Un trucco con le frodi di iMessage, alimentata da un kit di phishing cinese [U]

A security vulnerability has been discovered in the integrated USB-C controller of the iPhone 15 and 16. However, exploiting it would be so complex that both Apple and the security researcher who found it concluded that it does not represent a real threat.

However, a security issue threatening iPhone users is a tactic used by fraudsters to evade one of Apple's integrated protections. Update: A rapid series of fraudulent E-ZPass messages seems to have been guided by a Chinese phishing kit – see the new section below...

Security Vulnerability in the iPhone USB-C Port

The security researcher Thomas Roth has discovered a vulnerability in the USB-C controller chip introduced for the first time in Apple's supply chain in 2023. In principle, it could be used to compromise an iPhone, as reported by Cyber Security News.

Security researchers were able to hack the owner of the ACE3 USB-C controller chip from Apple. This chip, introduced with the iPhone 15 and iPhone 15 Pro, represents a significant step forward in USB-C technology, managing energy delivery and acting as a sophisticated microcontroller with access to critical internal systems [...]

Roth's team was able to execute code on the ACE3 chip. Through precise measurement of electromagnetic signals during the chip startup process, they identified the exact moment when firmware validation occurred.

At this critical point, they used electromagnetic error injection to bypass the validation checks and boot a modified firmware patch into the chip processor.

Theoretically, this could give an attacker full control of an iPhone.

However, it would require physical access to the device and would be extremely difficult to execute. Macworld reported that Apple concluded after examining the method used that it was not a real threat, and Roth agreed.

Fraudsters' iMessage tactic can bypass protections

The SMS messaging system and iMessage are commonly used by con artists to send intentional phishing links and attempt to install malware on iPhone devices.

To protect yourself from this, if you receive an iMessage from someone not in your contact list and with whom you have never exchanged messages, your iPhone automatically disables all links in the message. They appear as regular text that must be manually clicked or typed in to access them.

Researchers note that the spam SMS surge coincides with the introduction of new features in a popular commercial phishing kit sold in China, making it easy to create attractive traps simulating highway operators in multiple US states.

How to Protect Yourself

Never touch or click on a link received in an email or other messages unless you are expecting it. The best practice is always to use your own bookmarks or manually type URLs, and only do so if you have a good reason to believe the message is authentic. When in doubt, call or send a message to the company using known contact details for verification.

• Here’s how to protect yourself from iPhone password reset attacks.
• Apple's guide on how to protect your Apple ID, avoid bad intentions, and other frauds.