As we wrote back in May, Apple is toying with the idea of restricting USB access to iOS devices that have not been unlocked for a certain period of time. At the time of publication, our article received a lot of controversial reports. When this mode did not make it into the final build of iOS 11.4, we enjoyed a flow of sarcastic comments from journalistsand the makers of passcode cracking toolkits. Well, there we have it: Apple is back on track with iOS 11.4.1 beta including the new, improved and user-configurable USB Restricted Mode.ios
如咱們5月一篇文章所提到的,Apple正在考慮在iOS設備鎖定一段時間以後,限制USB訪問。這個新聞發佈後,咱們的文章收到了不少有爭議的報道,隨着iOS 11.4最終發佈版本並未加入這個功能,咱們也收到了記者們以及密碼破解工具廠商們的諷刺性言論,固然,咱們此次要說:蘋果在iOS 11.4.1beta版中從新加入了改進後的、用戶可配置的USB限制模式。安全
The USB Restricted Mode first made its appearance in iOS 11.3 beta. The idea behind this mode is well covered in our previous article iOS 11.4 to Disable USB Port After 7 Days: What It Means for Mobile Forensics. At the time of 11.3 beta, the feature had the following description:app
USb限制模式最先出如今iOS 11.3beta中,設計這個模式的目的在咱們上一篇文章中進行了詳細介紹,在11.3beta版中這一功能的詳細描述以下:ide
「To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked – or enter your device passcode while connected – at least once a week.」工具
「爲了加強安全性,對於鎖定的iOS設備與USB配件之間的通訊,必須在解鎖狀態下鏈接,或者鏈接時輸入密碼——每週至少一次」測試
The idea behind USB Restricted Mode was pretty ingenious. The feature appeared to be directly targeting passcode cracking solutions such as those made by Cellerbrite and GrayShift. The device running iOS 11.3 beta would disable the USB data connection over the Lightning port one week after the device has been last unlocked. The feature was not user-configurable, but it could be disabled via corporate policies and device management solutions.ui
增長這個USB限制模式的想法確實巧妙,看起來是矛頭直指針對諸如Cellebrite和GrayShift所提供的密碼破解服務,運行iOS 11.3beta的設備自上次解鎖一週後將被禁止經過USB進行數據鏈接;這個功能用戶不能干預,但能夠經過企業策略或者設備管理服務進行禁用。this
Apparently, the feature did not make it into the final release iOS 11.3. While we had reasons to believe it would be included with iOS 11.4, Apple skipped it in iOS 11.4, replacing it instead with a toned-down version that would require unlocking the iOS device after 24 hours in order for it to communicate with a USB accessory. While this toned-down feature would complicate the work of forensic experts by effectively disabling logical acquisition with lockdown records, it had zero effect on passcode cracking solutions such as those offered by Cellebrite and GrayShift.idea
不過很顯然,這個功能最終沒有出如今iOS 11.3發佈版中,儘管咱們有理由相信它會集成於iOS 11.4,但Apple在iOS 11.4中也跳過了這個功能,取而代之的是一個在鎖定設備24小時之後須要輸入密碼才能進行USB通訊的低調版本;儘管這個低調的功能將會有效防止使用移植lockdown記錄進行邏輯取證,從而給取證人員的工做帶來更大難度,不過對於Cellebrite和GrayShift這樣的密碼破解服務來講卻沒有任何影響。spa
The 「proper」 USB Restricted Mode, the one that would completely shut down all data communications between the iOS device and the computer, was still missing in iOS 11.4. Only to reappear – in a much refined form – in iOS 11.4.1 beta.
在iOS 11.4中,「像樣的」、可以徹底禁止計算機和iOS設備之間通訊的USB限制模式,仍是沒有出現,只是在iOS 11.4.1beta中以一種更精巧的形式重現了。
Our May publication made a lot of noise. Some users were excited to receive this additional protection levels, many asking for the feature to be even more restrictive, and most prompting for the feature to become user selectable.
咱們5月份的文章引發了很大反響,有些用戶對於這種額外的保護感到興奮,許多人還但願有更嚴的保護功能,且更但願這個功能變爲用戶可選擇的。
Here’s one example: 好比下面這個例子
Apple Insider: Apple’s iOS 11.4 update with ‘USB Restricted Mode’ may defeat tools like GrayKey (Apple Insider:藉助着「USB限制模式」,iOS 11.4擊垮GrayKey等工具)
「Can they go a step further and have a toggle that prevents any data connection via USB?」 asks one of the readers in the comments. 「I’m not a power user, but I can’t remember the last time I connected my phone to anything to transfer data. Everything is cloud based (backup, sync, etc), AirDrop, or just email/imessaged as far as I know.」
「他們能不能再改進一點,增長一個切換功能,阻止全部USB鏈接?」評論中有讀者問道,「我不是高級用戶,可是我已經記不起上次鏈接電腦傳數據是何時了,據我所知如今都是基於雲(備份、同步等等),AirDrop或者電子郵件和iMessage來傳輸了。
It seems that someone in Apple does read such publications, and does care about user’s voices (kudos to them if this is true). Without much fuss (「Bug fixes and improvements」 is all that’s mentioned in iOS 11.4 Release Notes), Apple introduces a major new security feature.
