Initially, it was believed that this could seriously handicap the functionality of the GrayKey box used to crack iPhone passcodes; however, forensics experts tell Motherboard that Grayshift has already circumvented the feature in a beta build.
“Grayshift has gone to great lengths to future proof their technology and stated that they have already defeated this security feature in the beta build. Additionally, the GrayKey has built in future capabilities that will begin to be leveraged as time goes on,” a June email from a forensic expert reads.
“They seem very confident in their staying power for the future right now,” the email adds.
A second source said that Grayshift addressed USB Restricted Mode in a webinar a few weeks ago.
The GrayKey box has two ways of accessing data on a device: Before First Unlock (BFU) or After First Unlock (AFU). If a phone has not been unlocked after boot, it takes the device 10 minutes per passcode try and limited data is accessible. If the phone has been unlocked since being booted, a fast brute force mode allows for 300,000 tries and allows "parallel extraction of pre-unlock data." If AFU works, "95% of the user’s data is available instantly."
Hopefully, Apple's USB Restricted Mode will largely prevent AFU attacks. Please follow iClarified on Twitter, Facebook, Google+, or RSS for updates.