Apple has rolled out an urgent iPhone and iPad update to patch a hidden security flaw that may have already been exploited.
The vulnerability allows attackers to tamper with a locked device via the charging port — an alarming loophole Apple admits may have been used in a high-stakes cyberattack.
Here’s what you need to know about the crucial update, titled iOS 18.3.1, which experts are urging iPhone and iPad owners to download immediately.
How to download iOS 18.3.1
Grabbing the update is a cinch. If automatic updates are enabled, your iPhone will download and install new software overnight when it’s plugged in and connected to Wi-Fi.
You can check by heading to Settings > General > Software Update > Automatic Updates and making sure the option is switched on.
If you want it immediately, open Settings > General > Software Update, tap Download and Install, enter your passcode if asked, and hit Install Now. Just make sure your phone is charged (or plugged in), and you’re good to go.
iOS 18.3.1 - what’s new?
While iOS 18.3 might not introduce any eye-catching new features, it’s still an important update.
The fix targets a zero-day vulnerability uncovered by Bill Marczak of the University of Toronto’s Munk School.
The university’s research group, the Citizen Lab, is known for uncovering cyberattacks, spying, and privacy violations by governments and corporations. Apple’s description of the flaw indicates that it could be another example of the same type of threat.
“A physical attack may disable USB Restricted Mode on a locked device. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the iPhone maker said.
The good news is that anyone looking to break into an iPhone using the flaw would need to gain physical access to the device. That’s according to Adam Boynton, Senior Security Strategy Manager EMEIA at Jamf, a software company that specialises in Apple device management for businesses and other organisations.
“By taking advantage of this flaw, an attacker could obtain full admin access to the device, enabling them to impersonate the owner and execute any software on their behalf,” he said.
“The attacker would most likely need physical control of the user’s device to disable USB Restricted Mode on a locked device. As this is a sophisticated, physical attack, it is likely to target select high-value individuals.”
The Citizen Lab previously uncovered several high-profile iOS vulnerabilities that Apple later patched.
These included a zero-click exploit discovered in 2021 that targeted iOS devices via iMessage, allowing spyware to be deployed without any input from users. Apple released a fix shortly after, protecting millions of users.
In addition, the lab identified another serious flaw in 2023 that enabled Pegasus spyware to be covertly installed on devices.
What about iOS 18.4?
iOS 18.3.1 is bookended by two major updates: iOS 18.3 and the upcoming iOS 18.4. The latter will arrive in the spring with an upgraded Siri that can recognise and interact with what’s on your screen. So, when someone sends you their details in a text, the digital helper will add numbers or addresses to a contact card automatically.
The assistant will also handle multiple actions in a single command, like sending photos or surfacing articles from Safari, making it more intuitive.
Additionally, Siri will track your emails, messages, and photos, offering timely reminders when you need them.
Notably, Apple still hasn’t reinstated the AI-generated notification summaries for news and entertainment that it paused with iOS 18.3 following a raft of misleading headlines. Maybe it’s saving that for its next update, too.