看起來Apple公司確實有人在看這些網上評論,並且挺在意用戶的意見(若是此事屬實對他們有不是壞事),不譁衆取寵地說(「iOS 11.4的更新說明只說了是修復bug與一些改進),Apple這次推出了全新的重要安全功能。
Say hello to the new and improved USB Restricted Mode.
來看看全新改進後的USB限制模式
Once the user toggles the 「USB Accessories」 switch, the iPhone will require you to 「Unlock iPhone to allow USB accessories to connect when it has been more than an hour since your iPhone was locked」.
一旦用戶打開了「USB配件」選項,iPhone就會要求「當設備鎖定1小時後,解鎖iPhone以容許USB配件鏈接」。
This is what happens if you activate the feature, wait for an hour and try connecting your iPhone to the computer:
打開這個選項後,等待一小時後把iPhone鏈接電腦,顯示以下:
How do we know this is the 「proper」 USB Restricted Mode this time? Because, unlike before, there is zero data communicated over the USB port once this feature kicks in. iTunes does not see the device at all; no 「unlock this device to access」 and no pairing request. The iPhone just charges off the computer’s USB port, transmitting no information. We have not been able to access even the basic information about the device using the Elcomsoft iOS Forensic Toolkit I(nfo) command, the very same command that returns identification information about an iOS device even if it has never been paired with the computer.
你要問咱們怎麼判斷此次是「像樣的」USB限制模式?由於,與以往不一樣,此次開啓該功能之後USB接口徹底是零數據傳輸,iTunes徹底看不到設備,也沒有「解鎖設備已鏈接」的配對提示,iPhone只是單純的用電腦的USB接口充電,並沒有數據傳輸;經過Elcomsoft iOS Forensic Toolkit命令模式查看信息也看不到任何基本信息,(而以往)使用這個命令,即便iOS從未與電腦配對過,也能夠看到基本的身份信息。
The police were frequently using lockdown records extracted from suspects’ computers to access the content of locked devices and produce iTunes-styles backups; all that without knowing the passcode or unlocking the phone with Touch ID/Face ID. The toned-down version of USB Restricted Mode that was included in previous versions of iOS already put a limit of only 24 hours, after which the iPhone would have to be unlocked (24-48 hours: with Touch ID/Face ID or passcode; after 48 hours: passcode only) in order to make use of the existing lockdown record.
警方一般會使用從嫌疑人計算機中提取的Lockdown記錄來訪問鎖定的iOS設備並製做iTunes備份,這種狀況下都不知道設備密碼,也沒法用TouchID或FaceID解鎖;以前版本中包含的USB限制功能在這個版本中加入了24小時限制,24小時後設備必須解鎖(24-48小時:使用TouchID/FaceID或密碼;48小時以上:必須使用密碼)纔可以繼續使用原有的Lockdown記錄。
The new USB Restricted Mode puts significantly more severe limitations in place. Not only will the experts have an extremely small window of opportunity of just one hours, but they may lose the ability to do just about anything with the device once it shuts down the USB port – including the ability to run a password cracking tool.
全新的USB限制模式增長了更嚴格的限制,取證人員如今僅能得到區區1小時的時間窗口,並且,在設備USB功能關閉後他們什麼都無能爲力,包括使用密碼破解設備。
Will this really be it? Will the new USB Restricted Mode really prevent tools such as Cellebrite and GrayShift from breaking passcodes on devices running iOS 11.4.1 (beta)? At this time, we have no idea. But it certainly looks like this was what Apple planned all along.
真的是這樣麼?新的USB限制模式是否真的可以限制諸如Cellebrite和GrayShift這樣的工具破解iOS 11.4.1 beta的密碼?現時狀況下咱們還不知道,可是目前看來Apple一直以來都是這麼打算的。
As was the case in iOS 11.3 beta, the clock starts ticking after the device is lockedor after the device is disconnected from a trusted (paired) computer or USB accessory (we were able to positively verify the latter by running a simple test). In order to keep the USB port unlocked, the police would have to connect the iPhone to a trusted device during the first one hour, and keep it connected at all times before they have a chance to attempt acquisition.
與iOS 11.3beta版本狀況同樣,開始計時的時間是從設備鎖定後、或者設備從受信任(已配對)的計算機或配件斷開鏈接之後開始(咱們能夠經過一個簡單的測試來驗證後者),爲了保持USB接口不鎖定,警方如今必須在一小時內把手機連到受信任的設備上,而且在他們能找到機會開始取證以前保持鏈接。
The exact effect of USB Restricted More on the forensic community remains to be seen. While we currently don’t know how (or if) the new mode will affect unlocking efforts performed by Cellebrite and GrayShift, one thing is for sure: lockdown records will lose much of their forensic appeal due to severely restricted lifespan. It is still to early to say if this option will make it into the final release of iOS 11.4.1, and how exactly it will work if it gets included.
USB限制模式爲取證帶來的影響目前還有待觀察,咱們目前也不清楚新的限制會對Cellebrite以及GrayShift的解鎖服務可否產生影響或者產生何種影響,但有一點能夠肯定:因爲時間限制,Lockdown記錄將會失去它在取證方面的多數價值。而如今判斷在最終的iOS 11.4.1中是否有此限制、以及它究竟能發揮多大做用還爲時尚早。