ccc.de, or email lorenzo@motherboard.tv

In April, when USB Restricted Mode was first introduced and it looked like it was going to end up in the public release of iOS 11.3, the makers of GrayKey, a relatively cheap tool to unlock iPhones that police departments all over the United States are buying, got worried.

“If a full seven days (168 hours) elapse [sic] since the last time iOS saved one of these events, the Lightning port is entirely disabled,” Thomas wrote in a blog post published in a customer-only portal, which Motherboard obtained at the time. “You cannot use it to sync or to connect to accessories. It is basically just a charging port at this point.”

An employee of GrayShift did not respond to a request for comment. A Cellebrite spokesperson did not respond to a voicemail requesting comment.
