Apple Addresses Vulnerability Exploited in an “Extremely Sophisticated Attack” on iPhones and iPads
On Monday, Apple rolled out updates for its mobile operating systems, iOS and iPadOS, addressing a vulnerability that the company indicated “may have been exploited in a highly sophisticated attack targeting specific individuals.”
According to the release notes for iOS 18.3.1 and iPadOS 18.3.1, the flaw allowed USB Restricted Mode to be disabled “on a locked device.” This feature, introduced in 2018, is designed to prevent an iPhone or iPad from transferring data over a USB connection if the device remains locked for seven days. Additionally, last year, Apple introduced another security measure that restarts devices if they aren’t unlocked for 72 hours, complicating access to data for both law enforcement and criminals using forensic tools.
Apple’s wording in the security update suggests that the attacks likely required physical access to the victim’s device. This means that the perpetrators had to connect a forensic device, such as Cellebrite or Graykey, to the target’s Apple device to exploit the vulnerability. These systems are employed by law enforcement to unlock and retrieve data from iPhones and other devices.
The vulnerability was identified by Bill Marczak, a senior researcher at Citizen Lab, a University of Toronto team that studies cyberattacks on civil society.
Contact Us
If you have additional information regarding this flaw, other iPhone zero-days, or cyberattacks, feel free to reach out to Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or through email. TechCrunch can also be contacted via SecureDrop.
As of the time of publication, Apple has not commented on the matter.
Marczak informed TechCrunch that he cannot comment on the record at this time.
It remains unclear who exploited this vulnerability and against whom it was used. There are documented instances in the past where law enforcement has employed forensic tools that typically exploit such zero-day vulnerabilities in devices like the iPhone to unlock them and access stored data.
In December 2024, Amnesty International published a report detailing a series of attacks conducted by Serbian authorities using Cellebrite to unlock phones belonging to activists and journalists in the country and subsequently implant malware on those devices.
Security researchers indicated that the Cellebrite forensic devices were likely used “extensively” on individuals within civil society, as reported by Amnesty.