Apple has released an urgent security update addressing a significant zero-day vulnerability (CVE-2025-24200) that enabled attackers to bypass the USB Restricted Mode protection on locked iOS devices. This critical security feature, designed to prevent unauthorized data access, could be compromised through sophisticated targeted attacks when physical access to the device was obtained.
Understanding USB Restricted Mode and Its Security Implications
USB Restricted Mode, implemented in iOS 11.4.1 approximately seven years ago, serves as a fundamental security mechanism for Apple devices. The feature automatically disables data transmission through Lightning and USB-C ports when a device remains locked for more than an hour. While charging capabilities remain functional, any data interaction requires device authentication by the legitimate owner.
Technical Analysis of the Vulnerability
The security flaw, discovered by Bill Marczak from Citizen Lab, has been categorized as an authorization bypass vulnerability. Apple has addressed this issue through security updates iOS 18.3.1, iPadOS 18.3.1, and iPadOS 17.7.5. While specific exploitation details remain confidential to prevent misuse, the vulnerability required physical device access for successful exploitation.
Impact on Device Security and Forensic Tools
This vulnerability raises significant concerns regarding device security, particularly in the context of forensic tools like Graykey and Cellebrite, commonly employed by law enforcement agencies for data extraction. In response to emerging threats, Apple implemented additional security measures in late 2024, including an automatic device restart feature following extended periods of inactivity.
The discovery highlights the ongoing challenges in mobile device security, particularly given Citizen Lab’s track record of identifying critical vulnerabilities in Apple products targeted at journalists and activists. A notable example includes the identification of CVE-2023-41061 and CVE-2023-41064, which were exploited in the BLASTPASS attack chain to deploy Pegasus spyware. Users are strongly advised to install the latest security updates immediately to protect against potential exploitation attempts. This incident underscores the critical importance of maintaining current security patches and remaining vigilant against sophisticated security threats targeting mobile devices.
