A new feature in iOS 11.4.1, which Apple released earlier this week, is designed to protect against unwanted intrusions through the iPhone’s Lightning Port. However, the protection may be weak at best.
The feature, called “USB Restricted Mode,” disables data transfer through the Lightning Port after an hour of inactivity.
A password-protected iOS device that has not been unlocked and connected to a USB accessory within the past hour will not communicate with an accessory or computer, and in some cases might not charge, according to Apple. Users might see a message directing them to unlock the device to use accessories.
One possible use for USB Restricted Mode could be to foil passcode-cracking solutions made by companies like Cellebrite and Grayshift, which reportedly have been used by law enforcement authorities to crack iPhones.
Users can turn off the USB Restricted Mode capability if they desire to do so.
Thwarting Data Port Intruders
Although the Lightning port may be a sweet spot for law enforcement, USB Restricted Mode has a broader purpose than protecting users from police probes, maintained Will Strafach, president of Sudo Security Group, an iOS security company in Greenwich, Connecticut.
“Exploits and vulnerabilities can be seized on by anyone,” he told TechNewsWorld. “Criminals may want to steal data from the device or wipe it, so this mode is for mitigation of any kind of USB-based vulnerability.”
USB Restricted Mode is “first and foremost” designed to protect its users’ phones and data, maintained Andrew Blaich, head of device intelligence at Lookout, a maker of mobile security products in San Francisco.
“Law enforcement has recently been using new tools, such as GrayKey, to guess the passcode of a device to access it,” he told TechNewsWorld.
However, the vulnerabilities and technical bypasses used by GrayKey — and by solutions from Cellebrite and others — are still unknown, he pointed out.
The code GrayKey uses to break the passcode on an iPhone is a closely held secret, but it appears to load through the Lightning Port.
“So Apple’s idea is to make a user enter a passcode after an hour. Otherwise the Lightning Port can only be used for power,” said Sudo’s Strafach.
“Without a data connection, there’s no way to communicate with the data services running on the phone, so there’s no way to access any vulnerabilities on the phone,” he explained.
“Instead of trying to address individual vulnerabilities, Apple is addressing a whole class of vulnerabilities that need the data link to be exploited,” Strafach pointed out.
“That’s smart,” he said. “It’s taking a long-term outlook on vulnerabilities. Rather than squashing vulnerabilities as they come up, they’re taking a proactive approach and mitigating the method by which these vulnerabilities are exploited.”
Breaking Restricted Mode
Once USB Restricted Mode is engaged, it appears to be impossible to break, so the key to foiling the security measure is to prevent it from engaging.
Oleg Afonin, a security researcher at ElcomSoft, has described exactly how to do that in an online post.
“What we discovered is that iOS will reset the USB Restrictive Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been [connected] to the iPhone before,” he wrote.
If USB Restricted Mode hasn’t been engaged, a police officer can seize an iPhone and immediately connect a compatible USB accessory to prevent the USB Restricted Mode lock from engaging after one hour, he explained. Then the device can be taken to a location where a passcode cracker can be used.
What’s the likelihood that a phone hasn’t been unlocked within an hour of it being seized by a law enforcement agent? Quite high, according to Afonin, who noted the average user unlocks a phone around 80 times a day.
Apple did not respond to our request to comment for this story.
“Nothing is a silver bullet,” warned Lookout’s Blaich.
“There is no perfect solution, but it’s best to assume that if someone has physical access to your phone, they will eventually be able to find a way to get in,” he said. “So users need to remember to use a strong passcode to minimize unintended access when they lose possession of their device.”
Security Risks in a Technology-Driven World
Technology has certainly changed how the world works, influencing almost every aspect of modern life. But while modern technology undeniably brings a number of advantages across multiple sectors, it also has its share of downsides. The inter-connectivity that ties all devices and systems to the internet has invited malicious forces into the mix, exposing users and businesses to a wide range of threats. How do you stay safe and secure?
From the comforts of home (the tech in your home)
Your mobile phone’s alarm wakes you up in the morning, but you get up to check updates from your social media network. News and updates used to come via the morning paper and conversations over the phone. More than a decade later, scanning social media feeds is the new norm for a lot of people.
Home appliances like televisions and air conditioners can now be controlled using your phone via an app, and it is just one of the many examples of IoT technology reaching the market. Alexa, Amazon’s voice control system that powers the wireless speaker called Echo, allows users to search the Web, shop online, get weather reports, and control smart-home products without having to use a remote or phone. Reports say that over 24 million voice-enabled machines were shipped in 2017, and the growth shows no sign of stopping.
Meanwhile, other IoT-powered devices are designed to eliminate regular configuration or setting. Smart thermostats can automatically regulate temperature, while smart fridges are capable of informing users whenever supplies are low.
