Secure USB-C on iPhone and Mac: MDM admins can reduce security
The so-called USB restricted mode actually ensures that Apple devices are difficult to attack via the USB-C port. Admins can prevent this.
iPhone 15 with USB-C port: Attack surface data cable.
(Image: Sebastian Trepesch)
Mobile Device Management (MDM) lets administrators configure and control Apple devices to a large extent. As Apple's MDM documentation shows, this includes a number of settings that exist for security reasons. IT departments and other MDM managers should therefore weigh carefully before changing them. One particularly important setting is USB restricted mode, which admins can also switch off via MDM if they choose.
Connection permission on the Mac
Both the Mac and an iPhone or iPad ask for permission when a USB-C device is plugged in. This matters because various attack methods work over the cable, ranging from hacking "toys" such as the Rubber Ducky or Flipper Zero to the professional unlocking tools used by police authorities and intelligence services. The prompts are important precisely because they block a device connection that could otherwise be used to mount such attacks. Although many users find them annoying, they serve a security purpose.
According to Apple's documentation, admins can now set the so-called "allowUSBRestrictedMode" flag on Macs, which suppresses the prompt entirely. Apple's stated rationale is that this is necessary in "some environments". Users can in principle change this themselves, but they would have to dig deep into the system settings, which very few are likely to do.
iPhone and iPads and the "host computer"
With iPhones and iPads, admins control what is known as host pairing, and the same caution applies here. The restriction setting "Allow pairing with non-Apple Configurator hosts" makes it possible to connect the device to other, potentially problematic machines; Apple recommends prohibiting it so that a company device cannot pair with untrusted hosts.
Since iOS 14.5 and iPadOS 14.5, Apple has also added a safeguard so that computers that are not paired cannot put the devices into recovery mode. Admins also decide which additional accessories are permitted. This includes, for example, permission to connect Ethernet adapters to the iPhone and iPad, which can be used to reach the network even while the device is locked.
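As an added example that is not part of the article or of Apple's tooling, the following script audits a configuration profile for the two settings discussed above (the Mac flag allowUSBRestrictedMode and the iOS/iPadOS host-pairing restriction) and flags any payload that weakens USB security. It assumes the standard Restrictions payload type `com.apple.applicationaccess` and the key name `allowHostPairing` for the host-pairing setting; the sample profile is constructed for illustration.

```python
"""Audit an Apple configuration profile (.mobileconfig) for restriction keys
that weaken USB security on Macs, iPhones and iPads."""
import plistlib

# Restriction keys and the value that WEAKENS security (assumed key names for the
# com.apple.applicationaccess payload; allowHostPairing is assumed, not from the article).
WEAKENING = {
    "allowUSBRestrictedMode": False,  # False switches off USB restricted mode on the Mac
    "allowHostPairing": True,         # True permits pairing with non-Configurator hosts
}


def audit_profile(profile_bytes: bytes) -> list[str]:
    """Return one finding per weakening key found in any Restrictions payload."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue  # only the Restrictions payload carries these keys
        ident = payload.get("PayloadIdentifier", "?")
        for key, weak_value in WEAKENING.items():
            if key in payload and payload[key] == weak_value:
                findings.append(f"{ident}: {key}={weak_value}")
    return findings


# Constructed sample profile: host pairing is locked down, but USB restricted mode is disabled.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.restrictions",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": "example.restrictions.usb",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadVersion": 1,
        "allowUSBRestrictedMode": False,
        "allowHostPairing": False,
    }],
})

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("WEAKENED:", finding)
```

Run it against exported profiles before deployment; an empty result means neither setting is relaxed.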
(bsc)