Apple Rolls-Out USB Restricted Mode in iOS
12.7.2018 securityweek Apple
Apple on Monday released patches for various security vulnerabilities in iOS, macOS, tvOS, watchOS, and Safari, as well as for iCloud and iTunes for Windows.
In addition to fixes for 22 issues, the iOS 11.4.1 software update also introduces the long-expected USB Restricted Mode, a feature that should boost the security of the platform and improve privacy.
“Starting with iOS 11.4.1, if you use USB accessories with your iPhone, iPad, or iPod touch, or if you connect your device to a Mac or PC, you might need to unlock your device for it to recognize and use the accessory. Your accessory then remains connected, even if your device is subsequently locked,” Apple says.
The new feature should prevent USB devices that connect over the Lightning port from being used to crack the device’s passcode and access user data, provided the connection attempt occurs more than one hour after the device was locked.
The new feature can be found in Settings > Face ID (or Touch ID) & Passcode > USB Accessories. Users should leave the toggle disabled to take advantage of USB Restricted Mode.
With the roll-out of this new capability on iOS, it will be more difficult for forensic analysts to access data on a suspect’s devices, as they will only have a one-hour window at their disposal to attempt to crack the available protections.
Once it has kicked in, USB Restricted Mode persists through reboots, and even after the device software has been restored via Recovery mode, ElcomSoft’s Oleg Afonin explains.
However, it is possible to reset the USB Restricted Mode countdown timer if an untrusted USB accessory is connected to the device within the first hour.
The 22 vulnerabilities addressed with the release of iOS 11.4.1 impact CFNetwork, Emoji, Kernel, libxpc, LinkPresentation, WebKit, WebKit Page Loading, and Wi-Fi. WebKit was impacted the most, with 14 vulnerabilities addressed in it.
The addressed issues include unexpected persistence of cookies in Safari, denial of service, elevation of privileges, access to restricted memory, address bar spoofing, arbitrary code execution, unexpected Safari crashes, exfiltration of audio data cross-origin, and sandbox escape.
The new iOS release is available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.
Apple also patched 11 security flaws with the release of macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, and Security Update 2018-004 El Capitan. The bugs impact AMD, APFS, ATS, CFNetwork, CoreCrypto, DesktopServices, IOGraphics, Kernel, libxpc, and LinkPresentation.
The most important of the issues is CVE-2018-3665, a vulnerability that impacts Intel processors. Dubbed LazyFP and detailed last month, the bug is similar to Meltdown Variant 3a and could be exploited to access floating point unit (FPU) state data, which can contain sensitive information, such as cryptographic keys.
“Systems using Intel Core-based microprocessors may potentially allow a local process to infer data utilizing Lazy FP state restore from another process through a speculative execution side channel,” Apple notes.
The newly released watchOS 4.3.2 resolves a total of 14 vulnerabilities, while tvOS 11.4.1 addresses 18. Apple resolved 16 flaws with the release of Safari 11.1.2, and patched 14 bugs in both iCloud for Windows 7.6 and iTunes 12.8 for Windows.