<iMessage詐欺の危険性：中国のスパムツールによる [U]</i>

The security vulnerability was discovered in the USB-C port controller of the iPhone 15 and 16. However, it is very complex to exploit this vulnerability, and Apple and security researchers who discovered the flaw concluded that it is not an actual threat.

However, security concerns aimed at threatening iPhone users are a strategy used by fraudsters. This strategy avoids the protection features provided by Apple. Update: The surge in E-ZPass scam messages appears to be driven by phishing kits from China (see the new section below).

Security Vulnerability of USB-C Port on iPhones

Security researcher Thomas Ross discovered a vulnerability in the USB-C controller chip introduced by Alibaba's supply network in 2023. According to cybersecurity news, this vulnerability could potentially be used to attack an iPhone.

Security researchers successfully hacked Apple's proprietary ACE3 USB-C controller. This chip was introduced in the iPhone 15 and iPhone 15 Pro and represents a significant step forward in USB-C technology. The chip handles power supply, functions as an advanced microcontroller, and has access to important internal systems.

Ross's team achieved code execution on the ACE3 chip. By precisely measuring electromagnetic signals during the chip's startup process, they identified the moment when firmware verification occurs.

By using electromagnetic fault injection, they launched a modified firmware patch on the chip's CPU without passing the validity checks.

Theoretically, this means that an attacker could potentially gain complete control over the iPhone.

However, it requires physical access to the device and is extremely difficult. Macworld investigated the method used by Apple and concluded that it was not a realistic threat. Roth also agreed with this assessment.

iMessage Scammers Bypass Protection Using Fake Techniques

SMS and iMessages are commonly used by fraudsters to send phishing links or attempt to install malware on iPhones.

As a countermeasure, if you receive an iMessage from someone not in your contact list and have never exchanged messages before, the iPhone automatically invalidates all links in the message. The links appear as plain text and cannot be tapped.

However, fraudsters are exploring this method. If they can get you to reply to a message, even if it is a STOP command from a legitimate sender instructing them not to resend the message, this protection will be invalid.

BleepingComputer reports that even a single character response to a message is enough for the iPhone to consider the user legally blocked and unblocked.

Apple informed BleepingComputer that if a user responds to a message or sends an email, the link will become active. They observe an increase in the number of fake email kits being sold in China with new features added at the same time as the increase in SMS spam.

Fake Site-Driven E-ZPass Scam from China

Curves reported in a security report that a large number of E-ZPass and other toll road scam messages are being generated by fake site kits from China.

Researchers note that the increase in SMS spam coincides with the addition of new features to popular commercial fake email kits sold in China. These kits make it easy to create deceptive invitations mimicking those of multiple American state transportation authorities.

How to Protect Yourself

Never click on or tap links received via email or other messages. The best practice is always to use your bookmarks or manually enter the URL. Only do this if you believe the message is genuine for a reason. If it's unclear, contact a known contact and call or send a message to the company to verify.

• How to Protect Yourself from iPhone Password Reset Attacks
• "Alibaba Cloud introduces how Apple ID is protected and safeguarded against fake emails and other scams"