{
	"id": "59040a92-8027-4534-9911-9803dca9718c",
	"created_at": "2026-04-06T00:12:05.539679Z",
	"updated_at": "2026-04-10T03:21:41.61962Z",
	"deleted_at": null,
	"sha1_hash": "e9af609972c75595749c3539fa7b31fc2f2a638d",
	"title": "iOS 12 Enhances USB Restricted Mode",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 501684,
	"plain_text": "iOS 12 Enhances USB Restricted Mode\r\nBy Oleg Afonin\r\nPublished: 2018-09-20 · Archived: 2026-04-05 17:00:18 UTC\r\nThe release of iOS 11.4.1 back in July 2018 introduced USB Restricted Mode, a feature designed to defer\r\npasscode cracking tools such as those developed by Cellerbrite and Grayshift. As a reminder, iOS 11.4.1\r\nautomatically switches off data connectivity of the Lightning port after one hour since the device was last\r\nunlocked, or one hour since the device has been disconnected from a USB accessory or computer. In addition,\r\nusers could manually disable the USB port by following the S.O.S. mode routine.\r\niOS 12 takes USB restrictions one step further. According to the new iOS Security guide published by Apple after\r\nthe release of iOS 12, USB connections are disabled immediately after the device locks if more than three days\r\nhave passed since the last USB connection, or if the device is in a state when it requires a passcode.\r\n“In addition, on iOS 12 if it’s been more than three days since a USB connection has been established, the device\r\nwill disallow new USB connections immediately after it locks. This is to increase protection for users that don’t\r\noften make use of such connections. USB connections are also disabled whenever the device is in a state where it\r\nrequires a passcode to re-enable biometric authentication.”\r\nSource: Apple iOS Security, September 2018\r\nWhy the Additional Security Measures?\r\nAccording to Apple itself, the additional security measures were required because “the USB accessory ecosystem\r\ndoesn’t provide a reliable way to identify accessories before establishing a data connection”. Below is the full\r\nexplanation of how USB Restricted Mode works in iOS 11.4.1. According to Apple iOS Security, September\r\n2018:\r\nTo improve security while maintaining usability, iOS 11.4.1 or later requires Touch ID, Face ID, or passcode entry\r\nto activate the USB interface if USB hasn’t been used recently. This eliminates attack surface against physically\r\nconnected devices such as malicious chargers while still enabling usage of USB accessories within reasonable\r\ntime constraints. If more than an hour has passed since the iOS device has locked or since a USB connection has\r\nbeen detached, the device won’t allow any new connections to be established until the device is unlocked. This\r\nhour period:\r\nEnsures that frequent users of connections to a Mac or PC, to USB accessories, or wired to CarPlay won’t\r\nneed to input their passcodes every time they attach their device.\r\nhttps://blog.elcomsoft.com/2018/09/ios-12-enhances-usb-restricted-mode/\r\nPage 1 of 4\n\nIs necessary because the USB accessory ecosystem doesn’t provide a reliable way to identify accessories\r\nbefore establishing a data connection.\r\nBack in July, we discovered this was exactly the issue with USB Restricted Mode in iOS 11.4.1. In particular,\r\nUSB restricted mode could be deferred by using a digital Lightning adapter (more in This $39 Device Can Defeat\r\niOS USB Restricted Mode). Being aware of this situation, Apple attempted to address the issue in iOS 12.\r\nConsidering the lack of “reliable way to identify accessories before establishing a data connection”, this is the\r\nbest Apple could do:\r\n“In addition, on iOS 12 if it’s been more than three days since a USB connection has been established, the device\r\nwill disallow new USB connections immediately after it locks. This is to increase protection for users that don’t\r\noften make use of such connections. USB connections are also disabled whenever the device is in a state where it\r\nrequires a passcode to re-enable biometric authentication.”\r\nSource: Apple iOS Security, September 2018\r\niOS 12 USB Restricted Mode at a Glance\r\nBelow is a brief summary of USB Restricted Mode in iOS 12.\r\nIn iOS 12, USB Restricted Mode engages if any of the following conditions is met:\r\nOne hour after the phone has been is locked, or one hour since the phone was disconnected from a USB\r\naccessory (whichever is later). Basically, one hour since last unlock/last disconnect.