Photo by Steve Johnson
USB Restricted Mode Can Block iOS Device Charging
Since the release of iOS 11.4.1, some readers have complained that their iOS devices aren’t charging, or are charging only after being unlocked. There’s a simple explanation: the new USB Restricted Mode, a security feature introduced in iOS 11.4.1 (see “Apple Releases macOS 10.13.6, iOS 11.4.1, tvOS 11.4.1, and watchOS 4.3.2,” 9 July 2018).
If USB Restricted Mode is bothering you, you can disable it by turning on USB Accessories in Settings > Touch/Face ID & Passcode. Before you do that, let’s look at what USB Restricted Mode does and why Apple added it to iOS.
Apple and the FBI
Longtime TidBITS readers know that Apple and law enforcement agencies have long been at loggerheads. Usually, I’d link to one of our old articles here, but many are relevant, including:
- “Apple and Google Spark Civil Rights Debate,” 10 October 2014
- “The FBI’s War on Encryption Continues,” 10 December 2015
- “Thoughts on Tim Cook’s Open Letter Criticizing Backdoors,” 17 February 2016
- “Details Emerge in Dispute between Apple and FBI,” 22 February 2016
As far as law enforcement is concerned, Apple’s iOS device encryption is too good because only authorized users can access data on a device that’s properly secured. So the FBI and other law enforcement agencies tried to compel Apple to install a backdoor that they insist would only be used by them and not by criminals. Apple refused, and because of that, some government figures even have accused Apple of aiding and abetting terrorists.
The problem is that if Apple were to put in a backdoor, foreign governments and savvy criminals would eventually find it. It’s the digital equivalent of hiding a house key under a rock in your walkway—it’s not in plain sight, but a dedicated criminal who knows the key has been hidden somewhere will eventually unearth it. Now imagine that same key could unlock every house in the country. That’s how big a problem creating a backdoor would be for Apple.
In fact, this scenario has already happened. The WannaCry ransomware that infected hundreds of thousands of computers was made possible by backdoors stolen from the National Security Agency, the very agency in charge of America’s electronic security—see “WannaCry Ransomware Vindicates Apple’s Battle with the FBI” (16 May 2017). To make matters worse, law enforcement has made it clear that it’s unable or uninterested in dealing with malware threats—see “The FBI Isn’t Much Help with Ransomware” (5 November 2015).
Apple’s lack of cooperation didn’t stop the FBI. What finally ended that standoff was the Israeli firm Cellebrite, which found a way to crack iPhone encryption at the cost of $5000 per device. In 2017, a new player entered the iPhone-cracking game, Atlanta-based Grayshift, which sells a product called the GrayKey to law enforcement. It’s a physical box that can extract information from a connected iPhone in a matter of hours or days. The box costs between $15,000 and $30,000, making it a pretty good deal compared to Cellebrite.
Consider what this means from Apple’s perspective: the invention of GrayKey meant that there was a big security hole in every iOS devices—an actual hole in this case— the Lighting port. Hence USB Restricted Mode.
What USB Restricted Mode Does
Put simply, USB Restricted Mode makes it so that a computer—or a GrayKey-like device—cannot access data from your iOS device unless you have unlocked it within the last 60 minutes. The timeout means that most of the time, you shouldn’t have to unlock your device explicitly before connecting it to your Mac or a USB accessory.
In theory, the way USB Restricted Mode locks down access shouldn’t prevent charging, but in reality, it can, particularly when used with third-party cables. Apple acknowledges this problem.
Will USB Restricted Mode Be Effective?
There’s another problem with USB Restricted Mode: attackers can easily circumvent it if they capture the device before the 60-minute timer has expired. Security firm ElcomSoft discovered that plugging Apple’s Lightning to USB 3 Camera Adapter into a device’s Lightning port disables the timer. Unfortunately, the nature of the Lighting port makes a software fix unlikely. ElcomSoft explains:
While we cannot know for sure, the issue appears to lie in Apple’s Lightning communication protocol. If the iPhone talks to a computer, the two devices must establish trust by exchanging unique cryptographic keys. This, however, does not apply to the majority of existing Lightning accessories. Existing accessories share public keys for trust; many of them are simply not designed to exchange cryptographic keys the way computers do. As a result, before USB Restricted Mode kicks in, an iPhone can check if the accessory is MFi certified–but that is pretty much it. It appears that there are no key pairs to be exchanged, and this is probably by design.
So, what should you do, now that USB Restricted Mode is a fact of life in iOS?
Disable USB Restricted Mode… Or Not
If USB Restricted Mode isn’t causing you any trouble, leave it on. Although it doesn’t offer complete protection against an alert attacker who can get access to your device quickly, it’s not worthless. Once your device has been locked for more than 60 minutes, nothing we know of can crack it.
If unlock alerts are nagging you, or if your device fails to charge because you didn’t unlock it, the easiest solution is to turn USB Restricted Mode off. Just go into Settings > Touch/Face ID & Passcode and enable USB Accessories.
Finally, for those who have an iPhone 8, iPhone 8 Plus, or iPhone X, you can work around issues with USB Restricted Mode by getting a Qi wireless charger. Check “13 Qi Wireless Chargers for the iPhone Reviewed” (22 February 2018) for some recommendations. They bypass the Lightning issues entirely and offer a number of other advantages.
Since I rely on charging my iDevices via the Lightning port, USB Restricted Mode (URM) WILL be disabled on any iDevice that has iOS 11.4 and greater. I use non-Apple 0.5 meter cables for overnight charging at home and when traveling I use a 4-USB port charger (so I don’t have to carry 4 individual chargers) to charge my iDevices. Apple needs to GUARANTEE that URM will be fixed to NEVER impede charging no matter who’s cables and chargers are used before I enable URM on my iDevices.
