Understanding How iMessage Scams Attempt to Evade Apple Protections

A vulnerability has been identified within the USB-C port controller on the iPhone 15 and 16 models. Although technically exploitable, the complexity involved leads both Apple and the security analyst who uncovered the issue to believe it does not pose a practical threat to users.

On the other hand, a pressing concern for iPhone users relates to a method scammers are utilizing to circumvent Apple’s built-in protections…

Security Vulnerability in iPhone’s USB-C Port

Security expert Thomas Roth has found a vulnerability in the USB-C controller chip that was introduced into Apple’s supply chain in 2023. As reported by Cyber Security News, this flaw could theoretically allow for the compromise of an iPhone.

Security researchers successfully exploited Apple’s proprietary ACE3 USB-C controller, which marks a significant advancement in USB-C technology by managing power delivery and functioning as a complex microcontroller with access to essential internal systems. […]

[Roth’s team achieved] code execution on the ACE3 chip by meticulously measuring electromagnetic signals during the chip’s startup, pinpointing the exact moment firmware validation took place.

By employing electromagnetic fault injection at this critical stage, they effectively bypassed validation checks and loaded a modified firmware patch into the chip’s CPU.

In theory, this could allow an attacker full control over an iPhone.

However, executing this attack would necessitate physical access to the device and would be exceedingly challenging. According to Macworld, Apple deemed it an unrealistic threat after reviewing the exploit technique, and Roth concurred.

Scammer Tactics Bypassing Protections via iMessage

Scammers frequently leverage SMS and iMessage to disseminate links designed for phishing attacks and potential malware installation on iPhones.

To safeguard against these threats, if you receive an iMessage from an unknown contact with whom you’ve had no prior communication, your iPhone will automatically disable any links within the message, rendering them as plain text and non-interactable.

Nevertheless, scammers have discovered a workaround. If they manage to convince you to respond to the message, even with a simple “STOP” command meant to ask a legitimate sender to halt further communications, this protective feature is disabled.

BleepingComputer reports that by replying, even minimally, the iPhone considers the sender to be authentic, thereby enabling any link associated with the message.

Apple informed BleepingComputer that if a user replies or adds the sender to their contact list, the links will become active.

In recent months, BleepingComputer has observed an increase in smishing attacks aimed at tricking users into responding to texts, thus reactivating links.

The site showcased instances of fraudulent texts purporting to be from USPS and a toll road company, each urging the recipient to reply with “Y” to reactivate links.

This issue is prevalent enough that I found examples simply by browsing through my deleted messages folder.
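The link-activation rule and the reply-bait pattern described above can be turned into a triage check for user-reported messages. The following is an added example, not code from Apple or BleepingComputer; the `Message` fields, the state labels, the regular expressions and the sample messages are all constructed assumptions.

```python
import re
from dataclasses import dataclass, replace

# Constructed patterns for this example; tune against your own reported messages.
URL_RE = re.compile(r"https?://\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}/\S*", re.I)
# Matches instructions such as: Reply Y / respond with "STOP" / reply YES.
REPLY_BAIT_RE = re.compile(r"\b(?:reply|respond)\b[^.!?\n]{0,30}?\b(?:y|yes|stop)\b", re.I)

@dataclass(frozen=True)
class Message:
    sender: str
    body: str
    in_contacts: bool = False   # sender was added to the contact list
    user_replied: bool = False  # user has already answered this sender

def links_active(msg: Message) -> bool:
    """Model of the rule described above: a reply or a contact entry enables links."""
    return msg.in_contacts or msg.user_replied

def triage(msg: Message) -> str:
    if not URL_RE.search(msg.body):
        return "no_links"
    if msg.in_contacts:
        return "trusted_contact"
    if msg.user_replied:
        return "activated_by_reply"  # link is live only because the user answered
    if REPLY_BAIT_RE.search(msg.body):
        return "reply_bait"          # inert link plus an instruction to reply
    return "links_inert"

# Constructed sample messages (not taken from any real campaign).
SAMPLES = [
    Message("+15550100", "USPS: package on hold. Reply Y, then reopen this text "
                         "to use the link: https://usps-redelivery.example/track"),
    Message("+15550101", 'Unpaid toll. Respond with "Y" to pay at tolls-pay.example/inv'),
    Message("+15550102", "Your order shipped: https://shop.example/o/1"),
    Message("+15550103", "Your code is 123456. Reply STOP to opt out."),
    Message("Alex", "Menu for lunch: https://cafe.example/menu", in_contacts=True),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.sender:10} {triage(m):18} links_active={links_active(m)}")
    # The same USPS-style message after the user sends "Y": the link is now live.
    answered = replace(SAMPLES[0], user_replied=True)
    print(f"{answered.sender:10} {triage(answered):18} links_active={links_active(answered)}")
```

Messages labelled `activated_by_reply` are the ones to review first, since the link is clickable only because the user answered an unknown sender.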

Preventative Measures

Always avoid clicking on links received in emails or messages unless you are expecting them. It’s wise to use your own bookmarks or enter URLs manually instead, and to do even that only if you have substantial reason to trust that the message is legitimate. When in doubt, contact the organization directly using verified contact details to confirm.

Photo: DMN
