Apple released updates for iOS and iPadOS that patch a critical security flaw that theoretically would allow cybercriminals and others to evade USB Restricted Mode on secured devices. That feature, initially rolled out in 2018, was introduced to prevent unwanted data transfer through USB unless the device had previously been unlocked in the last week.
The flaw was discovered by Bill Marczak of Citizen Lab, who explained that it would have been exploited with physical access to the device and the use of forensic tools like Cellebrite or Graykey. These tools are traditionally used by law enforcement bodies to unlock iPhones, but they have previously been misused by autocratic governments to track activists and reporters. For example, a report by Amnesty International highlighted how Serbian officials were using Cellebrite to access journalists’ phones and implant malware on them to monitor their activities.

Apple’s response to the discovery also remains somewhat ambiguous. While the company has released security updates to address the flaw, it has refused to disclose how prevalent exploitation was or who the victims were. The release notes do suggest targeted and sophisticated attacks, and it is conceivable that the flaw was exploited by well-funded actors with physical access to the devices.
This threat illustrates one of the enduring challenges in cybersecurity: striking a balance between protecting user privacy and helping law enforcement agencies combat crime with technology that can obtain access to encrypted data in investigations. With such breaches on the rise, it is clear that there must be greater protection and improved policies that safeguard personal privacy as well as national security interests.