Security news that informs and inspires

How iOS 11.4.1 Stops USB Attacks and Bad Emojis


There is a setting in the newest version of iOS released Monday that security and privacy conscious users should be very happy to see.

Known as USB Restricted Mode, the setting prevents any USB accessory from communicating with an iOS device that hasn’t been unlocked in the past hour. The feature is included in iOS 11.4.1 and it’s designed to prevent attackers or thieves who get physical access to a locked device from being able to dump the phone’s contents to a computer over USB. Restricted Mode is enabled by default. To disable it, go into the iOS Settings, then select the Touch ID and Passcode option and scroll down to the bottom and toggle the USB Accessories option.

The new feature also has the effect of defeating some of the more popular forensics tools that law enforcement officers and other investigators use to pull content from seized iOS devices. Those tools use custom software exploits for iOS that are delivered through a device connected through the USB Lightning port.

“If you don’t first unlock your password-protected iOS device—or you haven’t unlocked and connected it to a USB accessory within the past hour—your iOS device won’t communicate with the accessory or computer, and in some cases, it might not charge. You might also see an alert asking you to unlock your device to use accessories,” Apple said in the documentation for iOS 11.4.1.

In addition to the inclusion of Restricted Mode, iOS 11.4.1 brings with it a number of security patches. There are several vulnerabilities fixed in the WebKit framework, including some that can lead to arbitrary code execution, and a memory corruption flaw in the iOS Wi-Fi component that can allow an app to escape the sandbox.

One of the more interesting bugs patched in this release is a problem with the way that iOS handles some emojis. Security researcher Patrick Wardle discovered, with the help of a friend whose phone kept crashing when apps received certain characters, that iPhones whose location was set to China would crash hard when an emoji of the Taiwanese flag was sent over iMessage or other apps. The bug is a null pointer dereference in some code in iOS that’s designed to remove the Taiwanese flag emoji from various messages.

“Well looks like when a message is received, ResponseKit classifies the message, and (if some some classification is true?) invokes the +[RKUtilities removeEmoji:] method. This method calls into the CoreEmoji dylib in order to perform the actual removal of the emoji(s),” Wardle wrote in a post explaining the technical details of the bug.

The code is only active on phones whose region is set to China and the result is a denial-of-service, crashing the affected device. Wardle reported the vulnerability to Apple, which released the patch Monday.

“Does Apple really add code to iOS to appease the Chinese government? Of course! And when that code is buggy, their users suffer,” Wardle said.