{"id":1873,"date":"2025-02-11T11:30:02","date_gmt":"2025-02-11T11:30:02","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1873"},"modified":"2025-02-11T11:30:02","modified_gmt":"2025-02-11T11:30:02","slug":"apple-issues-emergency-patches-to-contain-an-extremely-sophisticated-attack-on-targeted-individuals","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1873","title":{"rendered":"Apple issues emergency patches to contain an \u2018extremely sophisticated attack\u2019 on targeted individuals"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Apple has rolled out emergency security patches after discovering that an \u201cextremely sophisticated attack\u201d exploited a flaw in its USB Restricted Mode, potentially targeting specific individuals.<\/p>\n<p>The company released updates for iOS and iPadOS to fix the vulnerability, which could allow attackers with physical access to disable security protections on locked devices.<\/p>\n<p>\u201cA physical attack may disable USB Restricted Mode on a locked device. 
Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,\u201d <a href=\"https:\/\/support.apple.com\/en-us\/122174\">Apple\u2019s advisory stated<\/a>.<\/p>\n<p>The fix ships as iOS 18.3.1 and iPadOS 18.3.1 for iPhone XS and later, iPad Pro (various models), iPad Air (3rd gen and later), iPad 7th gen and later, and iPad Mini (5th gen and later), and as iPadOS 17.7.5 for iPad Pro 12.9-inch (2nd gen), iPad Pro 10.5-inch, and iPad 6th gen.<\/p>\n<h2 class=\"wp-block-heading\">Apple warns of physical attack bypassing USB Restricted Mode<\/h2>\n<p>The flaw, tracked as CVE-2025-24200, allowed attackers to bypass USB Restricted Mode, a security feature designed to prevent unauthorized access via the Lightning or USB ports on locked iPhones and iPads.<\/p>\n<p>USB Restricted Mode <a href=\"https:\/\/www.computerworld.com\/article\/1694063\/apple-wins-praise-for-adding-usb-restricted-mode-to-secure-iphones.html\">was introduced in 2018<\/a> as a defense mechanism against forensic tools like Cellebrite and GrayKey, which have been used by law enforcement to access encrypted devices.<\/p>\n<p>The unusually strong language by Apple suggests a serious security concern, as Apple typically refers to vulnerabilities as \u201cactively exploited\u201d rather than specifying the sophistication or targeting of attacks.<\/p>\n<p>\u201cWhile the vulnerability requires physical access, sophisticated attackers could combine it with other remote exploits,\u201d said Sunil Varkey, an advisor at Beagle Security. \u201cPublic charging stations at airports, malls, or hotels can be modified or compromised to exploit connected devices. Attackers may also plant free chargers, cables, or adapters in public areas or distribute them as promotional gifts. 
A malicious accessory could force-enable USB data transfer and leverage the vulnerability when plugged in.\u201d<\/p>\n<p>Varkey also noted that repair shops, law enforcement agencies, or adversaries with brief physical access to a locked device could use this flaw to extract sensitive data \u2014 without needing the user\u2019s password.<\/p>\n<p>This raises significant concerns about potential misuse, especially in espionage or surveillance operations.<\/p>\n<h2 class=\"wp-block-heading\">Security researcher uncovers the exploit<\/h2>\n<p>The vulnerability was discovered by Bill Marczak, a senior researcher at Citizen Lab, a digital rights research group at the University of Toronto\u2019s Munk School.<\/p>\n<p>Marczak took to <a href=\"https:\/\/x.com\/billmarczak\/status\/1889022293432819766\">social media<\/a> to urge users to update their devices immediately, stating: \u201cUpdate your iPhones\u2026 again! iOS 18.3.1 out today with a fix for an ITW [in-the-wild] USB restricted mode bypass.\u201d<\/p>\n<p>Apple credited Marczak for reporting the issue but did not disclose details on how the exploit was used or who the targeted individuals were.<\/p>\n<p>The fix was implemented through improved state management, according to Apple\u2019s advisory.<\/p>\n<h2 class=\"wp-block-heading\">A persistent battle against device intrusions<\/h2>\n<p>Apple has long promoted the security and privacy of its devices, but vulnerabilities continue to surface, often exploited by government agencies and surveillance firms. 
