The latest version of iOS is now available to all iOS users with eligible devices (iPhone 5s and up). This release not only brings bug fixes, but also includes at least one new feature that might be of interest to security-minded users.
The new feature is called “USB Restricted Mode,” and it lives quietly in the security settings of your iPhone (look for it under “Touch ID & Passcode”). Apple’s description of this new feature toggle:
If you don’t first unlock your password-protected iOS device – or you haven’t unlocked and connected it to a USB accessory within the past hour – your iOS device won’t communicate with the accessory or computer, and in some cases, it might not charge. You might also see an alert asking you to unlock your device to use accessories.
Upon updating to iOS 11.4.1, the default setting for this feature is to not allow USB accessories to work with the iPhone or iPad when locked for more than an hour.
To understand why this feature now exists, let’s review how USB accessories generally work with iPhones and iPads. When you plug a USB accessory into your iPhone or iPad, that item will not work unless the iDevice is unlocked first and the user answers a prompt on their iDevice to recognize the new USB device.
After completing this prompt successfully, that USB device will be able to work with the iDevice without issue in the future even when the phone is locked.
This is helpful for users (who no doubt wouldn’t want to go through this process every single time they plug in a device) and a neat little backdoor for hackers or anyone else who might want to access a locked iPhone with hacking tools like GrayKey.
Though we don’t know all the internal workings of hacking tools like GrayKey (the makers keep the details for law enforcement’s ears only), it’s purported to benefit from this USB-lock-bypassing behavior.
So by enabling a feature that requires a user to unlock the phone to use any USB accessories again, Apple seem to be making a new attempt to keep both hackers and government agencies out of their users’ iPhones, though it’s not clear if GrayKey would be deterred by this new feature. (You may remember that the heat was on Apple after the San Bernardino mass murder when the US government wanted access to the terrorists’ locked iPhones.)
Perhaps this is a better-than-nothing feature for the security minded; however, it’s already been shown to be rather easily circumvented with a USB accessory. Was this an oversight or is this feature working as intended? No word from Apple just yet, but keep an eye on the next iOS update to see if there’s a fix for this.
On the bug front, one of the flaws fixed in this update may be a curious after-effect of Chinese government censorship. In some versions of iPhones with specific region settings in place, just typing the word “Taiwan” or using the Taiwan flag emoji would cause the phone to completely crash. This flaw was discovered and written up by security researcher Patrick Wardle, who examined the code and found that this phone-crashing behavior was not the intent of the censorship code (it should merely not render the censored emoji or text), and disclosed the flaw to Apple.
The bug was then assigned CVE-2018-4290 and addressed in this patch – not to remove the censorship, but to fix the flaw in the code that was causing it to crash phones in certain configurations. Writes Wardle:
Though [this bug’s] impact was limited to a denial of service (NULL-pointer dereference) it made for an interesting case study of analyzing iOS code …and if Apple hadn’t tried to appease the Chinese government in the first place, there would be no bug!
The full details of the security updates for iOS 11.4.1 can be found in Apple’s article about the security content of iOS 11.4.1. Several of the CVEs are for issues found in WebKit, used by Safari and iOS mail, including denial of service and arbitrary code execution flaws.
Apple release iOS 11.4.1 on 9 July, so if you have an iPhone 5s or iPad Air or newer, you’ll find the update via “Software Updates” in the Settings app.
