A security flaw has been identified in the USB-C port controller found in the iPhone 15 and 16 models. While this vulnerability could theoretically be exploited, both Apple and the researcher who uncovered it agree that it is not a real-world risk due to the complexity involved.
Conversely, a significant concern for iPhone users is a method that scammers are using to circumvent Apple’s inherent security features. Update: A surge in E-ZPass scam messages appears to have been prompted by a phishing kit from China – see the new section below…
Vulnerability in iPhone’s USB-C Controller
The USB-C controller chip, introduced into Apple’s supply chain in 2023, has been flagged by security researcher Thomas Roth as having a vulnerability. According to Cyber Security News, it could potentially be used against an iPhone.
Researchers have successfully compromised Apple’s proprietary ACE3 USB-C controller. This chip, released with the iPhone 15 and iPhone 15 Pro, represents a major advancement in USB-C technology, managing power delivery and functioning as a complex microcontroller with access to vital internal systems […]
Roth’s team was able to achieve code execution on the ACE3 chip. By meticulously measuring electromagnetic signals during its startup, they pinpointed the exact moment firmware validation happened.
Employing electromagnetic fault injection at this crucial moment, they managed to bypass the validation checks and load modified firmware onto the chip’s CPU.
In theory, this could grant an attacker total control over an iPhone.
Nonetheless, it would necessitate physical access to the device and is highly challenging to execute. Macworld states that Apple came to the conclusion that the method was not a credible threat after analyzing it, a sentiment echoed by Roth.
Scammers’ Tactic to Bypass iMessage Protections
Scammers frequently utilize SMS and iMessage to distribute links intended for phishing attacks and malware installation on iPhones.
To safeguard users, if you receive an iMessage from someone not in your contacts and with whom you’ve had no prior communication, your iPhone automatically disables any links within that message. These links appear as plain text and are non-tappable.
However, scammers have devised a way to circumvent this protection. If they can persuade you to respond to the message, even with a simple STOP command meant to request a legitimate sender to stop messaging you, this security feature is deactivated.
BleepingComputer reports that by sending even a one-character reply, your iPhone recognizes the sender as legitimate and re-enables the links.
Apple informed BleepingComputer that should a user reply to that message or add the sender to their contacts, the links will be activated.
Recently, BleepingComputer has noted an increase in smishing attacks aimed at tricking users into replying to texts, thereby reactivating the links.
The site provided examples of fraudulent texts appearing to be from USPS and toll road companies, each prompting the recipient to respond with a Y, which would activate the links.
This phenomenon is prevalent enough that I discovered similar examples readily in my deleted messages folder.
Update: E-ZPass Scams Linked to Chinese Phishing Kit
Krebs on Security reports that a wave of E-ZPass and other toll road scam messages may be stemming from a phishing kit available in China.
Researchers have observed that the rise in SMS spam coincides with new functionalities introduced to a widely-used commercial phishing kit sold in China, simplifying the process of creating convincing lures that fake toll road operators across various U.S. states.
Ways to Protect Yourself
Avoid clicking or tapping any links received via email or other messages unless you were expecting them. The best practice is to rely solely on your bookmarks or manually type URLs, and only do so if you have sufficient reason to believe the message is authentic. If unsure, contact the company directly using known contact information to confirm.
Photo: DMN
FTC: We utilize income-generating auto affiliate links. More.
