Turns out iPhones and other Apple devices aren’t invulnerable to malware attacks after all

Turns out we were all deluding ourselves that Apple products connected to the internet were somehow invulnerable to malware attacks, including hacking. Am attaching articles from Slate, ZDNet and Forbes. Slate’s article is fairly objective. ZDNet’s article sounds like someone’s feelings are hurt, while Forbes is downright rabble-rousing.

Google’s release trumpeting that iPhones are not immune to attack strikes me as largely motivated by competitive pressures. Nonetheless, Apple shouldn’t get a free ride for their claims of invulnerability.

Apple has concentrated much of its advertising on how well they protect their hardware owners. Turns out they didn’t do a perfect job. But do I feel the company is “rotten to the core”? (Forbes) No. Any market big enough was going to draw attention from the criminal world if they can see a way to profit. Apple needed to accept that it was now a target and warn its customers that, while they would do their best, they didn’t guarantee total protection.

The question that people choosing hardware will have to decide is who they trust more.


The iPhone Security Wake-Up Call

This week’s malware news is a reminder that everyone’s device is vulnerable.


For years, the answer to the question “What’s the most secure consumer device?” has been easy to come up with: the iPhone. The most secure against criminal malware courtesy of Apple’s carefully maintained App Store, the most secure against government surveillance and court orders courtesy of its default full disk encryption and encryption of iMessage and FaceTime conversations, the most secure against novel exploits and newfound vulnerabilities courtesy of regular security updates pushed out to devices automatically. So an announcement from Google this week was devastating: Several compromised websites had been spreading malware to iPhones that would allow the perpetrators to steal credentials and photos as well as monitor users’ messaging activity and even location data. Devastating not just for Apple, but for the many people (including me) who use iPhones and have long regarded them as one of the most secure devices ever to achieve mainstream success with everyday consumers.

The malware identified by Google targets every version of the iPhone’s operating system released in recent years from iOS 10 through iOS 12, up until the iOS 12.1.4 update released earlier this year, which patched the relevant vulnerabilities. Google alerted Apple to the five distinct exploit chains it had identified targeting iOS back at the beginning of February, prompting the update, which was issued a week later. The prompt patch in response to Google’s alert is to Apple’s credit, but it doesn’t change the fact that the websites distributing these malware strains—none of which has been identified by either Apple or Google—were operational since 2017 and, according to Google’s estimates, were visited by thousands of people each week.

The malware targeting iPhones was apparently distributed indiscriminately to those site visitors—it was not being used to target one or two especially valuable targets, but rather to gather information off the phones of iPhone users in bulk. As Google researcher Ian Beer discussed in his announcement of the vulnerabilities, and as Andy Greenberg and Lily Hay Newman pointed out in Wired, that represents a sea change in how we’re used to thinking about iPhone compromises. They’re supposed to be expensive and arduous devices to exploit, requiring massive amounts of time and money to get into even one iPhone—far too much time and money for anyone to be able to bother wasting on accessing the iPhones of any but the most high-profile targets.

Beer writes that he hopes “to guide the general discussion around exploitation away from a focus on the million dollar dissident,” referencing a term coined by researchers at the Citizen Lab to describe Ahmed Mansoor, a human rights activist in the United Arab Emirates whose iPhone was targeted in 2016 using what appeared to be very expensive iPhone-specific exploits. So maybe it doesn’t actually cost $1 million to get into your iPhone—what do we do now?

Beer’s point—that all of us who use iPhones are at risk, not just those who are doing extremely risky work—is an important one. But it doesn’t yield a lot of clear advice or actionable steps for iPhone users, beyond the necessity of downloading the latest updates if you haven’t already. (If you go to “Settings” in your iPhone and then “General,” you can find which version of iOS you are running in the “About” menu and download any updates from the “Software Update” menu—go do it now!) If you’ve been using a vulnerable iPhone and have any important passwords saved on the device, this would also be a good moment to consider changing them, since the malware was capable of accessing the bank of saved passwords. You can switch to Android, of course, but there are no guarantees that that ecosystem will be any more secure.

Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you’re being targeted. … All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.

If anything, his goal seems to be merely leveling the playing field a little bit by pushing back on the public perception of iPhones as being far more secure than other mobile devices. And if Apple and Google decided to compete on security by trying to see which company could find the most serious vulnerabilities in the other’s mobile operating system, well, that would be a pretty great outcome for all of us.

Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.


