Digital forensics firm Elcomsoft has discovered that betas of iOS 11.4 include a “USB Restricted Mode” that makes it impossible to extract data from an iOS device after it has been locked for 7 consecutive days. The company is uncertain of the exact mechanism:
At this point, it is still unclear whether the USB port is blocked if the device has not been unlocked with a passcode for 7 consecutive days; if the device has not been unlocked at all (password or biometrics); or if the device has not been unlocked or connected to a trusted USB device or computer. In our test, we were able to confirm the USB lock after the device has been left idle for 7 days. During this period, we have not tried to unlock the device with Touch ID or connect it to a paired USB device. What we do know, however, is that after the 7 days the Lightning port is only good for charging.
Elcomsoft speculates that this feature is a response to firms like Grayshift that provide iPhone-cracking tools to law enforcement (see “Thoughts on Tim Cook’s Open Letter Criticizing Backdoors,” 17 February 2016).