By John Ahearne, Forensic Analyst When data is is needed for use as evidence, it…
USB Restricted Mode and Forensics – Is There a Workaround?
By John Ahearne, Forensic Analyst, and Bob Mehr, Sr. Legal Services Advisor
Apple confirmed on June 14 that a security feature announced at the June 4th Worldwide Developers Conference, called USB Restricted Mode, will come standard with the upcoming iOS 12 operating system for iPhone and iPad smart devices. This optional function disables communication with an iOS device via the USB lightning port when the device has not been used or logged into for at least an hour. A device in USB Restricted Mode can be unlocked using the passcode previously programmed into it by its user.
USB Restricted Mode is fully explained in a prior article by Jim Alcott, a DriveSavers data recovery/forensic engineer.
With this update, tools used by law enforcement that use the lightning port to connect and gain access to digital evidence on iPhones and iPads may no longer be useful. This will have particular impact in situations where a warrant was not issued prior to seizing a device, such as often occurs during probable cause arrests. If law enforcement has to wait for a warrant for a seized device before extracting data, the one-hour time frame may permanently prevent collection and examination of evidence.
This update may also impact digital forensics conducted internally by corporations and other organizations on company-owned devices.
However, there may be a workaround.
Exigent circumstances are exceptions to the general requirement of a warrant: “Those circumstances that would cause a reasonable person to believe that a warrantless search or entry (or other relevant prompt action) was necessary to prevent physical harm to the officers or other persons, the destruction of relevant evidence, the escape of a suspect, or some other consequence improperly frustrating legitimate law enforcement efforts.” United States v. McConney, 728 F.2d 1195 U.S. 824 (9th Cir.1984).
Using the criteria above, suspicion that USB Restricted Mode may be enabled on a suspect’s iPhone seized during arrest may constitute a reasonable fear of “destruction of relevant evidence” if the device isn’t immediately accessed and evidence collected in a forensically sound manner. If exigent circumstances exist, then law enforcement may be required to keep forensic tools handy that can image iPhones and iPads through the lightning port so evidence can be collected on the spot before the USB Restricted Mode goes into effect.
Thus far, the use of the exigent circumstances exemption for the search of mobile phones without a warrant has been a serious point of controversy in every level of criminal court.. As there should be, there has been much attention paid to the balance between the right to privacy and the concern over destruction of evidence.
In the Supreme Court case Riley v. California (2014) 573 U.S. __ [134 S.Ct. 2473], the Court determined that, in most instances where data is stored on a phone, exigent circumstances do not exist. However, the Court suggested that “If the police are truly confronted with a ‘now or never’ situation…they may be able to rely on exigent circumstances to search the phone immediately.” The new USB Restricted Mode may constitute one such “now or never” situation.
Since the iOS 12 update is not yet public, no instances have occurred to bring this specific circumstance to court and test this possible exception.
A corporation, company or other organization will reportedly have the option of disabling the USB Restricted Mode on company-owned iPhones and iPads updated to iOS 12 in a manner that it cannot be enabled by the users of the phones (employees of the company).
In cases where valuable proprietary information or intellectual property is stored on one of these devices, this will be a difficult decision to make. The company will want to ensure that every possible security hole is patched. This may mean ensuring that the USB Restricted Mode is enabled to prevent possible hacking of the device and theft of intellectual property. Or it may mean disabling the USB Restricted Mode so the company may be able to access the device if ever an employee leaves or becomes a suspect of corporate espionage or other harmful action.
Organizations should consider the possibilities and establish a written company-wide protocol prior to the release of iOS 12 and the USB Restricted Mode option.
Data Recovery of Devices with USB Restricted Mode Enabled
As long as the customer is able to provide a passcode for a smartphone or tablet, the new privacy protocol will not affect a data recovery company’s ability to bypass physical damage caused by water (fresh, salt or toilet), power surge, fire, drop or any other physical damage that may be caused to an iPhone or iPad.
This feature may, however, impact whether data can be recovered from a passcode-locked device updated to iOS 12. Situations where data recovery may not be possible would include data on an iPhone or iPad belonging to a deceased loved one or where the passcode has been forgotten.
Overcoming USB Restricted Mode
Grayshift, a manufacturer of digital imaging devices that access data on locked iPhones and iPads via the lightning port, has claimed that they have already overcome the USB Restricted Mode security feature. However, there is chatter of this statement being no more than a marketing ploy. We won’t know the truth until the function is public and we can see actual examples of data successfully extracted from an iPhone or iPad with USB Restricted Mode activated.
It is not unreasonable to believe that, like every security feature before it, someone, somewhere will discover a way to overcome the USB Restricted Mode feature. Until then, corporate forensics and law enforcement may find themselves with their hands tied.
On a brighter note, iPhone and iPad users can feel more confident that the personal data stored on their smart devices is safer from criminals with mal-intent. This is vital, as data stored on smartphones generally includes personal identity information like passwords, social security numbers, GPS locations and more. And when the USB Restricted Mode is eventually overcome, as all security features eventually are, we can expect Apple to step up to the plate and patch the loopholes.