Apple has let down every iPhone user

The discovery that malicious websites have been able to deliver malware to iPhones for years should be a wakeup call for users that Apple puts boasting about security ahead of actual security.

If you’re an iPhone user, Apple has let you down. Massively. The discovery last week that malicious websites have been able to hack iPhones indiscriminately and with apparent ease for years came as a bit of a shock. The idea that a product that Apple itself bills as being “designed from the ground up” to protect your information could have its security measures ripped to shreds by simply visiting a website, and that this happened for almost three years makes a mockery of Apple’s claims of being able to protect users and their data.

A bigger embarrassment is that this attack on iPhone users was uncovered not by Apple, but by its arch rival in the smartphone space, Google.

The scale of this exploit should also shock users. By simply visiting a website, the hackers could use exploits to deliver payloads that could “steal private data like iMessages, photos and GPS location in real-time” without the user having to install anything or be duped to run some app.

The hackers also had access to user keychains, which contain passwords, and the databases of various end-to-end encrypted messaging apps, such as Telegram and WhatsApp.

Right now, it’s impossible to know the size and scale of this attack, and how much private information belonging to users is circulating. Were you a victim? Was I? What information is now in the wild?

I don’t know. And that’s pretty scary.

So, Apple has a big job on its hands to regain user trust.

With the iPhone launch scheduled for September 10, this would be a perfect time for Apple to come clean about this, explain to users what happened and why it failed to spot this attack for several years, and what it intends to do to prevent this from happening in the future.

But I’m not holding my breath. At best, I expect Tim Cook to make a frowny face, utter a few conciliatory words, and play down the scale of this attack, before going back to the regularly scheduled program that involves taking cheap shots at how slow Android adoption rates are and how Google can’t be trusted with private data.

And then, my bet is that Apple will try to bury this mess under the shiny glitz of a new iPhone.

For a company that wants people to trust it with some of their most sensitive information, from personal communications to financial information to health data, Apple’s silence on this matter is deeply troubling. Yes, the vulnerabilities were fixed, but Apple made no effort to inform iPhone users of this issue, leaving everyone in the dark. This is particularly worrying since the attackers could still be using stolen authentication tokens to access victims’ data.


Massive iOS Hack Raises Questions About Apple’s iPhone, iPad Security

Apple devices are reassuringly expensive. This is a widely held customer belief that Apple banks on, and the (fast approaching) iPhone 11 will put this to the test. But shocking privacy revelations recently challenged that idea, and now an even bigger scandal may leave the company’s 1.4 billion iPhone and iPad users feeling it is rotten to the core.

Owners of Apple's iPhones and iPads unknowingly spent years being left vulnerable to game-changing hacks


Following news Apple secretly paid contractors to listen to audio recordings from users’ iPhones and iPads, we now know virtually every iPhone and iPad on the planet has been open to attack for at least two years. Furthermore, the attack was cheap to do, tricked thousands of owners every week and Apple had no clue it was going on.

Google’s Project Zero security team broke the news (Forbes’ coverage), revealing that hackers quietly developed a system which enabled disparate iOS vulnerabilities to be daisy-chained together to gain complete control of your iPhone or iPad. All owners had to do to be exposed was visit certain websites and Google estimates that thousands of visitors per week did.

Once in, hackers had full access to your photos, contacts, private messages and even encrypted data, such as passwords, held in iOS Keychain – Apple’s password security system.

In a wide-ranging series of interviews, Wired spoke to security experts who described the findings as “terrifying”, “chilling” and likely the work of state-sponsored hackers. Victims “would probably have had no indication that their devices were infected” and it “changes everything we know about iPhone hacking”.

Apple iOS 10, 11 and 12 have been secretly insecure for years. Between them, they support seven generations of iPhones and iPads and a total of 1.4 billion devices.


But perhaps the most remarkable thing is all this went undetected by Apple for years, despite the hackers making “some strangely amateurish mistakes”. This includes using tools which weren’t encrypted (“potentially allowing other hackers to intercept or alter the data the spyware stole in transit”) and hardcoding IP addresses into their malware which could locate the hackers’ own servers.

Which brings us back to the part about Apple devices being reassuringly expensive. In terms of privacy, rivals are no better and while this security breach may be on a scale and of a duration that is unprecedented in mobile (affected iPhones and iPads span seven years), again rivals are not perfect and Apple has issued a fix.

But it is also Apple which has promoted itself as ‘the only tech company you can trust’. So if you are paying Apple its reassuringly expensive price premiums for precisely this advantage, then you have a decision to make. And quickly.