Thursday, August 25, 2016

 

Apple devices now a juicy target for hackers

Apple's devices have a well-deserved reputation for security.

But if it wasn't clear before, it should be now: They're not invulnerable. And, in fact, they've become a prime target for hackers.

That was loud and clear Thursday with the news that a major trio of vulnerabilities -- dubbed "Trident" by security researchers -- had been discovered in iOS, the operating system underlying the iPhone and iPad. Apple already has a patch out, but reports indicate that the vulnerability has been around potentially for years and has been exploited.

Before I go any further, if you have an iPhone or other iOS device and haven't yet installed the update Apple issued Thursday, do so right away. The security flaws it fixes are particularly dangerous and could allow a hacker to do some pretty scary stuff with your phone, such as viewing your text messages, listening in on your calls and reading your email -- all without your knowledge.

Using this kind of vulnerability, an attacker could "figure out how to spy on every corner of your phone," said Andrew Blaich, a staff researcher at Lookout, which helped identify and report the flaws.

"What we found is that's actually being done," he added. "It's very much being used for that sort of purpose."

The fact that Apple's devices can have such critical vulnerabilities is not news to the community of computer security experts. But it may be somewhat of a shock to the company's many fans.

In the 2000s, Apple helped to cultivate the notion that its devices were impervious to security problems. The company ran a series of ads contrasting the headaches Windows PC users faced due to the viruses and security problems plaguing those computers with the seemingly blissful experience the Mac's purportedly rock-hard security promised its users.

In more recent years, Apple has touted the security of its iOS devices and has been very public about the steps it's taken to better protect them, particularly during and in the wake of its dispute with the FBI over cracking the iPhone used by one of the San Bernardino shooters who killed 14 people in December.

The company's not just making empty boasts. Security experts generally give the company high marks for the efforts Apple's taken to secure its devices.

"Apple has some very strong claims they can make about being a secure platform," said Dan Cornell, chief technology officer of Denim Group, a computer security consulting firm. "When I look at my iPhone, I have a trust that a lot has been done to secure it."

And in some ways, the vulnerability revealed Thursday points to the efforts Apple has made. This wasn't some routine hack discovered or created by a teenager with time to kill. Instead, it was reportedly developed by a shadowy Israeli corporation backed by a San Francisco-based venture capital firm and used by the United Arab Emirates, which gives an indication of the sophistication of the exploit and the resources that went into developing or identifying it.

But the vulnerability also shows that for all the effort Apple has made, its devices aren't invulnerable. And we shouldn't expect them to be.

As Cornell put it, "there is no such thing as perfect security."

It also emphasizes that hackers view Apple's devices much differently than they did when the company was running its Mac versus PC commercials. Then, users of Apple's devices really didn't have much to worry about. In part that was because of the security the company built into them. But an even bigger factor was that because relatively few people were using them, they weren't that attractive to hackers.

That situation has dramatically changed. According to Apple, there are now some 1 billion Apple devices in active use. And partly because Apple charges a premium for its products, the users of those devices tend to be more affluent and are more likely to be in positions of power or influence.

"Attackers are going to go where their targets are or their market share is," said Lookout's Blaich.

Apple is clearly aware of the increased scrutiny. Following past practices, the company is adding new layers of security into the next versions of iOS and the operating system underlying the Mac, building on what it's done before.

In response to the heightened threats, the company also appears to be rethinking its attitudes toward the larger security community. In the past, the company has been criticized for being something of a black box, for not engaging with the larger community of security researchers. It's also been taken to task for taking a long time to fix reported vulnerabilities and for not using a bug bounty program to encourage researchers to report security flaws.

But earlier this month, the company announced a "bug bounty" program. It did so in the context of a talk at the Black Hat conference that was reportedly one of its most open discussions to date of its security practices. And in the case of the Trident vulnerability, it fixed the bug and distributed a patch to users in a remarkable 10 days.

"Apple has started to take security much more seriously in recent years, especially this year," said Eva Galperin, global policy analyst at the Electronic Frontier Foundation. "The bug bounty is the best sign that they've turned over a new life."
