First analysis of the Apple USB Restricted Mode bypass (CVE-2025-24200)

  • Apple released iOS 18.3.1 to patch a vulnerability in the Accessibility framework reported by Citizen Lab.
  • The vulnerability affects iPhone XS and later, certain iPad models, and can disable USB restricted mode on a locked device. Apple is aware of an exploit against specific targeted individuals.
  • USB restricted mode disables data connections over the port once the device has been locked for more than an hour. It mitigates attacks by forensic extraction tools.
  • The patch addresses an authorization issue with improved state management and adds new basic blocks in relevant binaries.
  • In the AXSpringBoardServerInstance framework, a function gained 4 new basic blocks with a check to ensure the device is unlocked before presenting an alert.
  • In the profiled daemon, a function was patched and gained 6 basic blocks, checking that the device is unlocked before setting parameters.
  • The attack vector involves the assistivetouchd daemon. Connecting an MFi-certified device through the -[SCATScannerManager handleUSBMFiDeviceConnected] function can trigger an alert to disable USB restricted mode.
  • The function can be manually triggered using Frida on an iPhone X running iOS 16.7.10. The legitimate way to trigger it is by plugging an MFi-certified switch control device (formerly a lightning device).
  • Disclaimers: The authors lack the necessary hardware to test, and restricted mode is not the only mitigation. Other attack vectors may exist, and it is advisable to update devices.
  • References include Apple support articles and other security-related resources. For more on security audits, get in touch with Quarkslab.
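The two fixes described above share one pattern: a state-changing action (disabling USB restricted mode) that was reachable while the device was locked, and a patch that gates it on the unlock state. The following Python model is an added illustration, not Apple's code or Quarkslab's; the class and function names (`DeviceState`, `UsbRestrictedModeModel`, `handle_accessory_connected`, `scenario`) are assumptions chosen for the example. It reproduces only the logic the bullets describe: restricted mode engages after more than an hour locked, and the patched path refuses to present the prompt unless the device is unlocked.

```python
"""Model of USB restricted mode and the missing unlock check (added example).

Names below are assumptions for illustration; they are not the real
framework or daemon symbols.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

RESTRICTED_MODE_DELAY_S = 3600  # lock duration after which data over the port is cut


@dataclass
class DeviceState:
    unlocked: bool = True
    locked_at: Optional[float] = None  # timestamp of the last lock event
    usb_restricted: bool = False       # True once data connections are disabled


class UsbRestrictedModeModel:
    """patched=False reproduces the pre-18.3.1 behaviour; patched=True adds the check."""

    def __init__(self, patched: bool) -> None:
        self.patched = patched
        self.state = DeviceState()
        self.audit: List[str] = []

    def lock(self, now: float) -> None:
        self.state.unlocked = False
        self.state.locked_at = now

    def unlock(self) -> None:
        self.state.unlocked = True
        self.state.locked_at = None
        self.state.usb_restricted = False  # a legitimate unlock re-enables the port

    def tick(self, now: float) -> None:
        """Engage restricted mode once the device has been locked for over an hour."""
        s = self.state
        if (not s.unlocked and s.locked_at is not None
                and now - s.locked_at > RESTRICTED_MODE_DELAY_S):
            s.usb_restricted = True

    def handle_accessory_connected(self) -> bool:
        """Path reached when an accessory triggers the 'disable restricted mode' prompt.

        Returns True if the prompt is presented and restricted mode is turned off.
        The patched variant models the added basic blocks: refuse while locked.
        """
        if self.patched and not self.state.unlocked:
            self.audit.append("denied: device locked, prompt not presented")
            return False
        # Unpatched behaviour: the prompt is presented regardless of lock state.
        self.state.usb_restricted = False
        self.audit.append("restricted mode disabled via accessory prompt")
        return True


def scenario(patched: bool) -> Tuple[bool, bool]:
    """Lock the device, wait past the delay, then connect an accessory.

    Returns (restricted before the accessory, restricted after the accessory).
    """
    model = UsbRestrictedModeModel(patched)
    model.lock(now=0.0)
    model.tick(now=RESTRICTED_MODE_DELAY_S + 1)
    before = model.state.usb_restricted
    model.handle_accessory_connected()
    return before, model.state.usb_restricted


if __name__ == "__main__":
    for flag in (False, True):
        print("patched" if flag else "unpatched", scenario(flag))
```

Running the two scenarios shows the difference the patch makes: in the unpatched model the accessory prompt clears the restriction on a locked device, while in the patched model the restriction survives until a real unlock. An unlocked device still gets the prompt in both variants, which is the legitimate switch-control use case the bullets mention.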