As we wrote back in May, Apple is toying with the idea of restricting USB access to iOS devices that have not been unlocked for a certain period of time. At the time of publication, our article received a lot of controversial reports. When this mode did not make it into the final build of iOS 11.4, we enjoyed a flow of sarcastic comments from journalists and the makers of passcode cracking toolkits. Well, there we have it: Apple is back on track with iOS 11.4.1 beta including the new, improved and user-configurable USB Restricted Mode.
What’s It All About?
The USB Restricted Mode first made its appearance in iOS 11.3 beta. The idea behind this mode is well covered in our previous article, “iOS 11.4 to Disable USB Port After 7 Days: What It Means for Mobile Forensics”. At the time of 11.3 beta, the feature had the following description:
“To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked – or enter your device passcode while connected – at least once a week.”
The idea behind USB Restricted Mode was pretty ingenious. The feature appeared to be directly targeting passcode cracking solutions such as those made by Cellebrite and GrayShift. The device running iOS 11.3 beta would disable the USB data connection over the Lightning port one week after the device was last unlocked. The feature was not user-configurable, but it could be disabled via corporate policies and device management solutions.
Apparently, the feature did not make it into the final release of iOS 11.3. While we had reasons to believe it would be included with iOS 11.4, Apple skipped it in iOS 11.4, replacing it instead with a toned-down version that would require unlocking the iOS device after 24 hours in order for it to communicate with a USB accessory. While this toned-down feature would complicate the work of forensic experts by effectively disabling logical acquisition with lockdown records, it had zero effect on passcode cracking solutions such as those offered by Cellebrite and GrayShift.
The “proper” USB Restricted Mode, the one that would completely shut down all data communications between the iOS device and the computer, was still missing in iOS 11.4, only to reappear – in a much refined form – in iOS 11.4.1 beta.
USB Restricted Mode to Optionally Disable USB Port after Just One Hour
Our May publication made a lot of noise. Some users were excited to receive this additional level of protection, many asking for the feature to be even more restrictive, and most prompting for the feature to become user selectable.
Here’s one example:
Apple Insider: Apple’s iOS 11.4 update with ‘USB Restricted Mode’ may defeat tools like GrayKey
“Can they go a step further and have a toggle that prevents any data connection via USB?” asks one of the readers in the comments. “I’m not a power user, but I can’t remember the last time I connected my phone to anything to transfer data. Everything is cloud based (backup, sync, etc), AirDrop, or just email/imessaged as far as I know.”
It seems that someone at Apple does read such publications, and does care about users’ voices (kudos to them if this is true). Without much fuss (“Bug fixes and improvements” is all that’s mentioned in iOS 11.4 Release Notes), Apple introduces a major new security feature.
Say hello to the new and improved USB Restricted Mode.
Once the user toggles the “USB Accessories” switch, the iPhone will require you to “Unlock iPhone to allow USB accessories to connect when it has been more than an hour since your iPhone was locked”.
This is what happens if you activate the feature, wait for an hour and try connecting your iPhone to the computer:
How do we know this is the “proper” USB Restricted Mode this time? Because, unlike before, there is zero data communicated over the USB port once this feature kicks in. iTunes does not see the device at all; no “unlock this device to access” and no pairing request. The iPhone just charges off the computer’s USB port, transmitting no information. We have not been able to access even the basic information about the device using the Elcomsoft iOS Forensic Toolkit I(nfo) command, the very same command that returns identification information about an iOS device even if it has never been paired with the computer.
The End of Forensic Use of Lockdown Records?
The police were frequently using lockdown records extracted from suspects’ computers to access the content of locked devices and produce iTunes-style backups; all that without knowing the passcode or unlocking the phone with Touch ID/Face ID. The toned-down version of USB Restricted Mode that was included in previous versions of iOS already put a limit of only 24 hours, after which the iPhone would have to be unlocked (24-48 hours: with Touch ID/Face ID or passcode; after 48 hours: passcode only) in order to make use of the existing lockdown record.
The new USB Restricted Mode puts significantly more severe limitations in place. Not only will the experts have an extremely small window of opportunity of just one hour, but they may lose the ability to do just about anything with the device once it shuts down the USB port – including the ability to run a password cracking tool.
The End of Forensic Unlocks?
Will this really be it? Will the new USB Restricted Mode really prevent tools such as Cellebrite and GrayShift from breaking passcodes on devices running iOS 11.4.1 (beta)? At this time, we have no idea. But it certainly looks like this was what Apple planned all along.
A Workaround?
As was the case in iOS 11.3 beta, the clock starts ticking after the device is locked or after the device is disconnected from a trusted (paired) computer or USB accessory (we were able to positively verify the latter by running a simple test). In order to keep the USB port unlocked, the police would have to connect the iPhone to a trusted device during the first hour, and keep it connected at all times before they have a chance to attempt acquisition.
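The timer behaviour described above can be written down as a small state model. This Python sketch is an added illustration, not Apple's implementation or code from the original article; the event names, the function `port_state`, and the rule that the countdown is paused while a trusted accessory stays attached are assumptions drawn from the article's description, and the timelines are constructed.

```python
USB_WINDOW_S = 3600  # "more than an hour", as quoted in the article


def port_state(events, now, window=USB_WINDOW_S):
    """Return "data" or "charge_only" for the Lightning port at time `now`.

    events: time-ordered (t_seconds, kind) tuples; kind is one of "lock",
    "unlock", "attach_trusted", "detach" (names are this sketch's own).
    """
    locked = False
    trusted_attached = False
    clock_start = None   # when the one-hour countdown began, if running
    restricted = False

    def expire(t):
        # Once the countdown has run past the window, data stays off
        # until the next unlock.
        nonlocal restricted
        if clock_start is not None and t - clock_start > window:
            restricted = True

    for t, kind in events:
        if t > now:
            break
        expire(t)
        if kind == "unlock":
            locked, restricted, clock_start = False, False, None
        elif kind == "lock":
            locked = True
            if not trusted_attached:
                clock_start = t          # clock starts at lock
        elif kind == "attach_trusted":
            if not restricted:           # too late once restricted
                trusted_attached = True
                clock_start = None       # assumed: paused while attached
        elif kind == "detach":
            if trusted_attached:
                trusted_attached = False
                if locked:
                    clock_start = t      # clock restarts at disconnect
        else:
            raise ValueError(f"unknown event kind: {kind}")
    expire(now)
    return "charge_only" if restricted else "data"


# Constructed timelines (seconds since the device was locked).
KEPT_ATTACHED = [(0, "lock"), (1800, "attach_trusted")]
ATTACHED_LATE = [(0, "lock"), (4000, "attach_trusted")]
DETACHED = [(0, "lock"), (1800, "attach_trusted"), (7200, "detach")]
```
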
Conclusion
The exact effect of USB Restricted Mode on the forensic community remains to be seen. While we currently don’t know how (or if) the new mode will affect unlocking efforts performed by Cellebrite and GrayShift, one thing is for sure: lockdown records will lose much of their forensic appeal due to their severely restricted lifespan. It is still too early to say if this option will make it into the final release of iOS 11.4.1, and how exactly it will work if it gets included.