Apple seeds critical update to guard iPhones from USB hacking tools

Installing iOS 18.3 update on an iPhone 16 Pro.
Nadeem Sarwar / Digital Trends

Apple has released a fresh software update for iPhones and iPads to plug a critical flaw that could allow bad actors to extract data even from a locked device. The company says if granted physical access, an attacker could break past the safety of USB Restricted Mode on the target iPhone or iPad.

The aforementioned guardrail prevents USB accessories from pulling data from an iPhone that has been sitting in a locked state for over an hour. It seems there was an authorization flaw within Apple’s Accessibility framework that could allow an attacker to disable the USB Restricted Mode safety net.

“Update your iPhones.. again,” says Bill Marczak, the security expert who discovered the vulnerability, which Apple confirms to have been exploited. The iOS 18.3.1 and iPadOS 18.3.1 updates are now rolling out globally, and you can install them by following this path: Settings > General > Software Update.

Why should you care?

The vulnerability was reported by an expert hailing from Citizen Lab at The University of Toronto’s Munk School. And it seems the weakness has been exploited in the wild, but, in typical Apple fashion, the specific details have not been revealed.

“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” Apple says in its release notes. Following is a list of devices that are eligible for the update:

  • iPhone XS and later
  • iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later
  • iPad Air 3rd generation and later
  • iPad 7th generation and later
  • iPad mini 5th generation and later

Update your iPhones.. again! iOS 18.3.1 out today with a fix for an ITW USB restricted mode bypass (via Accessibility) https://t.co/jcrsab7RGu pic.twitter.com/ER42QQcsLj

— Bill Marczak (@billmarczak) February 10, 2025

Apple introduced USB Restricted Mode roughly seven years ago. This feature fundamentally blocks an external USB device from establishing a data connection with an iPhone. It also serves as a crucial line of defense against devices such as those offered by Cellebrite, which are often used by law enforcement agencies to brute-force their way into a locked iPhone and extract data.

In November, Apple strengthened the safety guardrails with an inactivity reboot system that was quietly introduced with the iOS 18.1 update. Essentially, it tracks how long a device has been inactive and automatically reboots iPhones that have not been unlocked in a while.

That rebooting is the key to the security magic. As soon as an iPhone restarts, it enters a Before First Unlock (BFU) state, which encrypts files stored on the device. Only after the device is unlocked is a decryption key generated, which eventually allows access to the local data.

Even Cellebrite, which has long been a favorite of law enforcement agencies for cracking open locked devices, warns investigators that if they seize a device, they should keep it powered on so that meaningful data extraction is possible.

Nadeem Sarwar