iOS 16.5 Fixes Serious Security Hole Left Unpatched by Previous ‘Fix’

iOS 16.5 official Credit: Quinn Battick / Unsplash

Last August, Apple released iOS 15.6.1 to fix two serious security vulnerabilities. It now turns out that the update only blocked one known way of exploiting the flaws but did not close the underlying hole the exploits relied on; one of the two flaws could allow a rogue app to execute arbitrary code with kernel privileges.

Last week’s iOS 16.5 update actually provides a fix for the security flaw, even if it is nearly 10 months later.

The exploit is known as “ColdIntro.” While Apple had patched iOS against the specific ColdIntro attack, it did not fix the underlying security issue that ColdIntro took advantage of. Security researchers at Jamf and Google’s Project Zero later found that similar attacks still succeeded on devices that had the iOS 15.6.1 update installed. The new attacks they discovered used a variation of ColdIntro that has been given the moniker “ColdInvite.”

The attack worked as follows: the attackers first tricked the mobile carrier Vodafone into disabling the victim’s plan. A fake message was then sent to the victim telling them they needed to install the My Vodafone app to restore their phone service. While the My Vodafone app is a genuine app in the App Store, the link the victim received pointed to a counterfeit version of the app that carried a malware payload.

The ColdInvite attack first gains a foothold on the iPhone’s Display Co-Processor (DCP). It then uses that foothold to reach the handset’s Application Processor (AP), the processor on which the iOS kernel runs.

In other words, while Apple had blocked the one attack vector, it had not fixed the vulnerability that the attack relied on. Jamf reported this to Apple, which eventually fixed the issue in the iOS 16.5 release.

It should be noted that the ColdInvite exploit does not by itself hand an attacker control of the iPhone. Instead, as Jamf notes, the exploit simply gets an attacker one step closer to being able to take control of the targeted device.

[Both exploits allow] an attacker to exploit other vulnerabilities within the AP Kernel. Though it’s not sufficient for a full device takeover on its own, this vulnerability can be exploited to leverage the co-processor in order to obtain read/write privileges to the kernel, allowing a bad actor to get closer to realizing their ultimate goal of fully compromising the device.

Attackers would need to trick a targeted victim into installing their malicious app, which means the technique is most practical against specific, deliberately chosen individuals, making this vulnerability a low risk to the average iPhone user.

Nevertheless, we still strongly recommend installing the iOS 16.5 update, as it closes the flaw that lets an attacker who has compromised one processor use it to gain access to another.
