On Monday, Apple released updates for its mobile operating systems for iOS and iPadOS, which fixed a flaw that the company said “may have been exploited in an extremely sophisticated attack against specific targeted individuals.”
In the release notes for iOS 18.3.1 and iPadOS 18.3.1, the company said the vulnerability allowed the disabling of USB Restricted Mode “on a locked device.” Introduced in 2018, USB Restricted Mode is a security feature that blocks the ability for an iPhone or iPad to send data over a USB connection if the device isn’t unlocked for seven days. Last year, Apple released another security feature that reboots devices if they are not unlocked for 72 hours, making it harder for law enforcement or criminals using forensic tools to access data on those devices.
Based on its language used in its security update, Apple hints that the attacks were most likely carried out with physical control of a person’s device, meaning whoever was abusing this flaw had to connect to the person’s Apple devices with a forensics device like Cellebrite or Graykey, two systems that allow law enforcement to unlock and access data stored on iPhones and other devices.
The vulnerability was discovered by Bill Marczak, a senior researcher at the Citizen Lab, a University of Toronto group that investigates cyberattacks against civil society.
Contact Us
Do you have more information about this flaw, or other iPhone zero-days and cyberattacks? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
Apple did not respond to a request for comment by press time.
Marczak told TechCrunch that he couldn’t comment on the record at this point.
It’s unclear at this point who was responsible for abusing this flaw, and against whom it was used. But there have been documented cases in the past where law enforcement agencies have used forensic tools, which usually abuse so-called zero-day flaws in devices like the iPhone, to unlock the devices and access the data inside.
In December 2024, Amnesty International released a report documenting a series of attacks by Serbian authorities where they used Cellebrite to unlock the phones of activists and journalists in the country, and then install malware on them.
Security researchers said that the Cellebrite forensic devices were likely used “widely” on individuals in civil society, according to Amnesty.
Lorenzo Franceschi-Bicchierai is a Senior Writer at TechCrunch, where he covers hacking, cybersecurity, surveillance, and privacy. You can contact Lorenzo securely on Signal at +1 917 257 1382, on Keybase/Telegram @lorenzofb, or via email at lorenzo@techcrunch.com.