Apple’s New Security Update Is Good News For iPhone Users

Apple has made serious mistakes this year, risking the usual blind trust in the security of its brand. But the iPhone maker has just addressed the most serious of those issues, while giving its billion-plus iPhone users a reason to check their firmware.

When Apple’s iMessage was reportedly targeted by Israeli spyware earlier this year, the iPhone maker was heavily criticized for its near silence on the attacks and for the lack of clarity for users. You’ll likely remember the iOS 14.7 debacle and the “is it fixed or isn’t it” debate among security professionals, which concluded that it probably wasn’t.

The issue for Apple was twofold. First, that its “black box” approach to keeping its OS locked down from security analysts and software made it difficult for anyone to conclude or confirm anything of consequence unless it came from Apple; and second, that Apple wasn’t saying much beyond a high-level statement. Confusion reigned.

I was critical of Apple at the time, arguing that the company had a duty of care to be more open with its users. Is there an issue and how serious is it? How can users check devices for compromises? When will it be fixed and what can be done in the meantime to stay safe? The fact that this particular attack was very targeted isn’t a get-out, not when we’re all encouraged to be cyberchondriacs by the current threat landscape.

WhatsApp’s boss weighed in at the time, having been very open on the issue after his platform was very publicly targeted in 2019, resulting in Facebook suing NSO. “I hope that Apple will start taking that approach too—be loud, join in,” he said. “It’s not enough to say, most of our users don’t need to worry about this. It’s not enough to say ‘oh this is only thousands or tens of thousands of victims’… If anyone’s phone is not secured that means everyone’s phone is not secure.”

Well Apple has now been very loud and is very much joining in. The company’s lawsuit against NSO, “to curb the abuse of state-sponsored spyware,” has been headline news. Not only does this see Apple join Facebook in seeking to use legal redress to dismantle commercialized attacks on their platforms, but it also marks a new and highly welcome level of openness from Apple—to an extent at least.

We now have confirmation that fraudulent iCloud accounts were used to target Apple’s ecosystem, essentially attacking iPhones from within its walled garden. Ironically, the acceptance of the terms and conditions to open those iCloud accounts is the rationale Apple gives for domiciling its lawsuit in California.

Of real note to the billion-plus iPhone users is confirmation that Apple has addressed the vulnerabilities exposed by Pegasus. “iOS 15 includes a number of new security protections,” it says, “including significant upgrades to the BlastDoor security mechanism. While NSO Group spyware continues to evolve, Apple has not observed any evidence of successful remote attacks against devices running iOS 15 and later.”

Unsurprisingly, “Apple urges all users to update their iPhone and always use the latest software.” It’s this level of clarity that was sorely missing earlier in the year.

Apple has also used its lawsuit to reaffirm its security credentials: “security researchers agree that iPhone is the safest, most secure consumer mobile device on the market,” it says. “Over the past four years, Android devices were found to have 15 to 47 times more malware infections than iPhone. In addition, a recent study found that 98 percent of mobile malware targets Android devices.”

“iPhones will always remain the favorable target of choice,” ESET’s Jake Moore warned when news of the attack was reported. Apple’s lawsuit says the same. “The relative paucity of mobile malware targeting iOS users is not because Apple’s customers are undesirable targets for hackers… It is Apple’s dogged persistence to protect its customers… to create an ecosystem users can trust.”

As well as suing NSO, Apple says it will “contribute $10 million, as well as any damages from the lawsuit, to organizations pursuing cybersurveillance research and advocacy.” It calls out Citizen Lab, which raised the Pegasus alarm mid-year, as an example of just such an organization it wants to help.

But there remains an issue. “iPhone is a much more closed system than Android,” Check Point’s CEO Gil Shwed told me in March. “With Android, it’s much easier to develop software, to use software, and that software can be more malicious than on iOS. But at the same time, on Android, you can build much better security software because the same openness exists also towards security systems.”

And so, while Apple’s latest move should be applauded, there’s much more to be done. There remains an “Apple knows best” vibe with the iPhone maker that’s less prevalent elsewhere. We saw the same with its ill-conceived CSAM and child safety proposals for iCloud Photos and iMessage. Experts lined up to raise issues, but it took an awkwardly long time for Apple to cede to the inevitable and (temporarily) back down.

While the NSO lawsuit can be taken at face value, there’s also plenty included to reaffirm the privacy and security message that Apple wraps around its devices. There’s mention of enhancements to BlastDoor, the iMessage sandbox that clearly failed to prevent Pegasus and so has been strengthened. Then there’s iPhone’s hardware innovations to protect core system processes and encryption keys.

And, interestingly, there’s also a commitment by Apple to warn individuals targeted by such nation state attacks, if those attacks are detected—many will not be, given the small scale. “It’s possible,” Apple says, “that some threat notifications may be false alarms, or that some attacks are not detected. We are unable to provide information about what causes us to issue threat notifications, as that may help state-sponsored attackers adapt their behavior to evade detection in the future.”

It’s all a major improvement on where we were a few months ago.

NSO is seemingly on the back foot and the Pegasus threat has receded. All very good—and the message that you can’t thrive in the public domain while attacking devices from another company has been sent. Meanwhile, as reported by my STC colleague Davey Winder, “an iPhone 13 Pro running the latest and fully patched version of iOS 15.0.2 was hacked in record time, twice,” at China’s recent Tianfu Cup.
