CSC News Table of Contents
Apple has confirmed that an ‘extremely sophisticated’ Apple USB Restricted Mode exploit has been used in targeted attacks, potentially putting iPhone and iPad users at risk.
Apple Issues Critical Patch for ‘Extremely Sophisticated’ USB Restricted Mode Exploit
This exploit tracked as CVE-2025-24200, allows attackers with physical access to bypass Apple’s USB security protections on locked devices.
Apple has released a patch for iOS 18.3.1 and iPadOS 18.3.1 to address this flaw, urging users to update their devices immediately.
Key Takeaway to Apple USB Restricted Mode Exploit:
- Apple has patched a critical vulnerability that allowed attackers to disable USB Restricted Mode on locked iPhones and iPads, potentially exposing user data to unauthorized access.
Apple USB Restricted Mode Exploit: What You Need to Know
Apple’s latest security advisory confirms that attackers have actively exploited a major flaw in Apple USB Restricted Mode, a key protection mechanism designed to block unauthorized USB access.
The security vulnerability, assigned CVE-2025-24200, allows attackers with physical access to an iPhone or iPad to bypass USB Restricted Mode without needing a passcode.
This opens the door for unauthorized data extraction and forensic hacking tools to be used on a locked device.
Apple has categorized the attack as “extremely sophisticated” and directed at specific high-profile individuals.
How USB Restricted Mode Works
USB Restricted Mode is a security feature introduced by Apple to prevent data access through the iPhone or iPad’s Lightning or USB-C port after an hour of inactivity.
It was specifically designed to counter hacking tools like GrayKey, which law enforcement agencies and bad actors have used to crack iPhone passcodes.
When enabled, the feature:
- Disables data transfer through USB after one hour of inactivity
- Turns the Lightning or USB-C port into a charge-only interface
- Requires the user to unlock the device before allowing USB data connections
This feature has been a critical line of defense against unauthorized access, but the recent Apple USB Restricted Mode exploit rendered it ineffective.
How Attackers Exploited the Flaw
Apple described the issue as an “authorization issue” that could allow an attacker with physical possession of a locked device to disable USB Restricted Mode. In practical terms, this means:
- Attackers could plug in a malicious device that tricks iOS into disabling USB security protections.
- This action reactivates data access on the USB port, even if the device has been locked for more than an hour.
- From there, attackers could use forensic tools to extract sensitive data or install spyware.
Apple’s Response and the Urgent Update
Apple has released iOS 18.3.1 and iPadOS 18.3.1 to patch this vulnerability. The company has not provided detailed indicators of compromise (IOCs) but credited Bill Marczak from The Citizen Lab at The University of Toronto’s Munk School for discovering the flaw.
The involvement of Citizen Lab suggests that this exploit was likely used in advanced surveillance operations, possibly by nation-state actors.
Apple’s official security update page emphasizes that the flaw has been fixed with improved state management to prevent unauthorized changes to USB Restricted Mode settings.
A Real-Life Example of USB Exploits in the Past
This isn’t the first time USB-based exploits have been used against iPhones. In 2018, Apple introduced USB Restricted Mode specifically to counter tools like GrayKey, which was used by law enforcement agencies to unlock iPhones.
Reports indicated that hacking groups and state-sponsored attackers developed workarounds to these restrictions.
What This Means for iPhone and iPad Users
If you own an iPhone or iPad, this exploit highlights the importance of keeping your device updated.
Security flaws like the Apple USB Restricted Mode exploit are highly valuable to attackers and can be used to target journalists, activists, and high-profile individuals.
To stay protected:
- Update your device immediately to iOS 18.3.1 or iPadOS 18.3.1.
- Enable USB Restricted Mode (Settings > Face ID & Passcode > USB Accessories > Toggle Off).
- Avoid connecting your device to untrusted USB accessories.
About Citizen Lab
Citizen Lab is a research group based at the University of Toronto’s Munk School, specializing in cybersecurity, surveillance, and human rights.
The lab has previously uncovered sophisticated spyware campaigns, including Pegasus, used by governments to monitor individuals.
Rounding Up
Apple’s quick response to the Apple USB Restricted Mode exploit demonstrates the growing sophistication of cyber threats targeting mobile devices. This case serves as a reminder that physical access to a device remains a major security risk.
While Apple has fixed this flaw, the persistence of attackers means users must remain vigilant by keeping their devices updated and using security features effectively.
FAQs
What is the Apple USB Restricted Mode exploit?
- It is a security vulnerability that allowed attackers to disable USB Restricted Mode on locked iPhones and iPads, enabling unauthorized data access.
How was the USB Restricted Mode exploit used?
- Attackers with physical access to a device could use a malicious USB accessory to bypass Apple’s security and extract data from a locked phone.
Has Apple fixed the USB Restricted Mode exploit?
- Yes, Apple patched the vulnerability in iOS 18.3.1 and iPadOS 18.3.1.
How can I protect my iPhone from USB exploits?
- Update your iPhone or iPad immediately.
- Keep USB Restricted Mode enabled.
- Avoid connecting your device to unknown or suspicious USB devices.
Where can I find more details about this Apple security update?
- You can read Apple’s official advisory here.
