What is USB Restricted Mode in macOS Ventura, and why do you want it?
Credit to Author: Jonny Evans| Date: Mon, 15 Aug 2022 06:35:00 -0700
Once upon a time, one attack vector for industrial sabotage consisted of exfiltrating data from Macs using a standard-issue USB storage card. Researchers have also shown that it’s possible to hijack computers with malware-infested cables. It’s a jungle out there, so Apple has toughened up (Apple Silicon) Mac protection with USB Restricted Mode.
Beginning with macOS Ventura, the new layer of protection comes in the form of USB Restricted mode, which should provide a little reassurance to enterprise IT and is enabled by default.
An Apple developer note explains this protection: “On portable Mac computers with Apple silicon, new USB and Thunderbolt accessories require user approval before the accessory can communicate with macOS for connections wired directly to the USB-C port.”
If this sounds familiar, it is. It already exists on iPads and iPhones. It’s worth noting that support for mass storage devices on both those platforms always lagged the Mac, and it’s only since iOS 13 that you have been able to use external storage with those.
On the Mac, things have kind of worked in the other direction. Macs have always supported external storage media, but Apple has now made this more secure — though Apple Silicon systems.
The idea is that when a new USB or Thunderbolt device is connected to the Mac, the user will be asked to approve the connection. If a Mac is locked the end user must unlock it before the computer will recognize the accessory. This uses the new-to-the-Mac allowUSBRestrictedMode restriction. The protection is initiated when your Mac has been left locked for an hour or so.
Apple says it doesn’t apply to power adapters, displays, or connections to an approved hub, and devices will still charge even if you choose Do Not Allow for use of a connected accessory. The idea is that energy flows, but data does not.
Why do you want it? The security environment continues to deteriorate, and the idea here is that this protection provides one more wall to protect Mac users and their data. It also puts a stop to systems such as GrayKey to crack hardware security to get to the data.
In practice, most people won’t encounter a problem. They will attach a USB device, approve it, and won’t need to think about it much beyond that. (They may need to approve the use intermittently, but that’s it.)
Apple’s tech notes for the iPad/iPhone implementation of the feature explain:
“If you don’t first unlock your password-protected iOS device – or you haven’t unlocked and connected it to a USB accessory within the past hour – your iOS device won’t communicate with the accessory or computer, and in some cases, it might not charge. You might also see an alert asking you to unlock your device to use accessories.”
The new protection works well alongside the also-soon-to-debut Automated Device Enrollment feature, which forces anyone attempting to setup an enrolled Mac to engage with the enrollment process. This makes it much harder for unauthorized people to open a Mac in an attempt to get to data that is not theirs to grab.
What about updates? Apple explains that accessories attached during software update from prior versions of macOS are allowed automatically. New accessories attached prior to rebooting the Mac might work, but won’t be remembered until connected to an unlocked Mac and explicitly approved.
This is just the latest security enhancement Apple has now managed to put in place across its platforms.
Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.