In recent weeks, more news has come out about vulnerabilities affecting Apple devices. Here are some details about these discoveries and some important lessons to draw from this news.
In February, a researcher at Trellix announced the discovery of a “large new class of bugs” that affects iPhones, iPads, and Macs.
The bugs are not an initial entry point on their own: an attacker first needs a foothold on the device, typically code execution inside some app or process obtained through another exploit. From there, the NSPredicate bugs let them run code of their choosing in more privileged processes while sidestepping code-signing safeguards. Through this exploit, an attacker could gain access to pretty much any assets on the victim’s device, including photos, call logs, text messages, calendars, and location data. Further, they can gain remote control over the device’s camera and microphone and even wipe the device completely.
How it Works
The exploit stems from NSPredicate, a Foundation class available to every Apple developer. Its intended purpose is modest: describe a condition (“name begins with A”) and use it to filter a collection of objects. The problem is that a predicate is parsed from a format string into a tree of expressions, and that expression language can do far more than compare values. It can name objects and call their methods. In other words, it is a complete scripting language, and if an attacker controls the predicate that a more privileged process evaluates, they control what that process does.
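To make the “scripting language” point concrete, here is an added example in Objective-C. It is not code from the Trellix research or from Apple; it only uses documented, public NSPredicate syntax. The `FUNCTION(receiver, 'selector', ...)` form is part of the predicate format language and sends the named selector to the receiver during evaluation. The sample array and the helper function names are constructed for this illustration.

```objective-c
#import <Foundation/Foundation.h>

// Added example, not from the original page or from Apple/Trellix.
// Demonstrates that an NSPredicate format string is an expression language
// that can invoke methods by name, and shows the safer "bind values, never
// formats" pattern beside it.

// UNSAFE PATTERN: the caller lets an untrusted party choose the format string.
// Whoever controls the string controls which expressions (and selectors) run.
static NSArray *filterWithUntrustedFormat(NSArray *items, NSString *untrustedFormat) {
    NSPredicate *p = [NSPredicate predicateWithFormat:untrustedFormat];
    return [items filteredArrayUsingPredicate:p];
}

// SAFER PATTERN: the format string is a fixed literal written by the developer;
// untrusted input enters only as a bound *value* via %@, so it is never parsed
// as predicate syntax and cannot name objects or selectors.
static NSArray *filterWithBoundValue(NSArray *items, NSString *untrustedValue) {
    NSPredicate *p = [NSPredicate predicateWithFormat:@"SELF CONTAINS[c] %@", untrustedValue];
    return [items filteredArrayUsingPredicate:p];
}

int main(void) {
    @autoreleasepool {
        // Constructed sample data.
        NSArray *names = @[@"alice", @"bob", @"carol"];

        // 1. Ordinary use: the predicate is just a filter.
        NSLog(@"begins with a: %@", filterWithUntrustedFormat(names, @"SELF BEGINSWITH 'a'"));

        // 2. Same API, same array, but now the "filter" runs code: FUNCTION()
        //    sends a selector (here the harmless uppercaseString) to each element.
        //    The element is matched only because a method was called on it.
        NSString *probe = @"FUNCTION(SELF, 'uppercaseString') == 'BOB'";
        NSLog(@"probe as format: %@", filterWithUntrustedFormat(names, probe));

        // 3. The identical text passed as a bound value is treated as a plain
        //    string to compare against. No selector is sent.
        NSLog(@"probe as value: %@", filterWithBoundValue(names, probe));
    }
    return 0;
}
```

Build with `clang -framework Foundation -fobjc-arc example.m -o example` on macOS. The lesson for a code reviewer is the one the page is making: any place where a process accepts a predicate (a format string, or an NSPredicate/NSExpression object arriving over XPC or another IPC channel) from a less trusted party is accepting a program, not a filter. Treat it the way you would treat `eval`, and bind untrusted data as values only.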
The Reality: Apple Devices Vulnerable
Over the years, Apple has received a lot of recognition for its approach to security, and for good reason. In iOS devices, and increasingly in macOS devices as well, the company has employed code signing. This means apps can only run if they’ve been cryptographically signed by a trusted developer. This undoubtedly makes it harder for malicious actors to run malware on Apple devices.
However, while it is great these protections are in place, that doesn’t mean you can assume they’re foolproof. NSPredicate is an example of this. Code signing stops an attacker from loading code that Apple or a trusted developer did not sign, but it does nothing about already-signed code that can be steered to do something else. When a privileged process evaluates a predicate an attacker supplies, the attacker gets to run logic of their choosing without introducing a single unsigned byte, which is exactly the outcome code signing was meant to prevent.
These Vulnerabilities Aren’t the First, Just the Latest
The vulnerabilities disclosed in February are just the latest in a series of discoveries surrounding Apple vulnerabilities. It was just in January that Apple issued an advisory about a critical security flaw affecting older devices. Further, in issuing this advisory, the company cited evidence of active exploitation. They issued patches that remediated a number of security vulnerabilities, including flaws in the WebKit browser engine that could lead to code execution.
Further, these revelations in February weren’t even the first time NSPredicate was in the news. In fact, it was back in September 2021 that Citizen Lab announced an exploit known as FORCEDENTRY. This was a zero-click exploit, meaning a device could be infected without the user even clicking a link. FORCEDENTRY was used by the NSO Group, purveyors of Pegasus spyware. One specific example uncovered was that a Saudi activist had their iPhone infected by Pegasus through this exploit.
This exploit employed two key techniques, one of which was leveraging, you guessed it, NSPredicate to escape the sandbox and bypass code signing. Since then, Apple has added restrictions on what predicates are allowed to do when they are evaluated, but the February research shows those restrictions could be bypassed, so the underlying risk was reduced rather than eliminated.
The most recent developments underscore some key realities for security teams:
- You can’t count on “secure” device architectures. Any device can prove vulnerable. Old or new, Android or iOS, patched or unpatched, it doesn’t matter. Malicious actors keep finding ways to compromise mobile devices.
- You can’t count on patching and remediation. The reality is that a weakness that first surfaced back in 2021 is still posing risks to device users and organizations. Patches were issued and mitigations were added, and researchers then found ways around those mitigations. Each round narrows the problem, but gaps remain between rounds.
- You can’t count on users. Even when new updates are available, it may take users weeks, even months, to install them. Further, employees are susceptible to being fooled and rendering many safeguards worthless. As we wrote in a blog post a while back, if a phishing attack is sophisticated enough, even properly trained employees can be fooled into divulging secrets and opening the door to malware.
Moving Past Denial
It can always be tempting to reduce our stress levels by denying there’s a risk or hoping we won’t be affected. We can try to comfort ourselves, thinking we’re going to be ok because we’re running a new device, because we keep our devices current with updates, or because we’re using a platform protected by code signing. Recent years have provided way too many examples that contradict these beliefs, however.
Clinging to denial or false hopes is never a particularly sound strategy, and it is particularly disastrous for security teams. Mobile devices and apps now represent an organization’s largest unprotected vector of attack. Organizations’ assets are increasingly exposed to mobile threats, including phishing, network attacks, malicious applications, and compromised devices. Security strategies, practices, and technologies need to be aligned with these realities.
To combat the threats posed by vulnerable mobile devices today, it is abundantly clear that security teams must employ advanced mobile threat defense capabilities that keep up with today’s mobile threat landscape. These capabilities are paramount if organizations are to guard against the most advanced attacks on mobile devices. Further, these solutions provide the critical data security teams need to stay ahead of increasingly sophisticated cyberattacks.
Zimperium zIPS is the only on-device solution that provides comprehensive protection against advanced persistent threats across device, network, and app attacks. Zimperium leverages machine learning to continuously monitor mobile devices for malicious behavior without relying on signatures, making Zimperium the only mobile threat detection solution capable of detecting and protecting against known and unknown threats. Zimperium alerts security teams and provides them with forensics and threat intelligence to identify and isolate the incident before it becomes a much larger security issue.
For more information on how you can protect your organization against mobile risks and threats, contact us today.