Fixed bricking bug on the iPhone: "One line of code" should have been enough
Apple has closed a dangerous security gap with iOS 18.4. A legacy API made it possible to paralyze devices.
iPhone with a black screen (symbolic image): the bug allowed a device to be bricked by software.
(Image: Created by Mac & i with Grok)
The well-known leak expert and security researcher Guilherme Rambo has discovered a problematic vulnerability in iOS in which so-called Darwin notifications can be used to paralyze iPhones. The bug with the CVE ID CVE-2025-24095 was fixed as part of iOS 18.4, iPadOS 18.4 and visionOS 2.4 and is an example of a legacy problem that only (re)appears after a while.
With one command into recovery mode
According to Rambo, the discovered vulnerability is “his favorite bug” because it is “so easy to implement an exploit”. The attack also targets a public legacy API “that many components in Apple's core operating system still rely on”. Darwin notifications are simpler than more modern notifications handled by NSNotificationCenter and NSDistributedNotificationCenter, which are familiar to most developers. Darwin notifications are used, among other things, to exchange simple messages between processes at a low level.
The flaw is that it has long been possible to send Darwin notifications at system level without the sending process requiring further privileges or the entitlements Apple uses for security. The biggest danger, according to Rambo: it was even possible to trigger powerful system functions such as the so-called “Restore in Progress” mode (i.e., Apple's restore process) via Darwin notifications. This was possible with a single notify_post call. As this activates the restore mode but no actual restore takes place, the iPhone hangs – and the user has to restart it.
Widget forces restart and then restarts immediately
As part of a proof-of-concept (PoC) exploit, which Rambo called “VeryEvilNotify”, he implemented the simple code as part of a widget extension for iOS. These are regularly woken up by the system as a background process. This allowed the device to actually be “bricked”: Widget calls “Restore in Progress”, user restarts, widget starts running again. A kind of internal denial-of-service attack that you can only escape if you are fast enough and delete the widget immediately after system startup.
However, it remains unclear whether Apple would have allowed such code into its App Store or whether it would have been detected by the software scanners used by the company. According to Rambo, before his bug report, Darwin notifications could be received and sent without the need for special system privileges. There was also no way to identify the sending process. According to Rambo, his PoC already stopped working with iOS 18.3, but according to the CVE report, the bug was fixed in its entirety with iOS 18.4, iPadOS 18.4 and visionOS 2.4. The problem was solved by requiring specific entitlements for Darwin notifications as well. The exploit has not yet been seen “in the wild”. Nevertheless, users should update their iPhone to iOS 18.4.1 as soon as possible, which closes another serious gap.
(bsc)