Out on the Road
When you leave home for work, the thought of commuting comes with a feeling of dread because of expected traffic and pollution. Modern transportation network companies like Uber and Lyft found a way to increase the per capita utility of a car, reduce congestion and carbon emission, and eliminate the need for parking spaces. The power of interconnectivity has provided car-sharing and car-pooling services an online platform that connects passengers to commercial drivers, which makes life more convenient for people who commute to work.
Smart traffic management already exists in some cities. It requires a centralized system to control traffic lights and sensors that regulate traffic throughout a city, optimizing traffic flow and reducing waiting time for pedestrians who want to cross streets.
At the workplace, biometric systems such as fingerprint scanners and facial recognition systems are being utilized for employee verification. Obscuring knowledge-based passwords to securely enter the office is just one of the many uses of biometric authentication. It’s also seeing increasing patronage among industries and governments across the globe with its integration in smartphones, adoption of biometric systems by government facilities, and the rising use of biometric technology in financial and critical sectors, among others.
Security Technologies for the Financial Sector
For financial institutions, keeping an ever-stronger security posture has become a necessity, but the technologies that support web security change as rapidly as the threats. Even an institution that thinks it has solid web security tools and practices in place needs to periodically reassess them to keep pace.
Several core IT security controls must be included in any robust solution to provide multi-layered security. Having multiple layers of security is more important than ever because no single security tool is effective against most threats.
UNIFIED THREAT MANAGEMENT
UTM technologies bundle several security capabilities into a single network-based device to protect both web servers and web client devices. UTM capabilities include firewalling, intrusion detection and prevention, virtual private networks, anti-malware and web content filtering. These functions are all critical for any modern IT environment, and by bundling them into a single device, greater performance and lower costs can be achieved. Examples of UTM technologies include Palo Alto Networks’ PA-5000 series, Cisco Systems’ Adaptive Security Appliance and Fortinet’s Unified Threat Management solution.
Endpoint security solutions are similar to UTM technologies in that they bundle multiple security capabilities into a single product, but they are software-based and targeted toward user devices, such as desktop and notebook computers, smartphones and tablets. Symantec Endpoint Protection, Trend Micro Enterprise Security for Endpoints and McAfee Total Protection for Endpoint are examples of products in this space.
Typical capabilities offered by endpoint security solutions include anti-malware functions, firewalling, and intrusion detection and prevention. Because they are host-based, not network-based, endpoint security solutions travel with the device, so they can protect it from threats no matter where the device may be used, including external environments that do not provide network-based security controls. Keeping web client devices “clean” of malware and other forms of attack is key to reducing web server and application compromises caused by leveraging user access.
WEB AND EMAIL SECURITY
Dedicated devices or server add-ons can examine web and email traffic for suspicious or malicious content and handle this traffic appropriately. It may not be immediately obvious that email security is necessary for web security, but many of the attacks that involve malicious web activity are initiated through malicious emails. Examples of email security gateways are Cisco’s Email Security Appliance, Proofpoint’s Enterprise Protection and McAfee’s Email Protection. Web security gateways include Cisco’s Web Security Appliance and McAfee’s Web Gateway.
ENCRYPTION OF DATA AT REST
Most financial institutions are well aware of the need to encrypt sensitive data in transit over unprotected networks, but it is increasingly important to encrypt sensitive data at rest (on storage) as well. Banks and credit unions have a wide variety of enterprise storage encryption products to choose from. While they all provide the same basic encryption and key management functionality, these tools support encryption of different kinds of storage. Some products support endpoint encryption only (for example, hard drives or removable media), while others also support encryption on file shares, cloud storage and other network-accessible locations. Examples of products that possess this functionality include Sophos SafeGuard Enterprise Encryption, the Symantec Encryption family, RSA Data Protection Manager and McAfee Complete Data Protection (for endpoints only).
Vendors such as RSA and 2FA provide a variety of software and hardware-based products for enterprise authentication services. These services support web security because they enable the use of diverse authentication methods, including multifactor authentication with cryptographic tokens, smart cards and biometrics. Using multifactor authentication greatly reduces the chances that an attacker can steal a legitimate user’s credentials and reuse them. Some enterprises choose to use multifactor authentication for administrators only, while others have moved toward multifactor authentication for all internal users.
The Dismal State of Healthcare IoT Security
The healthcare industry has been moving toward medical equipment connectivity to speed up data entry and recording, as well as improve data accuracy. At the same time, there has been a shift toward incorporating consumer mobile devices, including wearables, so that healthcare providers can monitor patients’ health more closely and improve treatment.
“The demand for connected devices has increased rapidly in recent years,” noted Leon Lerman, CEO of Cynerio.
“The number of connected medical devices, currently estimated to be approximately 10 billion, is expected to increase to 50 billion over the next 10 years,” he told the E-Commerce Times.
