Author: Oleg Afonin
 

As we wrote back in May, Apple is toying with the idea of restricting USB access to iOS devices that have not been unlocked for a certain period of time. At the time of publication, our article received a lot of controversial reports. When this mode did not make it into the final build of iOS 11.4, we enjoyed a flow of sarcastic comments from journalists and the makers of passcode cracking toolkits. Well, there we have it: Apple is back on track with iOS 11.4.1 beta, which includes the new, improved and user-configurable USB Restricted Mode.

What’s It All About?

 

The USB Restricted Mode first made its appearance in iOS 11.3 beta. The idea behind this mode is well covered in our previous article, “iOS 11.4 to Disable USB Port After 7 Days: What It Means for Mobile Forensics”. At the time of 11.3 beta, the feature had the following description:

“To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked – or enter your device passcode while connected – at least once a week.”

The idea behind USB Restricted Mode was pretty ingenious. The feature appeared to be directly targeting passcode cracking solutions such as those made by Cellebrite and GrayShift. The device running iOS 11.3 beta would disable the USB data connection over the Lightning port one week after the device had last been unlocked. The feature was not user-configurable, but it could be disabled via corporate policies and device management solutions.

Apparently, the feature did not make it into the final release of iOS 11.3. While we had reasons to believe it would be included with iOS 11.4, Apple skipped it in iOS 11.4, replacing it instead with a toned-down version that would require unlocking the iOS device after 24 hours in order for it to communicate with a USB accessory. While this toned-down feature would complicate the work of forensic experts by effectively disabling logical acquisition with lockdown records, it had zero effect on passcode cracking solutions such as those offered by Cellebrite and GrayShift.

The “proper” USB Restricted Mode, the one that would completely shut down all data communications between the iOS device and the computer, was still missing in iOS 11.4. Only to reappear – in a much refined form – in iOS 11.4.1 beta.

USB Restricted Mode to Optionally Disable USB Port after Just One Hour

Our May publication made a lot of noise. Some users were excited to receive this additional protection level, many asking for the feature to be even more restrictive, and most prompting for the feature to become user selectable.

Here’s one example:

Apple Insider: Apple’s iOS 11.4 update with ‘USB Restricted Mode’ may defeat tools like GrayKey

“Can they go a step further and have a toggle that prevents any data connection via USB?” asks one of the readers in the comments. “I’m not a power user, but I can’t remember the last time I connected my phone to anything to transfer data. Everything is cloud based (backup, sync, etc), AirDrop, or just email/imessaged as far as I know.”

It seems that someone at Apple does read such publications, and does care about users’ voices (kudos to them if this is true). Without much fuss (“Bug fixes and improvements” is all that’s mentioned in the iOS 11.4 Release Notes), Apple introduces a major new security feature.

Say hello to the new and improved USB Restricted Mode.

Once the user toggles the “USB Accessories” switch, the iPhone will require you to “Unlock iPhone to allow USB accessories to connect when it has been more than an hour since your iPhone was locked”.

This is what happens if you activate the feature, wait for an hour and try connecting your iPhone to the computer:

How do we know this is the “proper” USB Restricted Mode this time? Because, unlike before, there is zero data communicated over the USB port once this feature kicks in. iTunes does not see the device at all; no “unlock this device to access” and no pairing request. The iPhone just charges off the computer’s USB port, transmitting no information. We have not been able to access even the basic information about the device using the Elcomsoft iOS Forensic Toolkit I(nfo) command, the very same command that returns identification information about an iOS device even if it has never been paired with the computer.

The End of Forensic Use of Lockdown Records?

The police were frequently using lockdown records extracted from suspects’ computers to access the content of locked devices and produce iTunes-style backups; all that without knowing the passcode or unlocking the phone with Touch ID/Face ID. The toned-down version of USB Restricted Mode that was included in previous versions of iOS already put a limit of only 24 hours, after which the iPhone would have to be unlocked (24-48 hours: with Touch ID/Face ID or passcode; after 48 hours: passcode only) in order to make use of the existing lockdown record.

The new USB Restricted Mode puts significantly more severe limitations in place. Not only will the experts have an extremely small window of opportunity of just one hour, but they may lose the ability to do just about anything with the device once it shuts down the USB port – including the ability to run a password cracking tool.

The End of Forensic Unlocks?

Will this really be it? Will the new USB Restricted Mode really prevent tools such as Cellebrite and GrayShift from breaking passcodes on devices running iOS 11.4.1 (beta)? At this time, we have no idea. But it certainly looks like this was what Apple planned all along.

A Workaround?

As was the case in iOS 11.3 beta, the clock starts ticking after the device is locked or after the device is disconnected from a trusted (paired) computer or USB accessory (we were able to positively verify the latter by running a simple test). In order to keep the USB port unlocked, the police would have to connect the iPhone to a trusted device during the first hour, and keep it connected at all times before they have a chance to attempt acquisition.
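The timing rule described above can be written down as a small model. This is an added example, not code from the article, Elcomsoft or Apple: the event names, the `usb_data_state` function and the timeline are constructed, and it assumes the behaviour exactly as reported here for the 11.4.1 beta (countdown starts on lock or on disconnect from a trusted device, is held while a trusted device stays attached, and only an unlock clears the restriction).

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)        # "more than an hour since your iPhone was locked"
T0 = datetime(2018, 6, 1, 9, 0)    # constructed reference time

def t(minutes):
    """Constructed helper: a timestamp `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)

def usb_data_state(events, at):
    """Return 'open' or 'restricted' for the USB data connection at time `at`.

    events: (timestamp, kind) tuples, kind in {'lock', 'unlock',
    'attach_trusted', 'detach_trusted'} (hypothetical event names).
    """
    locked = attached = restricted = False
    clock = None                   # when the one-hour countdown last started

    def expire(now):
        nonlocal restricted
        if locked and not attached and clock is not None and now - clock > WINDOW:
            restricted = True

    for ts, kind in sorted(events):
        if ts > at:
            break
        expire(ts)                 # did the window lapse before this event?
        if kind == "unlock":       # unlocking always re-enables accessories
            locked, restricted, clock = False, False, None
        elif kind == "lock":
            locked, clock = True, ts
        elif kind == "attach_trusted" and not restricted:
            attached = True        # countdown is held while a trusted device is attached
        elif kind == "detach_trusted" and attached:
            attached = False
            clock = ts if locked else None   # disconnecting restarts the clock
    expire(at)
    return "restricted" if restricted else "open"

if __name__ == "__main__":
    # Constructed timeline: locked at T0, attached to a paired computer at +30 min,
    # detached at +10 h.
    timeline = [(t(0), "lock"), (t(30), "attach_trusted"), (t(600), "detach_trusted")]
    for minutes in (600, 630, 661):
        print(minutes, usb_data_state(timeline, t(minutes)))
```

For evidence handling, the model makes the custody requirement explicit: the time of seizure, every cable connect and disconnect, and the last known lock time all need to be logged, because each one moves the point at which the port goes dark.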

Conclusion

The exact effect of USB Restricted Mode on the forensic community remains to be seen. While we currently don’t know how (or if) the new mode will affect unlocking efforts performed by Cellebrite and GrayShift, one thing is for sure: lockdown records will lose much of their forensic appeal due to severely restricted lifespan. It is still too early to say if this option will make it into the final release of iOS 11.4.1, and how exactly it will work if it gets included.
