Patch for Vulnerable iPhone Update Released

A new iPhone update has been released, addressing a security flaw that could have been exploited to turn off the nearly seven-year-old USB security feature. The update, iOS 18.3.1 and iPadOS 18.3.1, patches a bug that allowed attackers to deactivate USB Restricted Mode, a feature introduced in iOS 11.4.1 to protect iPhone and iPad users from law enforcement devices.

Understanding USB Restricted Mode

USB Restricted Mode is a security feature that prevents USB accessories from accessing a device’s data if it hasn’t been unlocked for an hour. This feature is designed to protect users from law enforcement devices such as Cellebrite and Graykey, which are used to extract data from iPhones and iPads. The feature is also the reason for the message asking users to unlock their device before connecting it to a Mac or Windows PC.

The Patched Flaw

The bug, which was discovered by security researcher Bill Marczak of the University of Toronto’s Citizen Lab, allowed attackers to exploit the USB Restricted Mode feature. The attack required the device to be in the attacker’s physical possession, as the feature relied on the device being unlocked. Marczak reported the flaw in 2016, while in grad school, and discovered the iPhone’s first known zero-day remote jailbreak.

Who Exploited the Flaw?

While Apple did not disclose who or what entity exploited the flaw, the company noted that it is aware of a report that the issue may have been exploited. This suggests that the attack was targeted and specific, rather than a widespread exploit.

Activating USB Restricted Mode

To activate USB Restricted Mode, users can head to Settings > Face ID (or Touch ID) & Passcode and scroll down to “Accessories”. The toggle should be off, which is the default setting. It’s worth noting that toggling the setting off means the security feature is on.

Installing the Update

To install the update, users can head to Settings > General > Software Update on their iPhone or iPad.

Key Takeaways

• The new iPhone update patches a security flaw that could have been exploited to turn off the USB security feature.
• The feature is designed to protect users from law enforcement devices.
• The attack required the device to be in the attacker’s physical possession.
• The update is available for iOS 18.3.1 and iPadOS 18.3.1.