It Looks Like Apple's Tool That Stops Police From Hacking Your iPhone Isn't Coming to iOS 11.4

By Rhett Jones on at

Security researchers at a password-recovery firm claimed to have found an encryption feature in the beta of iOS 11.4 that would definitely make your device more secure and might even prevent authorities to use the cracking tools that have cropped up recently. Sadly, it appears the tool will not be included in the final release, as was previously reported—and it may have never been there at all.

The fifth beta for iOS 11.4 is out now for developers and public testers, but the full release notes contain no mention of the “USB Restricted Mode” that the team at mobile forensics firm Elcomsoft previously claimed was included in the beta. Gizmodo has repeatedly requested confirmation from Apple about the feature over the last week, but our messages have received no reply.

While Apple continues to fight back against authorities’ tiresome demands for an encryption backdoor, at least two services, GrayKey and Cellebrite, have begun offering expensive solutions for law enforcement to break into locked iPhones. No one seems to be certain how these services work, but Apple’s new feature is believed to be an effort to sideline their effectiveness.

USB Restricted Mode first appeared in the beta for iOS 11.3 and it was mentioned in the accompanying changelog before it was excluded from the final release. The security measure is intended to block access to the lightning port on an iPhone in the event that it hasn’t been connected to a USB device and unlocked for more than seven days. The port will also be disabled until the passcode is entered if the device is powered down.

Elcomsoft explained the abuse this feature is intended to prevent:

Before iOS 11, one could use an existing lockdown record to access the iPhone or iPad device for the purpose of creating a new local backup (logical acquisition). Essentially, this is exactly how experts perform logical acquisition in the vast majority of cases of iPhone and iPad devices that are locked with an unknown passcode. The lockdown record (a small file extracted from the suspect’s computer) allows accessing essential information about the device and initiating the backup sequence without the passcode.

In addition to iTunes-style backups, the lockdown record could be used for pulling media files (pictures and videos), list installed apps, and access general information about the device.

A photo of a GrayKey device provided by security firm MalwareBytes.

With USB Restricted Mode, lockdown records would receive new limitations. Previously, the lockdown records didn’t expire but weren’t as useful for an attacker if the phone went through its power cycle or was rebooted. In iOS 11, Apple introduced a seven-day time limit on how long the records last. USB Restricted Mode goes further and prevents you from connecting to any USB device or using an existing lockdown record. As mentioned, after seven days, you’ll have to use the passcode to unlock the device.

After Elcomsoft’s report spread across the internet, CyberScoop pointed out that there didn’t appear to be any mention of the feature in Apple’s public notes for the iOS 11.4 beta 4 release and asked Elcomsoft for more information. Vladimir Katalov, the firm’s CEO, appeared to admit that his team had not, in fact, confirmed the feature’s presence in the version four of iOS 11.4 beta. Katalov told Cyberscoop that he was relying on information that came from the people behind Cellebrite and GrayShift as well as their users. “Sometimes we even have to be provocative a little bit, because that seems to be the only way to get a public response from Apple,” he added.

Following the CyberScoop report, Elcomsoft seemed to imply on a computer forensics subreddit that the author was confused and insisted that USB Restricted Mode is present in iOS 11.4 but “in a bit softer mode.” But on Friday, the firm published a new blog post about Apple’s race to beat encryption workarounds, and it stated that “it is still in question whether this feature will be available in new iOS version or not; it seems it is not ready yet and may be delayed till iOS 12.” Elcomsoft hasn’t responded to any of Gizmodo’s questions about its claims.

At this point, it appears that Elcomsoft is feeling around in the dark here, and throwing out some claims to get Apple to make a statement. For its part, Apple is sticking with its usual strategy of making no comment on unfinished products. And everyone should understand that until further notice, this nice little feature won’t be in the next iOS release. [Elmcsoft (cache) via VentureBeat]