Worldwide, consumer interest in smart wearables — those from Apple, Fitbit and various fashion brands — has been growing, according to IDC.
Wearables sales in Q1 exceeded 25 million units. Sales of smart wearables in that period were more than 28 percent higher year over year, while sales of basic wearables fell by about 9 percent.
The smarter devices from major brands such as Apple and Fitbit incorporate more sensors and improved algorithms, and have access to historical underlying data, noted Jitesh Ubrani, senior research analyst for IDC mobile device trackers, which makes them useful for monitoring user health.
Wearable makers increasingly have been incorporating cellular connectivity into their products, leading to the emergence of new use cases. About one third of all wearables sold in Q1 included cellular connectivity.
Apple has been pushing deeper into healthcare with the Apple Watch, which connects wirelessly with an iPhone.
Fitbit has partnered with Google on a range of enterprise and consumer health solutions.
Further, medical equipment manufacturers increasingly have been incorporating connectivity into their products.
However, connecting wearables to networks comes at the cost of increased security risks.
“With the number of IoT and connected devices being used within hospitals constantly increasing and diversifying in their nature, the exposure to potential devices is great,” Cynerio’s Lerman noted.
Such devices range from MRI machines to insulin pumps, and “the sheer number of devices in a single hospital also means that staff are often unaware of threats, so breaches can go undetected,” he pointed out.
Network-connected medical devices “promise an entirely new level of value for patients and doctors, but they also introduce new cyber security vulnerabilities that could affect clinical operations and put patient care at risk,” Kamaljit Behera, healthcare industry analyst at Frost & Sullivan, told the E-Commerce Times.
Last year, 75 percent of healthcare organizations experienced a cybersecurity incident, noted Frost & Sullivan healthcare industry analyst Siddharth Shah.
Attitudes toward cyber security have been mixed, however. Seventy-one percent of the healthcare organizations that responded to an HIMSS survey last year indicated they had allocated a budget for cyber security, Shah told the E-Commerce Times.
However, based on the firm’s research, 53 percent of healthcare providers and 43 percent of medical device manufacturers “do not test their medical devices for security, and few are doing anything about being hacked,” he said.
“Some improvement” in cybersecurity is expected this year, Shah said. The healthcare industry “is gradually moving from a reactive approach to a proactive one, but there’s still lots to be done.”
Hospitals’ IT security budgets are relatively low, Lerman pointed out. So, hospitals “have a relaxed security posture, with unsecured connected medical devices being the golden ticket for hackers.”
Patient data is “valued at approximately 10 times the value of a standard credit card,” he remarked.
The lure of riches has spurred hackers’ creativity, observed Sean Newman, director of product management at Corero Network Security.
“Evidence of continued cybercriminal investment and innovation … reinforces the need for organizations requiring continuous Internet availability to deploy the latest generation of real-time, automatic DDoS protection solutions,” he told the E-Commerce Times.
There already are cybersecurity frameworks in use at hospitals, Shah said.
Further, the United States government has been working to improve the situation: The U.S. Food and Drug Administration has published a medical device safety action plan, for example. It also collaborates with the U.S. Department of Homeland Security on medical device cybersecurity issues.
Wearables Are Low Risk
The risk from wearables is low level, “assuming the healthcare entity is segmenting the data flow from remote personal healthcare devices into a separate data repository and not their electronic health records,” said Greg Caressi, global business unit leader for transformational health at Frost & Sullivan.
That’s the “more likely architecture” to be adopted for both analytics and security purposes, he told the E-Commerce Times.
The increasing trend toward consumerism in healthcare has given rise to a new debate, said Frost’s Behera, over whether to make individuals the actual owners of their data, with sole access control to promote interoperability.
“It’s a great vision,” said Behera, “but the bigger question is, how well are individuals prepared, equipped and educated to protect access to their health data on their smartphones or their home Internet networks?”
A Possible Healthcare Security Strategy
Each device maker implements its own security solutions, and the medical device industry “is struggling to take what they’ve learned and apply it,” noted Rod Schultz, chief product officer at Rubicon Labs.
What’s needed is a paradigm shift, he told TechNewsWorld.
Connected medical device makers should not each attempt to reinvent the cybersecurity wheel, Schultz said. Instead, they all should rely on mobile phones, which are “the natural cornerstone of security for a connected medical device.”
Finding a way for mobile phones to do as much of the heavy cybersecurity lifting as possible “will work — but will require device makers to concede and cooperate with Apple, Google, Microsoft and Amazon,” he pointed out.
“Standardization may eventually spin out of this,” Schultz suggested, “but in the short and medium term, looking for a halo of security from the biggest mobile device and cloud providers seems like a viable security strategy.”