One of the basic principles of computer security is that if someone has physical access to a machine, compromising it is simply a matter of time (yes, even technologies like whole-disk encryption via GPG/PGP, BitLocker, or TrueCrypt are often still susceptible to “Evil Maid” attacks). But while all devices are vulnerable to hands-on attacks, some devices are more vulnerable than others.
Innocuous-looking USB accessories for both PCs and smartphones have long been a preferred vector for attacks aiming to gain unauthorized access to a machine. A device that looks like a USB stick can mimic a keyboard or mouse and direct the computer it is plugged into to dump data to an external device or online file storage, an attack no antivirus or antimalware software can prevent. Smartphones have been susceptible to similar attacks, even from something as seemingly innocent as a regular phone charger. These hardware-based attacks have been well documented, and while a passcode on the device can mitigate such attempts, it’s no cure-all.
With iOS 7, Apple has introduced a new feature called “trusted devices”, which requires the user to explicitly authorize the attached USB “charger”/accessory before it can access data on the device. When an iPhone is plugged into a computer (or a computer masquerading as a charger), the user sees the following prompt:
Trust the currently connected computer?
Trusting this computer will allow it full access to your device and all of its data.
This prompt is only shown on an unlocked iPhone. Until the user selects the “trust” option, the iPhone will treat the connected accessory as a “dumb” power source and will not present any USB mass storage device interfaces, rendering USB-based attacks against a (locked) iPhone ineffective.
Combined with some of the other security improvements shipped in the next iOS update (“Find my iPhone” enabled even after full device format, iTunes account-based activation lock after full format, etc.), iOS 7 is shaping up to be the most security-centric release to date.