It has been reported that when Apple released iOS 15, a Spanish security researcher disclosed an iPhone lock screen bypass that can be exploited to grant attackers access to a user’s notes.
In an interview with The Record, Jose Rodriguez said he published details about the lock screen bypass after Apple downplayed similar lock screen bypass issues he reported to the company earlier this year.
“Apple values reports of issues like this with up to $25,000 but for reporting a more serious issue, I was awarded $5,000,” the researcher wrote on Twitter last week. Rodriguez said he was referring to lock screen bypasses tracked as CVE-2021-1835 and CVE-2021-30699, which Apple patched in April and May, respectively. The two issues allowed threat actors to access instant messaging apps like Twitter, WhatsApp, or Telegram even while the phone was locked.
<p>This incident highlights the value of vulnerability acquisition programmes. Operating system developers in particular should have these programmes in place to have continuous insight into the fixes that need to be delivered in order to ensure a secure experience.</p>
<p>This example indicates that Apple is setting the level of compensation provided to the ethical hacker too low. This is perhaps why so many organisations choose open source vendors, where collaboration and purposes are set for the greater good. This is a dangerous move for the richest tech company today, and may result in a serious backlash that dents its reputation as a secure technology vendor.</p>
<p>Vulnerabilities are inevitable in any type of software, especially mobile operating systems like iOS and Android, which have a self-inflicted annual mandate to deliver innovative, game-changing functionality more quickly than the competition. However, the speed and efficiency at which updates arrive proves the value of cloud-delivered services that can quickly push fixes out to users before any damage is done. If the user has automatic app updates turned on, which most people do at this point, then operating system updates can be delivered with the minimum of user intervention.</p>
<p>Given that mobile operating system vendors like Apple have had 15 iterations to get things right, the aggressive annual product release cycles driven by marketing are a key contributor to the constant stream of such issues.</p>
<p>Couple this with the low-power, small-form-factor nature of a mobile device that is always internet connected, and it’s not hard to see why nation states and governments have a vested interest in being able to compromise the wholesale security of your phone without you even knowing about it. The recent high-profile news around Pegasus spyware and zero-click exploits may even spell the downfall of these technologies, given their inherent inability to keep users’ privacy in place, contrary to all the years of marketing hype.</p>
<p>It’s more important than ever for organizations to understand that if vulnerable operating systems and apps exist in their mobile fleet, they must be aware of the risks and address these issues at the earliest opportunity.</p>
<p>Regardless of the capability given to an attacker who successfully exploits a vulnerability, these CVEs (Common Vulnerabilities and Exposures) pose the same risk as, if not more than, the PCs we have been patching for decades. Where mobile security is overlooked or ignored, the risk to the overall enterprise security posture can be profound: leaving vulnerable devices open to exploitation results in compromised credentials, which in turn allow an attacker to remain on the network, identifying data for exfiltration or encryption.</p>
<p>This is especially true in bring-your-own-device (BYOD) scenarios, where employees will inevitably have a number (often dozens) of personal apps; public messaging, gaming, dating, and utility apps represent just a small cross-section of the apps on their devices, and admins want to provide security without violating employee privacy.</p>
<p>In order to mitigate the risk of vulnerable operating systems and exploitable versions of apps compromising corporate data security, organizations should adopt a mobile security solution that strikes the balance between security and privacy. This means the solution provides enough visibility to build policies based on operating system version, app versions and app permissions, but not so much that admins see versioning causing productivity issues. This preserves employee privacy while also strengthening the overall security and compliance posture of the organization.</p>
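<p>The kind of version-and-permission policy check described above, written out as an added example rather than code from the article or from any vendor's product. The device records, minimum-version thresholds and permission names below are constructed placeholders, not real Apple or vendor data; the point is that the inventory holds only platform, OS version, app versions and granted permissions (not app content), and that versions are compared numerically so that a release such as "14.10" is correctly treated as newer than "14.9".</p>

```python
"""Illustrative mobile-fleet compliance check (added example, not from the page).

Evaluates a device inventory against a minimum-OS-version, minimum-app-version
and risky-permission policy. All thresholds and device records are constructed
placeholders rather than real patch levels.
"""
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    """Turn '15.0.1' into (15, 0, 1).

    Plain string comparison ranks '14.10' below '14.9'; comparing integer
    tuples avoids that classic mistake. Non-numeric suffixes are dropped.
    """
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(actual: str, minimum: str) -> bool:
    """True when `actual` is the same as or newer than `minimum`."""
    a, m = parse_version(actual), parse_version(minimum)
    # Pad the shorter tuple with zeros so that '15' equals '15.0.0'.
    width = max(len(a), len(m))
    a += (0,) * (width - len(a))
    m += (0,) * (width - len(m))
    return a >= m


@dataclass
class Policy:
    min_os: dict            # platform -> minimum OS version (placeholder values)
    min_app: dict           # app bundle id -> minimum app version (placeholder values)
    risky_permissions: set  # permissions that should be flagged when granted


@dataclass
class Device:
    device_id: str
    platform: str
    os_version: str
    # bundle id -> {"version": str, "permissions": set}. Only version and granted
    # permissions are inventoried, never app content, to keep the privacy balance.
    apps: dict = field(default_factory=dict)


def evaluate(device: Device, policy: Policy) -> list:
    """Return human-readable findings for one device; an empty list means compliant."""
    findings = []
    min_os = policy.min_os.get(device.platform)
    if min_os and not version_at_least(device.os_version, min_os):
        findings.append(f"{device.device_id}: {device.platform} {device.os_version} below minimum {min_os}")
    for bundle, info in device.apps.items():
        min_app = policy.min_app.get(bundle)
        if min_app and not version_at_least(info["version"], min_app):
            findings.append(f"{device.device_id}: {bundle} {info['version']} below minimum {min_app}")
        risky = info.get("permissions", set()) & policy.risky_permissions
        if risky:
            findings.append(f"{device.device_id}: {bundle} holds {sorted(risky)}")
    return findings


# Constructed sample policy and fleet; the thresholds are placeholders.
SAMPLE_POLICY = Policy(
    min_os={"ios": "15.0.1", "android": "12"},
    min_app={"com.example.messenger": "3.10.0"},
    risky_permissions={"accessibility", "screen-capture"},
)

SAMPLE_FLEET = [
    Device("d1", "ios", "15.0.1", {"com.example.messenger": {"version": "3.10.2", "permissions": set()}}),
    Device("d2", "ios", "14.8", {"com.example.messenger": {"version": "3.9.0", "permissions": {"screen-capture"}}}),
    Device("d3", "android", "12", {}),
]


def noncompliant_devices(fleet=SAMPLE_FLEET, policy=SAMPLE_POLICY) -> dict:
    """Map device id -> findings for every device that fails at least one rule."""
    report = {}
    for device in fleet:
        findings = evaluate(device, policy)
        if findings:
            report[device.device_id] = findings
    return report


if __name__ == "__main__":
    for dev_id, findings in noncompliant_devices().items():
        for line in findings:
            print(line)
```

<p>Running the block as a script lists only device d2, which fails all three rules (old OS, old app build, and a flagged permission); d1 and d3 pass. In practice the thresholds would come from the organisation's own patch baseline and the inventory from its mobile management tooling.</p>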