Recent news of a major iOS vulnerability that allowed hackers access to a significant amount of data from compromised iPhones has shaken some people’s confidence in iOS security.
The now-patched vulnerability, discovered by a group of white hat cybersecurity professionals known as Google Project Zero who work to uncover zero-day vulnerabilities, allowed hackers to install spyware on fully updated iPhones if users visited certain websites.
Once the spyware was in place, hackers had access to a significant amount of iPhone data, including password banks, user location data and iMessages. The attack was a highly targeted effort from the Chinese government that likely didn’t have major effects on enterprise organizations, but it raised the question of whether hackers could target a wide range of iPhone users with a similar vulnerability.
Apple patched the iOS vulnerability within 10 days of Project Zero notifying them back in February 2019, and it posted a message stating that Project Zero’s blog overstated the scope of the attack and unnecessarily stoked fear in Apple’s customer base.
In this Q&A, Patrick Hevesi, senior director analyst at Gartner, discusses what mobile admins should take away from the iOS vulnerability news, the state of mobile OS security in general, and key mobile security tools and policies that IT professionals should know.
Google Project Zero’s recent blog post said certain sites have been hacking iOS devices for more than two years. What is your initial reaction to this news?
Patrick Hevesi: The perception that iOS hasn’t seen these types of attacks before is not accurate. We’ve seen low-level attacks in the past, such as Pegasus, and others that have found kernel-mode exploits or Safari browser exploits that are tied to the operating system. We are starting to see more bug bounties, and even Apple is asking for people to help find these low-level vulnerabilities.
The [mobile threat defense (MTD)] vendors have been discovering attacks and building threat intelligence from the other white hat researchers, as well as black hat organizations. I expect that we’re going to start finding exploits as more people are using mobile devices — especially since Apple has put out that bounty for low-level vulnerabilities.
Does this event shake your confidence in the security of iOS moving forward?
Hevesi: Apple continues to add security layers in the hardware, firmware and software layers, but the attackers were able to find some security holes. All OSes can be exploited; iOS is no different. One set of events should not change your perspective on the OS, but it should make organizations more aware that even mobile devices need to be protected.
Part of it is applications, as well. WhatsApp stores data in iCloud. So, if a hacker was able to get into your iCloud account or put a key logger onto the device and you type in a password, then the hacker has your data.
One of the other challenges — not just with iOS, but with any operating system — is that there are some things that are shared. Think about it from a kill chain perspective: Attackers are looking to see, ‘What’s the easiest thing for me to get into the mobile device?’ If I do a man-in-the-middle attack and I get onto your device, that network or keyboard layer can compromise other aspects of the device.
There are different attack vectors for getting at [mobile] passwords. In this particular case, they got to a level that was shared. So, even if the application was encrypted, the hackers could access it if the app stored credentials in clear text somewhere on the device or in iCloud.
Let’s just say you went to the extreme, and you have a password manager [on the iOS device] that was encrypted with a key that you generate. If I get a low-level attack onto that device where I’m at that kernel mode and I unlock that with a fingerprint, I could possibly try to replay that attack and get into your vault, as well. So, unfortunately, there’s nothing that can be perfectly secure.
So, password security is only as strong as the weakest link?
Patrick HevesiSenior director analyst, Gartner
Hevesi: Exactly. And that’s why some of the MTD tools out there are looking for that. You have to look at the apps. Is it a malicious application or an unwanted application that could later be exploited to give me access to a backup, cloud storage or some kind of insecure API? Is somebody trying to man-in-the-middle me?
At a coffee shop or an airport, someone might try to have me join a fake public Wi-Fi and then, using DNS or Address Resolution Protocol cache poisoning, trick me into installing a malicious certificate. But even if it’s a zero-day, it may be that the mobile security engine on the device missed the attack because the hacker found some obfuscation or way to get by the security tool.
We also need to think about the behavior. Similar to [endpoint detection and response (EDR)] on a traditional endpoint, MTD vendors are starting to think about new ways to detect mobile attacks. For example, maybe a profile gets installed, a certificate gets installed or the user is prompted with a pop-up, and the user clicked ‘yes.’ And, all of a sudden, an application or a bit of code is trying to load. That behavior should be identified as abnormal. [MTD tools are] not as advanced as [endpoint protection platforms] or EDR is on the traditional endpoints, but that’s where mobile security needs to go to.
Apple recently upped its bug bounty to $1 million. Do you think this effort will have any effect on Apple’s overall security state?
Hevesi: Other vendors have done similar things. Microsoft did it with [Windows] XP. Google has been really focusing on security. Rather than coming out and saying, ‘It’s all safe, and you don’t need antimalware and other security products,’ they realize that somebody wrote this code, and attackers will always find ways around it.
It’s showing that [Apple] wants more input and more people to help. They realize that people are using these mobile devices a lot more than the traditional laptops and desktops now. This action is [a] good sign for the security of iOS.
Should organizations make mobility decisions based on iOS vulnerability news like this?
Hevesi: There’s definitely some strengths and weaknesses in all the mobile OSes. This [Project Zero] news is good in that it’s educating people to not assume that something is perfectly secure because of a marketing statement or a perception.
Five years ago, we didn’t have any data to show what the true vulnerabilities were. The MTDs were in startup mode, and Verizon was making broad, sweeping statements saying there were no issues. In reality, there have always been issues, because it’s software. People write it, and people find ways around the software.
Now that we have agents on the devices and people focusing on [mobile security], this is kind of like it was back in the XP days. More people are starting to publish what they’re finding, follow the standards of disclosure and report back to the vendor directly what they’ve found. Companies like Apple and Google are being more proactive in fixing the issues on mobile devices, which is great.
We need to start thinking about it like this: Would you deploy a laptop or a desktop without some kind of endpoint protection or EDR? No. So, why would you deploy a mobile device without some kind of mobile security capability?
Organizations are seeing these exposures, and they know it’s going to continue on all OSes. They need to think about how to secure the device, how to scan applications that get onto the device and [how to] make sure the network and other connections are protected. This is making people aware that they need to think of mobile devices just like any other endpoint in their enterprise organizations.