Apple released a critical update on Thursday, August 26th, to address a series of flaws in the iPhone 6. The flaws, while individually of little concern, combined to allow hackers to remotely jailbreak the iPhone.
The vulnerability was discovered and reported to Apple about a week and a half ago, after a United Arab Emirates human rights activist was targeted by the attack. Ahmed Mansoor reported the issue to researchers at the University of Toronto’s Citizen Lab, who in turn found and reported the issues to Apple.
Mansoor received a text message containing a link. Following the link would have installed a program that would have allowed remote access to his phone, thanks to three previously unknown flaws in the iOS operating system. Once installed, the hackers would have had access to a number of iPhone services, including being able to control the camera and listen in on conversations using the microphone.
The spying goes beyond those services, however. Once the exploit is installed, hackers have access to the location of the phone and can listen in on and record conversations. Even apps using end-to-end encryption, like WhatsApp and Viber, would be exposed, since the spyware reads data on the device itself. Additional assets at risk include stored photos, files, and messages in mobile chat apps.
As the number of features available on smartphones increases, so does the number of potential risks. Each of the flaws in iOS flew under the radar – Citizen Lab stated they believed these flaws to have been part of the OS since 9.3.3 or before. (iOS 9.3.3 was released on July 18th, 2016.)
It was the combination of several flaws that enabled the creation of the larger – and far more dangerous – exploit.
At this time the reported cases are limited to Mansoor, a Mexican journalist, and a minority party politician from Kenya. But now that the flaws are public, it is only a matter of time before other attackers attempt to use the security hole on a larger scale.
This is why it is critical that iPhone users ensure they install the new patch, iOS 9.3.5. With the smartphone becoming the holder of our credit card information and other personal data, anything providing unfettered access to your phone is a major concern and an opening for identity theft, credit card fraud, and even, with this current issue, corporate espionage.
In 2015, there were over 94 million iPhones in the hands of users. Many of these are in daily use by executives and leaders in enterprises across the country and the globe. With an unpatched iPhone, company files and messages could be harvested from your phone. Even meetings could be eavesdropped on with a compromised phone using the device’s mic.
And this goes beyond executives, to all levels of the organization. It is critical for your IT security teams to encourage all iPhone users, whether the phone is company-issued or not, to update their phones.
Consider having your security teams send an organization-wide message alerting users to the threat and including simple instructions on how to apply the update to their phone. Also, remind your users about good security practices. Reinforcing messages should be an important part of your enterprise security training, especially when the opportunity to do it in the context of a real-world example presents itself.
One last note. As of the time of this writing, the vulnerability has not been found in iOS 10 beta. So an alternative is to upgrade to the new OS. But because it is still in beta, the usual caveats and cautions for early adopters apply.