What is USB Restricted Mode in macOS Ventura and why do you want it?

Once upon a time, an attack vector for industrial sabotage involved exfiltrating Mac data with a standard USB storage card. Researchers have also shown that computers can be hijacked with malware-infested cables. It's a jungle out there, so Apple has beefed up protection on Apple silicon Macs with USB Restricted Mode.

What is USB restricted mode?

Starting with macOS Ventura, the new layer of protection comes in the form of USB Restricted Mode. It is enabled by default and should give corporate IT a bit of peace of mind.

An Apple Developer Note explains this protection: "On portable Mac computers with Apple silicon, new USB and Thunderbolt accessories require user approval before the accessory can communicate with macOS for wired connections directly into the USB-C port."

If that sounds familiar, it is: the feature already exists on iPad and iPhone. It's worth noting that support for mass storage devices on these two platforms has always lagged behind the Mac; only since iOS 13 have they been able to use external storage.

On Mac, things worked the other way around. Macs have always supported external storage media, but now Apple has made this more secure on Apple silicon systems.

How USB restricted mode works

The idea is that when a new USB or Thunderbolt device is connected to the Mac, the user will be prompted to approve the connection. If a Mac is locked, the end user must unlock it before the accessory will be recognized by the computer. This uses the new allowUSBRestrictedMode restriction for newer Macs. Protection starts when your Mac has been locked for about an hour.

Apple says this doesn't apply to power adapters, displays, or connections to an approved hub, and devices will continue to charge even if you choose "Don't Allow" for a connected accessory. The idea is that power flows, but data does not.

Why do you want it? The security environment continues to deteriorate, and the idea here is that this protection provides one more wall to protect Mac users and their data. It also puts an end to the use of systems like GrayKey to break hardware security and access data.

Make good people happy

In practice, most people will not encounter any problems. They'll plug in a USB device, approve it, and not have to think much more about it. (They may need to approve use intermittently, but that's about it.)

Apple's technical notes on how the feature is implemented on iPad and iPhone explain:

"If you don't unlock your password-protected iOS device first, or if you haven't unlocked it and connected a USB accessory in the last hour, your iOS device won't communicate with the accessory or the computer, and in some cases, it may not charge. You may also see an alert asking you to unlock your device to use accessories."

The new protection works well with the soon-to-launch automatic device enrollment feature, which requires anyone trying to set up an enrolled Mac to participate in the enrollment process. This makes it much more difficult for unauthorized people to open a Mac to access data that doesn't belong to them.

Where is USB restricted mode controlled?

What about updates? Apple explains that accessories attached while updating software from previous versions of macOS are automatically allowed. New accessories attached before the Mac restarts may work, but they won't be remembered until they're connected to an unlocked Mac and explicitly trusted.

This is just the latest security enhancement that Apple has managed to implement on its platforms.

Copyright © 2022 IDG Communications, Inc.