Following the news that government hackers have been caught using a never-before-seen malware/iPhone spy tool that exploits three different vulnerabilities in Apple’s iOS operating system that allows them to get full control of the iPhone. This is the first time that anyone has uncovered such an attack in the wild. IT security experts from ESET, Tripwire, Cloud Security and prpl Foundation commented below.
Travis Smith, Senior Security Research Engineer at Tripwire:
“Any zero day which can remotely take control of a device is incredibly dangerous. The fact that this particular exploit took advantage of three vulnerabilities to accomplish complete control shows how advanced and committed the authors are. While what we’ve seen exploited in the wild thus far has been targeted towards high profile targets, exploits eventually trickle down into less skilled hands who eventually target a larger audience.
The advantage the general public has is that a patch is already available. The typical iOS users will not differentiate between a major update and a security update. Unless there are reports of apps crashing or degradation of battery life, users will more than likely install the update.”
Mark James, Security Specialist at ESET:
“The trouble with our everyday devices that have become a very integral part of our lives is no matter how hard we try to protect them there is always someone somewhere trying to hack them or take them over. I think most people believe they have nothing of value to hackers so why should you worry about it!
Well you do, in theory everyone does, all our data has a value, names, address, bank details, even contacts, that friend you grew up with may seem like just “Bob who throws a mean BBQ” but he may be the CEO of an important telecommunications company, your contact details for him may be exactly what a hacker requires to form a targeted phishing attack in an attempt to compromise that multi million pound company. Apple and indeed Google want you to have phones that you make you feel safe using their latest technology, so for me when I see Apple releasing an emergency fix for a zero day they were only notified about 10 days ago that makes me feel valued as an Apple user.
Some people may see it as just “another update” or even as unimportant but believe me you want to install this as soon as possible. Security updates are the only way forward in keeping electronic devices safe, gone are the days when a well-known company would release an update that everyone groaned and waited to see the damage it caused before installing it yourself. Nowadays if there is a security update or patch you NEED to treat it with urgency and get it installed now not tomorrow.”
Cesare Garlati, Co-Chair of The Mobile Working Group at Cloud Security Alliance and Chief Security Strategist at prpl Foundation:
“First of all, kudos to Apple for patching this vulnerability so quickly. If you haven’t downloaded the patch yet, do it now! I’m not surprised by this at all—every time there is an update there’s a long list of security vulnerabilities—this is nothing new. Apple iOS is a complex piece of software; there are vulnerabilities and they will be exploited.
“Zero-days or unknown vulnerabilities are extremely valuable in a world where IT is used as a weapon. When nation states need this data, they know where to buy the zero-days. The security community has been preaching this for years: there’s no such thing as a good back door or a “safe” vulnerability. The one thing that surprises me is the ease with which we attribute vulnerabilities to mistakes/errors in coding. I’m more and more convinced that some of these vulnerabilities are introduced on purpose, without the knowledge of the vendor, to serve nation states.
“We believe that the best approach to security is Open Source—it gives opportunity for more people to see the code, find vulnerabilities and fix them right away—which is the standard in the open source community.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.