Apple Vulnerability Places All of Apple iOS at Risk
A recently discovered Apple vulnerability put all users of Apple iOS and virtually every Apple device at risk from direct attack without user action.
The vulnerability affected all major Apple devices, including Apple Watches and iPhones. Moreover, it is the first officially documented and studied example of a “zero-click” attack – an attack that does not require a user to click a link or open a file to activate.
According to researchers at the University of Toronto’s Citizen Lab, the vulnerability was already exploited by an Israeli hacker-for-hire group to plant spyware on a Saudi activist’s iPhone. This group discovered the vulnerability and alerted Apple. The vulnerability appears to be closed at this time via an urgently published update to all devices.
Ivan Krstić, head of Apple Security Engineering and Architecture, gave a statement on the vulnerability. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.” He also commended the efforts of Citizen Lab.
Nick Tausek, Security Solutions Architects at Swimlane, shared his perspective with Solutions Review.
“This zero-day, zero-click vulnerability is significant because it requires no user interaction and impacts all versions of Apple’s iOS, OSX, and watchOS. While the first inclination is to focus the impact to consumers, the much larger danger lies within companies whose employees are using their personal apple devices for work.
Amid the pandemic, the adoption of bring you own device (BYOD) policies has exploded across industries. Even organizations that previously shied away from this type of program have been pushed to adopt it to better accommodate remote work.
To prevent vulnerabilities such as this one from compromising employees and the organization’s sensitive data, companies should look to centralize and automate their current security threat detection, response and investigation protocols into a single platform. Automated detection and response workflows can help enterprises stop the otherwise hidden cross-pollination between personal device communications and access to sensitive corporate resources and information. By embracing comprehensive security automation, security teams can also free up time to keep up with the evolution of threat tactics, ultimately enhancing security preparedness.”
Learn more about cybersecurity here.