Sounds like 60 minutes might be too long and explains why I have never had a problem. Might be nice to activate manually and in minutes actually. But my charging is at night and I routinely delete all unused apps before plugging it in.
Note that charging from a charging only device should never be disabled by this feature. It absolutely has never been a problem for my iPad Pro or iPhone 7 using the charger that came with it.
When I plug them into my iMac after an hour, I’m informed that I need to unlock my phone and charging is disabled until I do that.
The difference being that chargers are not able to also access data, but the computer does. If the charging device cannot be positively identified as charge only, then it should be prevented, IMHO.
I believe that you can by pressing the sleep/wake button 5 times in succession (on TouchID iPhones) or squeeze the sleep/wake and one of the volume buttons (on the iPhone X) to completely lock the device from TouchID/FaceID.
However, Apple said that use of non-Apple cables will not charge with URM enabled, but didn’t say whether or not the unlock notice is triggered. So you are using non-Apple cables and are getting the unlock notice?
Not the OP.
I first noticed this new feature with a non-Apple iPhone device that allows both a USB cable with power plus a headphone cable to connect my iPhone 7 to my car.
Now I know why I got the popup message.
At least the device still works as intended.
Will eventually upgrade my 2010 car to work better with my next iPhone.
Are you being prompted to unlock your devices to charge with iOS 11.4.1? If not, there’s no win in turning off a security feature that isn’t hampering your everyday usage.
Also, with Touch ID and Face ID, unlocking your device often happens in the background when you’re not even thinking about it.
I suppose this is why I’ve never noticed problems with playing music/charging in my 2009 car: I tend to unlock the phone (check email, queue up songs, look up an address, etc.) right before I plug it in. If I could break my long-time habit, and wait 60 minutes, maybe I’d be able to trigger this message.
And as the article mentions, the Qi option of wirelessly charging works great (albeit slowly, but for an overnight charge, that’s no problem)
Not yet, Adam. I’ve been staying away from iOS 11.4.1 and higher due to the other reported problems. My iPhone 10 is still on 11.2, while my iPad Mini 3 is on 10.x, and my iPad Mini 4 is on 11.4. I’m waiting to see how iOS 12 does next month before deciding to install it or wait for 12.1.
I only have one non-Apple lightning cable and it did give me the notice when I plugged it in after over an hour of not being used. Further, although it said it was not charging my iPad, it actually was, just slow since the source apparently wasn’t supplying full iPad level wattage.
I’ve not had any problems at all with 11.4.1 over 11.4, nor do I recall reading about any. Do you have a reference to such problems? I’d like to see if I can replicate them in case it’s something I don’t normally try.
I raised this issue in another thread.
My concern was that my usual practice (for years) of dropping my iPhone into a Belkin charging dock resulted in the iPhone not charging overnight. I thought I had not docked it correctly but next time noticed the message that I needed to unlock the iPhone in order to charge it. I complained that this was an unannounced and pointless change with 11.4.1 but it was pointed out to me that Apple had “announced” it as part of the update. The security “feature” can be disabled, as Josh points out but I think that many people will be stuck with uncharged iPhones until they figure out the problem.
It is becoming increasingly frustrating that software we have become accustomed to suddenly changes its UI and simple actions have become more complicated. I had the same problem with Skype (Microsoft - say no more!) where the method of logging out became more tedious in a recent “update”.
The silver lining to changes like this, from our perspective, is that people who see our coverage will learn these things! If Apple was documenting everything really well, there’d be much less reason for TidBITS to exist.
Al, I get the same “Not charging” indication even with Apple cables when I either connect to an USB port on my iMac or if I use a 5 watt Apple charger. Apple says you need to use a 10 watt minimum charger with iPads, but a 5 watt WILL charge them albeit more slowly as you discovered. My travel charger has two 1 Amp and two 2 Amp ports, so I can charge my iPad, iPhone, and Watch without lugging 3 separate chargers.
Sorta of a “Missing Manual” supplement!
Actually, the problems were when 11.4 was released and were discussed extensively regarding their effect. I did put 11.4 on my iPad Mini 4 but I don’t use it that much yet. It really is a backup to my Mini 3. I’m just being cautious with my daily use hardware.
When did this update come out, and is there a way for me to know when I actually applied it?
I normally charge my phone nightly with an Anker PowerLine cable into an iPad charger. I transported both pieces on a trip 2.5 weeks ago with no issues and used them fine when I got back home. Last Friday I started a housesitting gig and brought them along with me, and it wouldn’t charge the phone. I tried the cable in my laptop and it wouldn’t work either. I plugged it in the car in the morning (Anker ultra-compact 24W 2 port charger with a connected lightning cable) and it worked fine.
After seeing pieces of this thread, I decided to pull the cable that failed out of my bag and try again at home. It still won’t charge, but twice I got 3 beeps/vibrates and a message to unlock the phone to use accessories. When I unlocked the phone, it still wasn’t charging.
I can charge the phone fine from an Apple cable into an Anker PowerPort 5
I can plug the Apple cable into the iPad charger and that works.
So it’s possible my Anker cable has failed… just trying to explore options before seeking a replacement.
It is part of the iOS 11.4.1 update released on 10 Jul 18. Did you install the update? If so, try going to Settings and disabling the USB Restriction. If your cables work, then that was the problem. If the cables still don’t work then you most likely either have bad cables or a bad Lightning port.
You can always check your iOS version in Settings > General > About > Version.
Yes, I’m completely aware of all that. I was simply making the point that the non-Apple cable was able to charge my iPad.
OK, Al, I misinterpreted what you were saying.
I did install it and it was probably before we went away. I’ll try to disable and see what it does - thanks!
Join the discussion in the TidBITS Discourse forum