CVE-2024-44171

Vulnerability

A state management flaw in accessibility features on Apple devices allowed an attacker with physical access to a locked device to control nearby devices. Affected versions include iOS and iPadOS prior to 17.7 and 18, and watchOS prior to 11. The issue was addressed through improved state management. [1][2][3]

Exploitation

An attacker must have physical access to a locked device. By leveraging accessibility features, the attacker could interact with the device to send commands to nearby devices without unlocking the device. No authentication is bypassed on the attacker's device, but the locked state's restrictions are circumvented for controlling nearby devices. [1][2][3]

Impact

A successful exploit allows the attacker to control nearby devices, which may lead to disclosure or manipulation of information on those devices, depending on the attacker's actions and the capabilities of the accessibility features used. The attacker does not gain code execution or escalate privileges on the locked device itself. [1][2][3]

Mitigation

Apple released fixes in iOS 17.7 and iPadOS 17.7 on September 16, 2024, and in iOS 18, iPadOS 18, and watchOS 11 on the same date. Users should update their devices to the latest available versions as soon as possible. No workarounds have been disclosed. [1][2][3]