Apple warns 'extremely sophisticated attack' may be targeting iThings Apple has warned that some iPhones and iPads may have been targeted by an “extremely sophisticated attack” and has posted patches that hopefully prevent it. The patches fix a flaw in USB Restricted Mode, a feature Apple introduced in 2018 and which disables the Lightning or USB ports on iPhones and iPads if they’re locked for …
If you have physical access, security is already compromised.
I'm reassured to know that this attack can only take place in the real world, not by malformed SMS or some other Internet-based hack.
Sure, it's an issue, and it's good that Apple is doing something about it, but honestly, no Russian/Chinese/North Korean hacker is going to be able to take advantage of this.
So who can ? Your spouse, close friend or whatever other enemy already lives next to you.
Not nice, but you just might find out who you really can't trust.
You don't HAVE to give them the login - if they really want it for some reason and you don't give it to them then it will likely have negative consequences, but, if those consequences are not as bad as whoever it is seeing what's on the device, then it's the best of a bad job. If they can login anyway due to a vulnerability in the device then you've lost that choice.
Or what? You won't get your phone back?
Let's all be good security practitioners here. Would you want your phone back after an unknown 3rd party had full permissions to access it? Who knows what they could have installed. Seems to me you could never fully trust the device again.
If you have physical access, security is already compromised
Apple's ultimate goal is make that no longer the case.
You may never get there, but the higher the bar for breaking into a device you have physical access to the fewer who are able to do so. You may never stop someone with the resources of the NSA or China's equivalent from getting in, because if they find a way in they can keep it a secret. If a company sells devices that can unlock a phone then it is only a matter of time before that method gets out and it can be patched (as may be the case with this update) That pretty much protects you unless you are someone that a major nation state would consider expending resources on, which safe to say probably doesn't include anyone who reads The Reg.
That's very annoying that there seems to be no security update for iOS 17. I'm sure I'm not alone in wanting to put off the so-called "upgrade" to iOS 18, with all of its Artificial Idiocy tentacles intertwined through it (and default-on for some aspects of it (coughs in GDPR)), for as long as possible!
So upgrade and disable Apple Intelligence. Why do you care if it is default on unless there is no off switch? Apple only supports the old OS for a few months unless it is the last version for some models. After that if you want the security updates you have to upgrade. I mean how far back do you think they should go, if you wanted to stick with iOS 13 on a phone that is able to run iOS 18 that choice is on you.
I'm more curious if they will release an iOS 16 and iOS 15 version of this, to handle the phones that can't run iOS 18. They usually do for 0 days that are actively being exploited, though the fixes usually arrive the following week.
Apple are being extra hard on this I think which is good to see. Hopefully they'll tell the UK govt to piss off about access into their cloud too.
What idiots like the UK security services don't realise its that it's actually people's lives that are protected by these security measures but I guess they're only journalists & dissidents fighting against some of our arms customers so I assume they don't count
What we need is a secondary emergency passcode that wipes the phone.
Put some guardrails around it - FaceID is shut off, warnings around data since last backup will be lost, force the use of a passcode to unlock, etc. Make it inconvenient so that the feature is only activated when a user knows they are going in to a high risk situation.
"Give me your passcode or go to jail!!!"
"Sure, but this is a burner phone and there is nothing on it."
Gives emergency passcode.
"See, I told you so."
A good idea, but if you do find yourself in that situation, it's possibly a situation where you unfortunately might find yourself on the receiving end of the scenario in xkcd: Security regardless (see also: suspect accidentally fell down the stairs, defensive restraint as the suspect was 'resisting arrest', etc, etc).
Some folks have *already* been jailed under RIPA 2016 because their iThing wouldn't unlock, then quietly freed because their story about 'The phone not working since the last iOS update' was due to a previous repair that swapped a component like the screen assembly with one from another device to fix another issue without an official Apple repair agent carrying it out.
This has been a big problem and unfortunately Apple have made it worse by 'Refusing' to help law enforcement in this situation.
Right to repair works both ways, if a company intentionally makes things difficult by putting in trap doors then sooner or later they will be punished.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