Forensic technology providers like Cellebrite have built tools specifically to break into iPhones, allowing law enforcement to extract data from locked devices.<\/p>\n<p>Cellebrite\u2019s technology has been used in high-profile cases, including the attempted assassination of former US President Donald Trump, where the company reportedly unlocked the shooter\u2019s Android device in just 40 minutes.<\/p>\n<p>Experts emphasized the significance of Apple\u2019s rare emergency update, noting that it suggests high-value individuals or organizations \u2014 potentially in government or critical infrastructure \u2014 were the targets.<\/p>\n<p>\u201cIf it was a generic broad-based attack, Apple would not have mentioned the targeted nature of this,\u201d said Yugal Joshi, Partner at Everest Group. \u201cThough this does not reflect on Apple\u2019s otherwise strong security practices, it does shake customer confidence, given they think of Apple as one of the last bastions of secure devices.\u201d<\/p>\n<p>Joshi also pointed out that many enterprises allow Apple devices while restricting Android phones due to security concerns. However, the emergence of such vulnerabilities raises critical questions. \u201cIt will be interesting to know what was accessed through this mode and how grave the situation is. Though the attack may be targeted, its impact on high-value individuals and organizations can have a cascading effect,\u201d he added.<\/p>\n<p>While Apple does not directly engage with such firms, its security updates continually respond to their evolving capabilities. The company\u2019s latest fix suggests ongoing challenges in fully securing iOS devices against physical intrusion attempts.<\/p>\n<p>\u201cThis vulnerability, though considered significantly low likelihood, carries considerable severity and should not be underestimated simply because it involves a physical attack,\u201d said Shivraj Borade, Senior Analyst at Everest Group. 
\u201cIn today\u2019s interconnected world of IoT devices, no physical device is entirely isolated.\u201d<\/p>\n<p>Borade further highlighted that mobile devices are deeply integrated with a vast ecosystem of connected devices, creating an expanding attack surface:<\/p>\n<p>\u201cPhones and laptops are frequently linked to a vast ecosystem of internet-connected devices, from compact Ethernet cables to large-scale smart vehicles, often through USB connections. These attacks could be state-sponsored, targeting high-net-worth individuals and key national figures. This vulnerability proves that no device is truly air-gapped, with the attack surface expanding more than ever.\u201d<\/p>\n<p>Apple urged owners of the affected devices to install the patch. This patch follows Apple\u2019s recent fix for another zero-day vulnerability (CVE-2025-24085) that had been exploited against older iOS versions before iOS 17.2.<\/p>\n<h2 class=\"wp-block-heading\">The broader threat of commercial spyware<\/h2>\n<p>Zero-day vulnerabilities in Apple\u2019s ecosystem are highly sought after by commercial spyware vendors like NSO Group, which has been linked to government-backed surveillance operations. Spyware such as Pegasus has been used to monitor journalists, activists, and political figures worldwide.<\/p>\n<p>While NSO Group claims its technology is designed to combat terrorism and serious crime, multiple reports have exposed misuse against civil society members.<\/p>\n<p>Apple has been actively fighting back against such threats, previously suing NSO Group and notifying users potentially targeted by government spyware. 
The latest vulnerability underscores the persistent risk of highly sophisticated attacks, reinforcing the need for users to stay updated and vigilant.<\/p>\n<h2 class=\"wp-block-heading\">Apple remains silent on further details<\/h2>\n<p>Apple has not yet responded to inquiries about the nature of the attack or the individuals targeted.<\/p>\n<p>However, given the severity of the language used in its advisory, this case highlights a growing concern over physical access exploits that can compromise even the most secure consumer devices.<\/p>\n<p>For now, security experts advise iPhone and iPad users to install the latest patches immediately and remain cautious about physical access to their devices.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Apple has rolled out emergency security patches after discovering that an \u201cextremely sophisticated attack\u201d exploited a flaw in its USB Restricted Mode, potentially targeting specific individuals. The company released updates for iOS and iPadOS to fix the vulnerability, which could allow attackers with physical access to disable security protections on locked devices. 
\u201cA physical attack [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1874,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1873","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1873"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1873"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1873\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1874"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1873"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1873"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1873"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}