\r\nImmediately after the phone is locked if 72 hours or more have passed since the phone last established\r\nconnection with a USB device. If the 72 hours have passed, USB Restricted Mode will engage immediately\r\nevery time the iPhone’s screen is locked.\r\nAfter S.O.S. mode\r\nIf the iPhone is in a state where it requires a passcode to re-enable biometric authentication (“Your\r\npasscode is required to enable Touch ID/Face ID” message is displayed); basically, USB Restricted Mode\r\nnow engages under the same rules as Touch ID/Face ID expiry. Comprehensive analysis of Touch ID\r\nexpiration rules in Fingerprint Unlock Security: iOS\r\nWhat Happens Once USB Restricted Mode Is Engaged\r\nOnce USB Restricted Mode is engaged on a device, no data communications occur over the Lightning port. A\r\nconnected computer or accessory will not detect the iPhone as a “smart” device. If anything, an iPhone in USB\r\nRestricted Mode acts as a dumb battery pack: in can be charged, but cannot be identified. Moreover, once an\r\niPhone engages USB Restricted Mode, it may be unable to charge from the computer’s USB port (most ‘dumb’\r\nchargers will work as usual).\r\nUSB restricted mode effectively deters the ability of third-party forensic tools to crack iPhone’s passcodes.\r\nIs It Still Possible to Fool USB Restricted Mode with a USB Accessory?\r\nhttps://blog.elcomsoft.com/2018/09/ios-12-enhances-usb-restricted-mode/\r\nPage 2 of 4\n\nIn This $39 Device Can Defeat iOS USB Restricted Mode, we recommended connecting the seized iPhone to a\r\ncompatible accessory in order to defer USB Restricted Mode. Prior to iOS 11.4.1, isolating the iPhone inside a\r\nFaraday bag and connecting it to a battery pack would be enough to safely transport it to the lab. For iOS 11.4.1,\r\nwe recommended the following procedure:\r\n1. Connect the iPhone to a compatible Lightning accessory (such as the official Lightning to USB 3 Camera\r\nAdapter).\r\n2. Plug external battery pack to the adapter (to avoid iPhone battery drain).\r\n3. Place the entire assembly in a Faraday bag.\r\nThis main goal of this procedure was deferring the activation of USB Restricted Mode, allowing safely\r\ntransporting the iPhone to the lab. The key word here is “deferring”. If USB Restricted Mode has already engaged\r\n(for any reason), there is literally nothing you can do to enable the USB port other than unlocking the phone.\r\nBelow is the new recommended procedure.\r\nVerifying whether the phone engaged USB Restricted Mode:\r\n1. Attempt to connect the iPhone to a compatible Lightning accessory (such as the official Lightning to USB\r\n3 Camera Adapter).\r\n2. If the iPhone issues a triple vibration and displays the message below, USB Restricted Mode is already\r\nactive. At this point, there is nothing you can do to defer USB Restricted Mode other than asking the owner\r\nto unlock the device.\r\nhttps://blog.elcomsoft.com/2018/09/ios-12-enhances-usb-restricted-mode/\r\nPage 3 of 4\n\n3. If the iPhone was able to connect to the accessory, immediately place the device into the Faraday bag and\r\nconnect it to the charger. By using a compatible accessory, you will be able to safely transport the phone to\r\nthe lab without USB Restricted Mode being engaged.\r\nConclusion\r\niOS 12 is not only a major update, it’s a major upgrade as well. Delivering significant performance improvements\r\nto older devices and supporting devices as old as the iPhone 5s, iOS 12 will undoubtedly become the most popular\r\nversion of iOS on all compatible devices, old and new. Law enforcement and forensic specialists will have to\r\nadapt to this situation by at least being aware of the potential issues brought by this version of Apple’s mobile\r\noperating system.\r\nSource: https://blog.elcomsoft.com/2018/09/ios-12-enhances-usb-restricted-mode/\r\nhttps://blog.elcomsoft.com/2018/09/ios-12-enhances-usb-restricted-mode/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.elcomsoft.com/2018/09/ios-12-enhances-usb-restricted-mode/"
	],
	"report_names": [
		"ios-12-enhances-usb-restricted-mode"
	],
	"threat_actors": [],
	"ts_created_at": 1775434325,
	"ts_updated_at": 1775791301,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e9af609972c75595749c3539fa7b31fc2f2a638d.pdf",
		"text": "https://archive.orkl.eu/e9af609972c75595749c3539fa7b31fc2f2a638d.txt",
		"img": "https://archive.orkl.eu/e9af609972c75595749c3539fa7b31fc2f2a638d.jpg"
	}
}