Apple Addresses Vulnerability Exploited in Advanced iPhone and iPad Attack
On Monday, Apple rolled out updates for its mobile operating systems, iOS and iPadOS, to fix a vulnerability that the company indicated “may have been exploited in a highly sophisticated attack targeting specific individuals.”
The release notes for iOS 18.3.1 and iPadOS 18.3.1 reveal that the flaw could potentially disable USB Restricted Mode “on a locked device.” This feature, introduced in 2018, is intended to prevent an iPhone or iPad from transferring data over a USB connection if the device is locked for a week. Additionally, last year Apple added another layer of security that restarts devices if they stay unlocked for 72 hours, complicating access for both law enforcement and criminals using forensic tools.
Apple’s wording in the security update suggests that such attacks likely required physical access to the victim’s device. This means that attackers may have needed to connect a forensic tool, like Cellebrite or Graykey, to target the individual’s Apple devices to take advantage of the vulnerability. These systems are commonly used by law enforcement to unlock and extract information from iPhones and similar devices.
The vulnerability was identified by Bill Marczak, a senior researcher at Citizen Lab, a research group at the University of Toronto dedicated to studying cyberattacks against civil society.
Contact Us
If you have any further details regarding this flaw, other iPhone zero-days, or cyberattacks, please feel free to reach out to Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or through email. TechCrunch is also accessible via SecureDrop.
As of now, Apple has not made any public statements about the issue.
Marczak informed TechCrunch that he is currently not in a position to comment on the matter publicly.
It remains unclear who exploited this vulnerability and which individuals were targeted. There have been previous instances where law enforcement utilized forensic tools that typically exploit such zero-day vulnerabilities on devices like the iPhone to unlock them and access stored data.
In December 2024, Amnesty International published a report outlining a series of attacks executed by Serbian authorities using Cellebrite to unlock phones belonging to activists and journalists in the area, and then implanting malware on those devices.
Security researchers suggested that Cellebrite forensic devices were possibly used “extensively” on individuals within civil society, according to reports from Amnesty.