Newsletter

08.24.2021 | 5'' read

Should I worry about iOS zero-click exploits?

by Ryan Naraine

Advertisement: Register now for SecurityWeek’s CISO Forum 2021. This is a virtual event scheduled for Sept 14-15, 2021. The agenda is chock-full of prominent security leaders discussing topics ranging from ransomware, cyber-insurance, SBOMs and supply chain security, attack simulations, zero-trust, and post-pandemic attack surface expansion. Register here.

  • The most clicked link from last week’s issue was Corellium’s Open Security Initiative, a program offering cash grants for hackers to “validate any security and privacy claims” made by Apple or any other mobile software vendor.

Personal notes.

  • Security Conversations is looking for paid interns to help with podcast transcripts, audio+video editing, and social media shenanigans. Ping me directly (naraine@gmail.com) with your resume.
  • I’ll be interviewing Peloton’s new CISO Adrian Stone to kick off this year’s SecurityWeek CISO Forum.  Adrian’s been around the security block and will have some incredible stories to tell.

Monday blues. 

Another day, another zero-day.  In Apple’s case, another frightening zero-click iOS exploit hitting iPhones without any user-interaction whatsoever.  Imagine the helplessness of receiving a blue-colored iMessage and, boom, just like that, your fully patched iPhone is compromised.  That’s the news I woke up to this morning (read my story on SecurityWeek) and that’s the impossible challenge Apple faces to keep the iPhone away from apex threat actors.

Apple’s statement to Zack Whittaker at TechCrunch puts things into perspective:

Apple’s head of security engineering and architecture Ivan Krstic said: “Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place … Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.” 

Apple added it continues to work on new iMessage security tech slated for release in iOS 15 next month.

My bet is we’ll see an emergency iOS update very soon. In the meantime, I agree with The Record’s Catalin Cimpanu that the rest of us should not panic about this in-the-wild exploitation.

“Since FORCEDENTRY is currently a carefully guarded exploit in the arsenal of a surveillance vendor and deployed in very limited and targeted operations, the danger to most iOS users is low until Apple learns more and releases an official fix.  However, the danger is high for individuals who have their own government and NSO Group in their threat model.”

In the meantime, here’s your not-so-constant reminder to reboot your iPhones weekly as a useful security measure.

_ryan

On to the newsletter…

People movements.

  • Fermin J. Serna is the new Chief Security Officer at Databricks.
  • Former Box CISO Lakshmi Hanspal is the new global CSO at Amazon Devices & Services.
  • Splunk has tapped Pamela Fusco as its new security chief.
  • Ross Hosman has landed the gig as CISO at Drata.

Nation-state APT things.

Ransomware and cyber-insurance.

Readables.

Tangentially.

P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.
