Author: Oleg Afonin

As we wrote back in May, Apple is toying with the idea of restricting USB access to iOS devices that have not been unlocked for a certain period of time. At the time of publication, our article received a lot of controversial reports. When this mode did not make it into the final build of iOS 11.4, we enjoyed a flow of sarcastic comments from journalists and the makers of passcode cracking toolkits. Well, there we have it: Apple is back on track with iOS 11.4.1 beta including the new, improved and user-configurable USB Restricted Mode.

What’s It All About?

The USB Restricted Mode first made its appearance in iOS 11.3 beta. The idea behind this mode is well covered in our previous article iOS 11.4 to Disable USB Port After 7 Days: What It Means for Mobile Forensics. At the time of 11.3 beta, the feature had the following description:

“To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked – or enter your device passcode while connected – at least once a week.”

The idea behind USB Restricted Mode was pretty ingenious. The feature appeared to be directly targeting passcode cracking solutions such as those made by Cellebrite and GrayShift. A device running iOS 11.3 beta would disable the USB data connection over the Lightning port one week after the device was last unlocked. The feature was not user-configurable, but it could be disabled via corporate policies and device management solutions.

Apparently, the feature did not make it into the final release of iOS 11.3. While we had reasons to believe it would be included with iOS 11.4, Apple skipped it in iOS 11.4, replacing it instead with a toned-down version that would require unlocking the iOS device after 24 hours in order for it to communicate with a USB accessory. While this toned-down feature would complicate the work of forensic experts by effectively disabling logical acquisition with lockdown records, it had zero effect on passcode cracking solutions such as those offered by Cellebrite and GrayShift.

The “proper” USB Restricted Mode, the one that would completely shut down all data communications between the iOS device and the computer, was still missing in iOS 11.4, only to reappear – in a much refined form – in iOS 11.4.1 beta.

USB Restricted Mode to Optionally Disable USB Port after Just One Hour

Our May publication made a lot of noise. Some users were excited to receive this additional level of protection, many asking for the feature to be even more restrictive, and most asking for the feature to become user-selectable.

Here’s one example:

Apple Insider: Apple’s iOS 11.4 update with ‘USB Restricted Mode’ may defeat tools like GrayKey

“Can they go a step further and have a toggle that prevents any data connection via USB?” asks one of the readers in the comments. “I’m not a power user, but I can’t remember the last time I connected my phone to anything to transfer data. Everything is cloud based (backup, sync, etc), AirDrop, or just email/imessaged as far as I know.”

It seems that someone at Apple does read such publications, and does care about users’ voices (kudos to them if this is true). Without much fuss (“Bug fixes and improvements” is all that’s mentioned in iOS 11.4 Release Notes), Apple introduces a major new security feature.

Say hello to the new and improved USB Restricted Mode.

Once the user toggles the “USB Accessories” switch, the iPhone will require you to “Unlock iPhone to allow USB accessories to connect when it has been more than an hour since your iPhone was locked”.

This is what happens if you activate the feature, wait for an hour and try connecting your iPhone to the computer:

How do we know this is the “proper” USB Restricted Mode this time? Because, unlike before, there is zero data communicated over the USB port once this feature kicks in. iTunes does not see the device at all; no “unlock this device to access” and no pairing request. The iPhone just charges off the computer’s USB port, transmitting no information. We have not been able to access even the basic information about the device using the Elcomsoft iOS Forensic Toolkit I(nfo) command, the very same command that returns identification information about an iOS device even if it has never been paired with the computer.

The End of Forensic Use of Lockdown Records?

The police were frequently using lockdown records extracted from suspects’ computers to access the content of locked devices and produce iTunes-style backups; all that without knowing the passcode or unlocking the phone with Touch ID/Face ID. The toned-down version of USB Restricted Mode that was included in previous versions of iOS already put a limit of only 24 hours, after which the iPhone would have to be unlocked (24-48 hours: with Touch ID/Face ID or passcode; after 48 hours: passcode only) in order to make use of the existing lockdown record.

The new USB Restricted Mode puts significantly more severe limitations in place. Not only will the experts have an extremely small window of opportunity of just one hour, but they may lose the ability to do just about anything with the device once it shuts down the USB port – including the ability to run a password cracking tool.

The End of Forensic Unlocks?

Will this really be it? Will the new USB Restricted Mode really prevent tools such as Cellebrite and GrayShift from breaking passcodes on devices running iOS 11.4.1 (beta)? At this time, we have no idea. But it certainly looks like this was what Apple planned all along.

A Workaround?

As was the case in iOS 11.3 beta, the clock starts ticking after the device is locked or after the device is disconnected from a trusted (paired) computer or USB accessory (we were able to positively verify the latter by running a simple test). In order to keep the USB port unlocked, the police would have to connect the iPhone to a trusted device during the first hour, and keep it connected at all times before they have a chance to attempt acquisition.
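The timing rules described in this article can be modelled as a small state machine that replays lock, unlock, attach and detach events and reports whether the port still carries data at a given moment. This is an added example, not code from the article or from Apple; `PortState`, `usb_data_allowed` and the event names are hypothetical, and it assumes that a trusted accessory attached before the window expires suspends the countdown and that unlocking clears the restriction.

```python
from dataclasses import dataclass
from typing import Optional

WINDOW_S = 3600  # "more than an hour", from the setting text quoted in the article


@dataclass
class PortState:
    locked: bool = False
    attached: bool = False            # trusted (paired) computer or accessory on the port
    restricted: bool = False          # True = charge only, no USB data
    clock_start: Optional[float] = None

    def tick(self, t: float) -> None:
        # The countdown only matters while locked with nothing trusted attached.
        if (self.locked and not self.attached and self.clock_start is not None
                and t - self.clock_start > WINDOW_S):
            self.restricted = True

    def apply(self, t: float, event: str) -> None:
        self.tick(t)
        if event == "lock":
            self.locked = True
            if not self.attached:
                self.clock_start = t
        elif event == "unlock":       # assumption: unlocking lifts the restriction
            self.locked, self.restricted, self.clock_start = False, False, None
        elif event == "attach":
            if not self.restricted:   # a restricted port only charges
                self.attached = True
        elif event == "detach":
            if self.attached:
                self.attached = False
                if self.locked:
                    self.clock_start = t   # clock restarts on disconnect
        else:
            raise ValueError(f"unknown event: {event}")


def usb_data_allowed(events, at: float) -> bool:
    """Replay (seconds, event) pairs up to `at`; True if USB data can flow then."""
    state = PortState()
    for t, event in sorted(events):
        if t > at:
            break
        state.apply(t, event)
    state.tick(at)
    return not state.restricted
```

Timestamps are seconds from an arbitrary origin; the timelines a reader feeds in are constructed inputs, not measurements from a device.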

Conclusion

The exact effect of USB Restricted Mode on the forensic community remains to be seen. While we currently don’t know how (or if) the new mode will affect unlocking efforts performed by Cellebrite and GrayShift, one thing is for sure: lockdown records will lose much of their forensic appeal due to their severely restricted lifespan. It is still too early to say if this option will make it into the final release of iOS 11.4.1, and how exactly it will work if it gets included.
